diff --git a/.gitignore b/.gitignore
index 877aae1..5b545b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /libnftnl-1.2.4.tar.bz2
 /libnftnl-1.2.5.tar.xz
 /libnftnl-1.2.6.tar.xz
+/libnftnl-1.2.7.tar.xz
diff --git a/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch b/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
deleted file mode 100644
index de444b8..0000000
--- a/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 64b18b08a4c7ff6baeca536100e34aacbbafa7f3 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 26 Oct 2023 18:05:02 +0200
-Subject: [PATCH] set: Do not leave free'd expr_list elements in place
-
-JIRA: https://issues.redhat.com/browse/RHEL-14149
-Upstream Status: libnftnl commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
-
-commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
-Author: Phil Sutter
-Date: Wed May 31 14:09:09 2023 +0200
-
- set: Do not leave free'd expr_list elements in place
-
- When freeing elements, remove them also to prevent a potential UAF.
-
- Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
- Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
- Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/set.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/src/set.c b/src/set.c
-index c46f827..719e596 100644
---- a/src/set.c
-+++ b/src/set.c
-@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
- if (s->flags & (1 << NFTNL_SET_USERDATA))
- xfree(s->user.data);
-
-- list_for_each_entry_safe(expr, next, &s->expr_list, head)
-+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
-+ list_del(&expr->head);
- nftnl_expr_free(expr);
-+ }
-
- list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
- list_del(&elem->head);
-@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
- break;
- case NFTNL_SET_EXPR:
- case NFTNL_SET_EXPRESSIONS:
-- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
-+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
-+ list_del(&expr->head);
- nftnl_expr_free(expr);
-+ }
- break;
- default:
- return;
-@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
- s->user.len = data_len;
- break;
- case NFTNL_SET_EXPR:
-- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
-+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
-+ list_del(&expr->head);
- nftnl_expr_free(expr);
-+ }
-
- expr = (void *)data;
- list_add(&expr->head, &s->expr_list);
-@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
-
- return 0;
- out_set_expr:
-- list_for_each_entry_safe(expr, next, &s->expr_list, head)
-+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
-+ list_del(&expr->head);
- nftnl_expr_free(expr);
-+ }
-
- return -1;
- }
diff --git a/0002-expr-fix-buffer-overflows-in-data-value-setters.patch b/0002-expr-fix-buffer-overflows-in-data-value-setters.patch
deleted file mode 100644
index 2b5a912..0000000
--- a/0002-expr-fix-buffer-overflows-in-data-value-setters.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From b88949c0d64c96683e581cbefada07de4c83eff9 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] expr: fix buffer overflows in data value setters
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit bc2afbde9eae491bcef23ef5b24b25c7605ad911
-
-commit bc2afbde9eae491bcef23ef5b24b25c7605ad911
-Author: Florian Westphal
-Date: Tue Dec 12 15:01:17 2023 +0100
-
- expr: fix buffer overflows in data value setters
-
- The data value setters memcpy() to a fixed-size buffer, but its very easy
- to make nft pass too-larger values. Example:
- @th,160,1272 gt 0
-
- ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]
-
- Truncate the copy instead of corrupting the heap.
- This needs additional fixes on nft side to reject such statements with a
- proper error message.
-
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- include/data_reg.h | 2 ++
- src/expr/bitwise.c | 12 +++---------
- src/expr/cmp.c | 4 +---
- src/expr/data_reg.c | 14 ++++++++++++++
- src/expr/immediate.c | 4 +---
- src/expr/range.c | 8 ++------
- 6 files changed, 23 insertions(+), 21 deletions(-)
-
-diff --git a/include/data_reg.h b/include/data_reg.h
-index 6d2dc66..5ee7080 100644
---- a/include/data_reg.h
-+++ b/include/data_reg.h
-@@ -37,4 +37,6 @@ struct nlattr;
- int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int *type);
- void nftnl_free_verdict(const union nftnl_data_reg *data);
-
-+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len);
-+
- #endif
-diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
-index 2d27233..e5dba82 100644
---- a/src/expr/bitwise.c
-+++ b/src/expr/bitwise.c
-@@ -51,17 +51,11 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
- memcpy(&bitwise->len, data, sizeof(bitwise->len));
- break;
- case NFTNL_EXPR_BITWISE_MASK:
-- memcpy(&bitwise->mask.val, data, data_len);
-- bitwise->mask.len = data_len;
-- break;
-+ return nftnl_data_cpy(&bitwise->mask, data, data_len);
- case NFTNL_EXPR_BITWISE_XOR:
-- memcpy(&bitwise->xor.val, data, data_len);
-- bitwise->xor.len = data_len;
-- break;
-+ return nftnl_data_cpy(&bitwise->xor, data, data_len);
- case NFTNL_EXPR_BITWISE_DATA:
-- memcpy(&bitwise->data.val, data, data_len);
-- bitwise->data.len = data_len;
-- break;
-+ return nftnl_data_cpy(&bitwise->data, data, data_len);
- default:
- return -1;
- }
-diff --git a/src/expr/cmp.c b/src/expr/cmp.c
-index f9d15bb..1d396e8 100644
---- a/src/expr/cmp.c
-+++ b/src/expr/cmp.c
-@@ -42,9 +42,7 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
- memcpy(&cmp->op, data, sizeof(cmp->op));
- break;
- case NFTNL_EXPR_CMP_DATA:
-- memcpy(&cmp->data.val, data, data_len);
-- cmp->data.len = data_len;
-- break;
-+ return nftnl_data_cpy(&cmp->data, data, data_len);
- default:
- return -1;
- }
-diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
-index 2633a77..690b23d 100644
---- a/src/expr/data_reg.c
-+++ b/src/expr/data_reg.c
-@@ -217,3 +217,17 @@ void nftnl_free_verdict(const union nftnl_data_reg *data)
- break;
- }
- }
-+
-+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len)
-+{
-+ int ret = 0;
-+
-+ if (len > sizeof(dreg->val)) {
-+ len = sizeof(dreg->val);
-+ ret = -1;
-+ }
-+
-+ memcpy(dreg->val, src, len);
-+ dreg->len = len;
-+ return ret;
-+}
-diff --git a/src/expr/immediate.c b/src/expr/immediate.c
-index 5d477a8..f56aa8f 100644
---- a/src/expr/immediate.c
-+++ b/src/expr/immediate.c
-@@ -36,9 +36,7 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
- memcpy(&imm->dreg, data, sizeof(imm->dreg));
- break;
- case NFTNL_EXPR_IMM_DATA:
-- memcpy(&imm->data.val, data, data_len);
-- imm->data.len = data_len;
-- break;
-+ return nftnl_data_cpy(&imm->data, data, data_len);
- case NFTNL_EXPR_IMM_VERDICT:
- memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict));
- break;
-diff --git a/src/expr/range.c b/src/expr/range.c
-index 473add8..5a30e48 100644
---- a/src/expr/range.c
-+++ b/src/expr/range.c
-@@ -40,13 +40,9 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
- memcpy(&range->op, data, sizeof(range->op));
- break;
- case NFTNL_EXPR_RANGE_FROM_DATA:
-- memcpy(&range->data_from.val, data, data_len);
-- range->data_from.len = data_len;
-- break;
-+ return nftnl_data_cpy(&range->data_from, data, data_len);
- case NFTNL_EXPR_RANGE_TO_DATA:
-- memcpy(&range->data_to.val, data, data_len);
-- range->data_to.len = data_len;
-- break;
-+ return nftnl_data_cpy(&range->data_to, data, data_len);
- default:
- return -1;
- }
diff --git a/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch b/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
deleted file mode 100644
index 71799d2..0000000
--- a/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0d1d0bc545fdf355e19556153c3bb50d3bca29af Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 407f616ea53184ac3bfb9930d3f27ae1cff9c348
-
-commit 407f616ea53184ac3bfb9930d3f27ae1cff9c348
-Author: Pablo Neira Ayuso
-Date: Thu Jan 11 01:13:37 2024 +0100
-
- set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
-
- Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
- bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
- the array boundary.
-
- Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/set.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/set.c b/src/set.c
-index 719e596..b51ff9e 100644
---- a/src/set.c
-+++ b/src/set.c
-@@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
- memcpy(&s->desc.size, data, sizeof(s->desc.size));
- break;
- case NFTNL_SET_DESC_CONCAT:
-+ if (data_len > sizeof(s->desc.field_len))
-+ return -1;
-+
- memcpy(&s->desc.field_len, data, data_len);
-- while (s->desc.field_len[++s->desc.field_count]);
-+ while (s->desc.field_len[++s->desc.field_count]) {
-+ if (s->desc.field_count >= NFT_REG32_COUNT)
-+ break;
-+ }
- break;
- case NFTNL_SET_TIMEOUT:
- memcpy(&s->timeout, data, sizeof(s->timeout));
diff --git a/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch b/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
deleted file mode 100644
index 1c4df05..0000000
--- a/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From aecf2107e075bc45e584badf1c67c0badfd116a5 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] set_elem: use nftnl_data_cpy() in
- NFTNL_SET_ELEM_{KEY,KEY_END,DATA}
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 974af82c0bb0bc5958ccd759bd3a0f2bddbc8d83
-
-commit 974af82c0bb0bc5958ccd759bd3a0f2bddbc8d83
-Author: Pablo Neira Ayuso
-Date: Fri Jan 12 12:33:38 2024 +0100
-
- set_elem: use nftnl_data_cpy() in NFTNL_SET_ELEM_{KEY,KEY_END,DATA}
-
- Use safe nftnl_data_cpy() to copy key into union nftnl_data_reg.
-
- Follow up for commit:
-
- bc2afbde9eae ("expr: fix buffer overflows in data value setters")
-
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/set_elem.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/set_elem.c b/src/set_elem.c
-index 884faff..9207a0d 100644
---- a/src/set_elem.c
-+++ b/src/set_elem.c
-@@ -126,12 +126,12 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
- memcpy(&s->set_elem_flags, data, sizeof(s->set_elem_flags));
- break;
- case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
-- memcpy(&s->key.val, data, data_len);
-- s->key.len = data_len;
-+ if (nftnl_data_cpy(&s->key, data, data_len) < 0)
-+ return -1;
- break;
- case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */
-- memcpy(&s->key_end.val, data, data_len);
-- s->key_end.len = data_len;
-+ if (nftnl_data_cpy(&s->key_end, data, data_len) < 0)
-+ return -1;
- break;
- case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
- memcpy(&s->data.verdict, data, sizeof(s->data.verdict));
-@@ -145,8 +145,8 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
- return -1;
- break;
- case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */
-- memcpy(s->data.val, data, data_len);
-- s->data.len = data_len;
-+ if (nftnl_data_cpy(&s->data, data, data_len) < 0)
-+ return -1;
- break;
- case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */
- memcpy(&s->timeout, data, sizeof(s->timeout));
diff --git a/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch b/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch
deleted file mode 100644
index d806536..0000000
--- a/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From ec6136e9d14c36daf6c59fc99c051ed3ac4cd0f2 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] obj: ct_timeout: setter checks for timeout array boundaries
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 7e6a10e4a57aaf72c74c21d2ed7d2be8289d0f6f
-
-commit 7e6a10e4a57aaf72c74c21d2ed7d2be8289d0f6f
-Author: Pablo Neira Ayuso
-Date: Thu Jan 25 17:34:40 2024 +0100
-
- obj: ct_timeout: setter checks for timeout array boundaries
-
- Use _MAX definitions for timeout attribute arrays and check that
- timeout array is not larger than NFTNL_CTTIMEOUT_ARRAY_MAX.
-
- Fixes: 0adceeab1597 ("src: add ct timeout support")
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/obj/ct_timeout.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
-index 65b48bd..fedf9e3 100644
---- a/src/obj/ct_timeout.c
-+++ b/src/obj/ct_timeout.c
-@@ -21,7 +21,7 @@
-
- #include "obj.h"
-
--static const char *const tcp_state_to_name[] = {
-+static const char *const tcp_state_to_name[NFTNL_CTTIMEOUT_TCP_MAX] = {
- [NFTNL_CTTIMEOUT_TCP_SYN_SENT] = "SYN_SENT",
- [NFTNL_CTTIMEOUT_TCP_SYN_RECV] = "SYN_RECV",
- [NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = "ESTABLISHED",
-@@ -35,7 +35,7 @@ static const char *const tcp_state_to_name[] = {
- [NFTNL_CTTIMEOUT_TCP_UNACK] = "UNACKNOWLEDGED",
- };
-
--static uint32_t tcp_dflt_timeout[] = {
-+static uint32_t tcp_dflt_timeout[NFTNL_CTTIMEOUT_TCP_MAX] = {
- [NFTNL_CTTIMEOUT_TCP_SYN_SENT] = 120,
- [NFTNL_CTTIMEOUT_TCP_SYN_RECV] = 60,
- [NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = 432000,
-@@ -49,12 +49,12 @@ static uint32_t tcp_dflt_timeout[] = {
- [NFTNL_CTTIMEOUT_TCP_UNACK] = 300,
- };
-
--static const char *const udp_state_to_name[] = {
-+static const char *const udp_state_to_name[NFTNL_CTTIMEOUT_UDP_MAX] = {
- [NFTNL_CTTIMEOUT_UDP_UNREPLIED] = "UNREPLIED",
- [NFTNL_CTTIMEOUT_UDP_REPLIED] = "REPLIED",
- };
-
--static uint32_t udp_dflt_timeout[] = {
-+static uint32_t udp_dflt_timeout[NFTNL_CTTIMEOUT_UDP_MAX] = {
- [NFTNL_CTTIMEOUT_UDP_UNREPLIED] = 30,
- [NFTNL_CTTIMEOUT_UDP_REPLIED] = 180,
- };
-@@ -156,6 +156,9 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type,
- memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto));
- break;
- case NFTNL_OBJ_CT_TIMEOUT_ARRAY:
-+ if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX)
-+ return -1;
-+
- memcpy(timeout->timeout, data,
- sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX);
- break;
diff --git a/0006-udata-incorrect-userdata-buffer-size-validation.patch b/0006-udata-incorrect-userdata-buffer-size-validation.patch
deleted file mode 100644
index 2a31267..0000000
--- a/0006-udata-incorrect-userdata-buffer-size-validation.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f0cae2477f6e2292f315c1480c4a08d811dcb977 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] udata: incorrect userdata buffer size validation
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit a4bcdfa6200ef1945a8f936a4474b59666c8dcca
-
-commit a4bcdfa6200ef1945a8f936a4474b59666c8dcca
-Author: Pablo Neira Ayuso
-Date: Mon Feb 26 17:31:19 2024 +0100
-
- udata: incorrect userdata buffer size validation
-
- Use the current remaining space in the buffer to ensure more userdata
- attributes still fit in, buf->size is the total size of the userdata
- buffer.
-
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/udata.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/udata.c b/src/udata.c
-index 0cc3520..e9bfc35 100644
---- a/src/udata.c
-+++ b/src/udata.c
-@@ -42,6 +42,11 @@ uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf)
- return (uint32_t)(buf->end - buf->data);
- }
-
-+static uint32_t nftnl_udata_buf_space(const struct nftnl_udata_buf *buf)
-+{
-+ return buf->size - nftnl_udata_buf_len(buf);
-+}
-+
- EXPORT_SYMBOL(nftnl_udata_buf_data);
- void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf)
- {
-@@ -74,7 +79,8 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len,
- {
- struct nftnl_udata *attr;
-
-- if (len > UINT8_MAX || buf->size < len + sizeof(struct nftnl_udata))
-+ if (len > UINT8_MAX ||
-+ nftnl_udata_buf_space(buf) < len + sizeof(struct nftnl_udata))
- return false;
-
- attr = (struct nftnl_udata *)buf->end;
diff --git a/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch b/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch deleted file mode 100644 index 8b8f49b..0000000 --- a/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch +++ /dev/null @@ -1,872 +0,0 @@ -From d131ee36bcd2ff923f8678bea6f8bc6dfe6da7bb Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] expr: Repurpose struct expr_ops::max_attr field - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 4ed45d7bbbb9f914c934af327ee0271bcc909302 - -commit 4ed45d7bbbb9f914c934af327ee0271bcc909302 -Author: Phil Sutter -Date: Wed Dec 13 14:56:49 2023 +0100 - - expr: Repurpose struct expr_ops::max_attr field - - Instead of holding the maximum kernel space (NFTA_*) attribute value, - use it to hold the maximum expression attribute (NFTNL_EXPR_*) value - instead. This will be used for index boundary checks in an attribute - policy array later. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/expr_ops.h | 2 +- - include/libnftnl/expr.h | 39 +++++++++++++++++++++++++++++++++++++++ - src/expr/bitwise.c | 2 +- - src/expr/byteorder.c | 2 +- - src/expr/cmp.c | 2 +- - src/expr/connlimit.c | 2 +- - src/expr/counter.c | 2 +- - src/expr/ct.c | 2 +- - src/expr/dup.c | 2 +- - src/expr/dynset.c | 2 +- - src/expr/exthdr.c | 2 +- - src/expr/fib.c | 2 +- - src/expr/flow_offload.c | 2 +- - src/expr/fwd.c | 2 +- - src/expr/hash.c | 2 +- - src/expr/immediate.c | 2 +- - src/expr/inner.c | 2 +- - src/expr/last.c | 2 +- - src/expr/limit.c | 2 +- - src/expr/log.c | 2 +- - src/expr/lookup.c | 2 +- - src/expr/masq.c | 2 +- - src/expr/match.c | 2 +- - src/expr/meta.c | 2 +- - src/expr/nat.c | 2 +- - src/expr/numgen.c | 2 +- - src/expr/objref.c | 2 +- - src/expr/osf.c | 2 +- - src/expr/payload.c | 2 +- - src/expr/queue.c | 2 +- - src/expr/quota.c | 2 +- - src/expr/range.c | 2 +- - src/expr/redir.c | 2 +- - src/expr/reject.c | 2 +- - src/expr/rt.c | 2 +- - src/expr/socket.c | 2 +- - src/expr/synproxy.c | 2 +- - src/expr/target.c | 2 +- - src/expr/tproxy.c | 2 +- - src/expr/tunnel.c | 2 +- - src/expr/xfrm.c | 2 +- - 41 files changed, 79 insertions(+), 40 deletions(-) - -diff --git a/include/expr_ops.h b/include/expr_ops.h -index a7d747a..51b2214 100644 ---- a/include/expr_ops.h -+++ b/include/expr_ops.h -@@ -11,7 +11,7 @@ struct nftnl_expr; - struct expr_ops { - const char *name; - uint32_t alloc_len; -- int max_attr; -+ int nftnl_max_attr; - void (*init)(const struct nftnl_expr *e); - void (*free)(const struct nftnl_expr *e); - int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len); -diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h -index 9873228..fba1210 100644 ---- a/include/libnftnl/expr.h -+++ b/include/libnftnl/expr.h -@@ -56,6 +56,7 @@ enum { - NFTNL_EXPR_PAYLOAD_CSUM_TYPE, - NFTNL_EXPR_PAYLOAD_CSUM_OFFSET, - NFTNL_EXPR_PAYLOAD_FLAGS, -+ 
__NFTNL_EXPR_PAYLOAD_MAX - }; - - enum { -@@ -65,34 +66,40 @@ enum { - NFTNL_EXPR_NG_OFFSET, - NFTNL_EXPR_NG_SET_NAME, /* deprecated */ - NFTNL_EXPR_NG_SET_ID, /* deprecated */ -+ __NFTNL_EXPR_NG_MAX - }; - - enum { - NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE, - NFTNL_EXPR_META_DREG, - NFTNL_EXPR_META_SREG, -+ __NFTNL_EXPR_META_MAX - }; - - enum { - NFTNL_EXPR_RT_KEY = NFTNL_EXPR_BASE, - NFTNL_EXPR_RT_DREG, -+ __NFTNL_EXPR_RT_MAX - }; - - enum { - NFTNL_EXPR_SOCKET_KEY = NFTNL_EXPR_BASE, - NFTNL_EXPR_SOCKET_DREG, - NFTNL_EXPR_SOCKET_LEVEL, -+ __NFTNL_EXPR_SOCKET_MAX - }; - - enum { - NFTNL_EXPR_TUNNEL_KEY = NFTNL_EXPR_BASE, - NFTNL_EXPR_TUNNEL_DREG, -+ __NFTNL_EXPR_TUNNEL_MAX - }; - - enum { - NFTNL_EXPR_CMP_SREG = NFTNL_EXPR_BASE, - NFTNL_EXPR_CMP_OP, - NFTNL_EXPR_CMP_DATA, -+ __NFTNL_EXPR_CMP_MAX - }; - - enum { -@@ -100,6 +107,7 @@ enum { - NFTNL_EXPR_RANGE_OP, - NFTNL_EXPR_RANGE_FROM_DATA, - NFTNL_EXPR_RANGE_TO_DATA, -+ __NFTNL_EXPR_RANGE_MAX - }; - - enum { -@@ -108,16 +116,19 @@ enum { - NFTNL_EXPR_IMM_VERDICT, - NFTNL_EXPR_IMM_CHAIN, - NFTNL_EXPR_IMM_CHAIN_ID, -+ __NFTNL_EXPR_IMM_MAX - }; - - enum { - NFTNL_EXPR_CTR_PACKETS = NFTNL_EXPR_BASE, - NFTNL_EXPR_CTR_BYTES, -+ __NFTNL_EXPR_CTR_MAX - }; - - enum { - NFTNL_EXPR_CONNLIMIT_COUNT = NFTNL_EXPR_BASE, - NFTNL_EXPR_CONNLIMIT_FLAGS, -+ __NFTNL_EXPR_CONNLIMIT_MAX - }; - - enum { -@@ -128,18 +139,21 @@ enum { - NFTNL_EXPR_BITWISE_XOR, - NFTNL_EXPR_BITWISE_OP, - NFTNL_EXPR_BITWISE_DATA, -+ __NFTNL_EXPR_BITWISE_MAX - }; - - enum { - NFTNL_EXPR_TG_NAME = NFTNL_EXPR_BASE, - NFTNL_EXPR_TG_REV, - NFTNL_EXPR_TG_INFO, -+ __NFTNL_EXPR_TG_MAX - }; - - enum { - NFTNL_EXPR_MT_NAME = NFTNL_EXPR_BASE, - NFTNL_EXPR_MT_REV, - NFTNL_EXPR_MT_INFO, -+ __NFTNL_EXPR_MT_MAX - }; - - enum { -@@ -150,12 +164,14 @@ enum { - NFTNL_EXPR_NAT_REG_PROTO_MIN, - NFTNL_EXPR_NAT_REG_PROTO_MAX, - NFTNL_EXPR_NAT_FLAGS, -+ __NFTNL_EXPR_NAT_MAX - }; - - enum { - NFTNL_EXPR_TPROXY_FAMILY = NFTNL_EXPR_BASE, - NFTNL_EXPR_TPROXY_REG_ADDR, - 
NFTNL_EXPR_TPROXY_REG_PORT, -+ __NFTNL_EXPR_TPROXY_MAX - }; - - enum { -@@ -164,6 +180,7 @@ enum { - NFTNL_EXPR_LOOKUP_SET, - NFTNL_EXPR_LOOKUP_SET_ID, - NFTNL_EXPR_LOOKUP_FLAGS, -+ __NFTNL_EXPR_LOOKUP_MAX - }; - - enum { -@@ -176,6 +193,7 @@ enum { - NFTNL_EXPR_DYNSET_EXPR, - NFTNL_EXPR_DYNSET_EXPRESSIONS, - NFTNL_EXPR_DYNSET_FLAGS, -+ __NFTNL_EXPR_DYNSET_MAX - }; - - enum { -@@ -185,6 +203,7 @@ enum { - NFTNL_EXPR_LOG_QTHRESHOLD, - NFTNL_EXPR_LOG_LEVEL, - NFTNL_EXPR_LOG_FLAGS, -+ __NFTNL_EXPR_LOG_MAX - }; - - enum { -@@ -195,6 +214,7 @@ enum { - NFTNL_EXPR_EXTHDR_FLAGS, - NFTNL_EXPR_EXTHDR_OP, - NFTNL_EXPR_EXTHDR_SREG, -+ __NFTNL_EXPR_EXTHDR_MAX - }; - - enum { -@@ -202,6 +222,7 @@ enum { - NFTNL_EXPR_CT_KEY, - NFTNL_EXPR_CT_DIR, - NFTNL_EXPR_CT_SREG, -+ __NFTNL_EXPR_CT_MAX - }; - - enum { -@@ -210,6 +231,7 @@ enum { - NFTNL_EXPR_BYTEORDER_OP, - NFTNL_EXPR_BYTEORDER_LEN, - NFTNL_EXPR_BYTEORDER_SIZE, -+ __NFTNL_EXPR_BYTEORDER_MAX - }; - - enum { -@@ -218,11 +240,13 @@ enum { - NFTNL_EXPR_LIMIT_BURST, - NFTNL_EXPR_LIMIT_TYPE, - NFTNL_EXPR_LIMIT_FLAGS, -+ __NFTNL_EXPR_LIMIT_MAX - }; - - enum { - NFTNL_EXPR_REJECT_TYPE = NFTNL_EXPR_BASE, - NFTNL_EXPR_REJECT_CODE, -+ __NFTNL_EXPR_REJECT_MAX - }; - - enum { -@@ -230,39 +254,46 @@ enum { - NFTNL_EXPR_QUEUE_TOTAL, - NFTNL_EXPR_QUEUE_FLAGS, - NFTNL_EXPR_QUEUE_SREG_QNUM, -+ __NFTNL_EXPR_QUEUE_MAX - }; - - enum { - NFTNL_EXPR_QUOTA_BYTES = NFTNL_EXPR_BASE, - NFTNL_EXPR_QUOTA_FLAGS, - NFTNL_EXPR_QUOTA_CONSUMED, -+ __NFTNL_EXPR_QUOTA_MAX - }; - - enum { - NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE, - NFTNL_EXPR_MASQ_REG_PROTO_MIN, - NFTNL_EXPR_MASQ_REG_PROTO_MAX, -+ __NFTNL_EXPR_MASQ_MAX - }; - - enum { - NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE, - NFTNL_EXPR_REDIR_REG_PROTO_MAX, - NFTNL_EXPR_REDIR_FLAGS, -+ __NFTNL_EXPR_REDIR_MAX - }; - - enum { - NFTNL_EXPR_DUP_SREG_ADDR = NFTNL_EXPR_BASE, - NFTNL_EXPR_DUP_SREG_DEV, -+ __NFTNL_EXPR_DUP_MAX - }; - - enum { - NFTNL_EXPR_FLOW_TABLE_NAME = NFTNL_EXPR_BASE, -+ 
__NFTNL_EXPR_FLOW_MAX - }; - - enum { - NFTNL_EXPR_FWD_SREG_DEV = NFTNL_EXPR_BASE, - NFTNL_EXPR_FWD_SREG_ADDR, - NFTNL_EXPR_FWD_NFPROTO, -+ __NFTNL_EXPR_FWD_MAX - }; - - enum { -@@ -275,12 +306,14 @@ enum { - NFTNL_EXPR_HASH_TYPE, - NFTNL_EXPR_HASH_SET_NAME, /* deprecated */ - NFTNL_EXPR_HASH_SET_ID, /* deprecated */ -+ __NFTNL_EXPR_HASH_MAX - }; - - enum { - NFTNL_EXPR_FIB_DREG = NFTNL_EXPR_BASE, - NFTNL_EXPR_FIB_RESULT, - NFTNL_EXPR_FIB_FLAGS, -+ __NFTNL_EXPR_FIB_MAX - }; - - enum { -@@ -289,12 +322,14 @@ enum { - NFTNL_EXPR_OBJREF_SET_SREG, - NFTNL_EXPR_OBJREF_SET_NAME, - NFTNL_EXPR_OBJREF_SET_ID, -+ __NFTNL_EXPR_OBJREF_MAX - }; - - enum { - NFTNL_EXPR_OSF_DREG = NFTNL_EXPR_BASE, - NFTNL_EXPR_OSF_TTL, - NFTNL_EXPR_OSF_FLAGS, -+ __NFTNL_EXPR_OSF_MAX - }; - - enum { -@@ -303,17 +338,20 @@ enum { - NFTNL_EXPR_XFRM_KEY, - NFTNL_EXPR_XFRM_DIR, - NFTNL_EXPR_XFRM_SPNUM, -+ __NFTNL_EXPR_XFRM_MAX - }; - - enum { - NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE, - NFTNL_EXPR_SYNPROXY_WSCALE, - NFTNL_EXPR_SYNPROXY_FLAGS, -+ __NFTNL_EXPR_SYNPROXY_MAX - }; - - enum { - NFTNL_EXPR_LAST_MSECS = NFTNL_EXPR_BASE, - NFTNL_EXPR_LAST_SET, -+ __NFTNL_EXPR_LAST_MAX - }; - - enum { -@@ -321,6 +359,7 @@ enum { - NFTNL_EXPR_INNER_FLAGS, - NFTNL_EXPR_INNER_HDRSIZE, - NFTNL_EXPR_INNER_EXPR, -+ __NFTNL_EXPR_INNER_MAX - }; - - #ifdef __cplusplus -diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c -index e5dba82..69efe1d 100644 ---- a/src/expr/bitwise.c -+++ b/src/expr/bitwise.c -@@ -271,7 +271,7 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size, - struct expr_ops expr_ops_bitwise = { - .name = "bitwise", - .alloc_len = sizeof(struct nftnl_expr_bitwise), -- .max_attr = NFTA_BITWISE_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1, - .set = nftnl_expr_bitwise_set, - .get = nftnl_expr_bitwise_get, - .parse = nftnl_expr_bitwise_parse, -diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c -index 89ed0a8..f05ae59 100644 ---- a/src/expr/byteorder.c -+++ b/src/expr/byteorder.c -@@ -215,7 
+215,7 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_byteorder = { - .name = "byteorder", - .alloc_len = sizeof(struct nftnl_expr_byteorder), -- .max_attr = NFTA_BYTEORDER_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1, - .set = nftnl_expr_byteorder_set, - .get = nftnl_expr_byteorder_get, - .parse = nftnl_expr_byteorder_parse, -diff --git a/src/expr/cmp.c b/src/expr/cmp.c -index 1d396e8..40431fa 100644 ---- a/src/expr/cmp.c -+++ b/src/expr/cmp.c -@@ -195,7 +195,7 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_cmp = { - .name = "cmp", - .alloc_len = sizeof(struct nftnl_expr_cmp), -- .max_attr = NFTA_CMP_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1, - .set = nftnl_expr_cmp_set, - .get = nftnl_expr_cmp_get, - .parse = nftnl_expr_cmp_parse, -diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c -index 549417b..3b6c36c 100644 ---- a/src/expr/connlimit.c -+++ b/src/expr/connlimit.c -@@ -130,7 +130,7 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_connlimit = { - .name = "connlimit", - .alloc_len = sizeof(struct nftnl_expr_connlimit), -- .max_attr = NFTA_CONNLIMIT_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1, - .set = nftnl_expr_connlimit_set, - .get = nftnl_expr_connlimit_get, - .parse = nftnl_expr_connlimit_parse, -diff --git a/src/expr/counter.c b/src/expr/counter.c -index d139a5f..0595d50 100644 ---- a/src/expr/counter.c -+++ b/src/expr/counter.c -@@ -128,7 +128,7 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_counter = { - .name = "counter", - .alloc_len = sizeof(struct nftnl_expr_counter), -- .max_attr = NFTA_COUNTER_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1, - .set = nftnl_expr_counter_set, - .get = nftnl_expr_counter_get, - .parse = nftnl_expr_counter_parse, -diff --git a/src/expr/ct.c b/src/expr/ct.c -index f4a2aea..36b61fd 100644 ---- a/src/expr/ct.c -+++ 
b/src/expr/ct.c -@@ -253,7 +253,7 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_ct = { - .name = "ct", - .alloc_len = sizeof(struct nftnl_expr_ct), -- .max_attr = NFTA_CT_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1, - .set = nftnl_expr_ct_set, - .get = nftnl_expr_ct_get, - .parse = nftnl_expr_ct_parse, -diff --git a/src/expr/dup.c b/src/expr/dup.c -index a239ff3..33731cc 100644 ---- a/src/expr/dup.c -+++ b/src/expr/dup.c -@@ -133,7 +133,7 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_dup = { - .name = "dup", - .alloc_len = sizeof(struct nftnl_expr_dup), -- .max_attr = NFTA_DUP_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1, - .set = nftnl_expr_dup_set, - .get = nftnl_expr_dup_get, - .parse = nftnl_expr_dup_parse, -diff --git a/src/expr/dynset.c b/src/expr/dynset.c -index 5bcf1c6..ee6ce1e 100644 ---- a/src/expr/dynset.c -+++ b/src/expr/dynset.c -@@ -366,7 +366,7 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_dynset = { - .name = "dynset", - .alloc_len = sizeof(struct nftnl_expr_dynset), -- .max_attr = NFTA_DYNSET_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1, - .init = nftnl_expr_dynset_init, - .free = nftnl_expr_dynset_free, - .set = nftnl_expr_dynset_set, -diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c -index 739c7ff..a1227a6 100644 ---- a/src/expr/exthdr.c -+++ b/src/expr/exthdr.c -@@ -262,7 +262,7 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_exthdr = { - .name = "exthdr", - .alloc_len = sizeof(struct nftnl_expr_exthdr), -- .max_attr = NFTA_EXTHDR_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1, - .set = nftnl_expr_exthdr_set, - .get = nftnl_expr_exthdr_get, - .parse = nftnl_expr_exthdr_parse, -diff --git a/src/expr/fib.c b/src/expr/fib.c -index 957f929..36637bd 100644 ---- a/src/expr/fib.c -+++ b/src/expr/fib.c -@@ -193,7 +193,7 @@ nftnl_expr_fib_snprintf(char *buf, size_t 
remain, - struct expr_ops expr_ops_fib = { - .name = "fib", - .alloc_len = sizeof(struct nftnl_expr_fib), -- .max_attr = NFTA_FIB_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1, - .set = nftnl_expr_fib_set, - .get = nftnl_expr_fib_get, - .parse = nftnl_expr_fib_parse, -diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c -index 4fc0563..f604712 100644 ---- a/src/expr/flow_offload.c -+++ b/src/expr/flow_offload.c -@@ -114,7 +114,7 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_flow = { - .name = "flow_offload", - .alloc_len = sizeof(struct nftnl_expr_flow), -- .max_attr = NFTA_FLOW_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1, - .free = nftnl_expr_flow_free, - .set = nftnl_expr_flow_set, - .get = nftnl_expr_flow_get, -diff --git a/src/expr/fwd.c b/src/expr/fwd.c -index 51f6612..3aaf328 100644 ---- a/src/expr/fwd.c -+++ b/src/expr/fwd.c -@@ -153,7 +153,7 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_fwd = { - .name = "fwd", - .alloc_len = sizeof(struct nftnl_expr_fwd), -- .max_attr = NFTA_FWD_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1, - .set = nftnl_expr_fwd_set, - .get = nftnl_expr_fwd_get, - .parse = nftnl_expr_fwd_parse, -diff --git a/src/expr/hash.c b/src/expr/hash.c -index 6e2dd19..1fc72ec 100644 ---- a/src/expr/hash.c -+++ b/src/expr/hash.c -@@ -221,7 +221,7 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_hash = { - .name = "hash", - .alloc_len = sizeof(struct nftnl_expr_hash), -- .max_attr = NFTA_HASH_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1, - .set = nftnl_expr_hash_set, - .get = nftnl_expr_hash_get, - .parse = nftnl_expr_hash_parse, -diff --git a/src/expr/immediate.c b/src/expr/immediate.c -index f56aa8f..d60ca32 100644 ---- a/src/expr/immediate.c -+++ b/src/expr/immediate.c -@@ -221,7 +221,7 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_immediate = 
{ - .name = "immediate", - .alloc_len = sizeof(struct nftnl_expr_immediate), -- .max_attr = NFTA_IMMEDIATE_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1, - .free = nftnl_expr_immediate_free, - .set = nftnl_expr_immediate_set, - .get = nftnl_expr_immediate_get, -diff --git a/src/expr/inner.c b/src/expr/inner.c -index 7daae4f..cb6f607 100644 ---- a/src/expr/inner.c -+++ b/src/expr/inner.c -@@ -204,7 +204,7 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags, - struct expr_ops expr_ops_inner = { - .name = "inner", - .alloc_len = sizeof(struct nftnl_expr_inner), -- .max_attr = NFTA_INNER_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1, - .free = nftnl_expr_inner_free, - .set = nftnl_expr_inner_set, - .get = nftnl_expr_inner_get, -diff --git a/src/expr/last.c b/src/expr/last.c -index 641b713..273aaa1 100644 ---- a/src/expr/last.c -+++ b/src/expr/last.c -@@ -129,7 +129,7 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_last = { - .name = "last", - .alloc_len = sizeof(struct nftnl_expr_last), -- .max_attr = NFTA_LAST_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1, - .set = nftnl_expr_last_set, - .get = nftnl_expr_last_get, - .parse = nftnl_expr_last_parse, -diff --git a/src/expr/limit.c b/src/expr/limit.c -index 1870e0e..a1f9eac 100644 ---- a/src/expr/limit.c -+++ b/src/expr/limit.c -@@ -197,7 +197,7 @@ nftnl_expr_limit_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_limit = { - .name = "limit", - .alloc_len = sizeof(struct nftnl_expr_limit), -- .max_attr = NFTA_LIMIT_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1, - .set = nftnl_expr_limit_set, - .get = nftnl_expr_limit_get, - .parse = nftnl_expr_limit_parse, -diff --git a/src/expr/log.c b/src/expr/log.c -index 180d839..6df030d 100644 ---- a/src/expr/log.c -+++ b/src/expr/log.c -@@ -247,7 +247,7 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_log = { - .name = "log", - .alloc_len = 
sizeof(struct nftnl_expr_log), -- .max_attr = NFTA_LOG_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1, - .free = nftnl_expr_log_free, - .set = nftnl_expr_log_set, - .get = nftnl_expr_log_get, -diff --git a/src/expr/lookup.c b/src/expr/lookup.c -index a06c338..8b23081 100644 ---- a/src/expr/lookup.c -+++ b/src/expr/lookup.c -@@ -200,7 +200,7 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_lookup = { - .name = "lookup", - .alloc_len = sizeof(struct nftnl_expr_lookup), -- .max_attr = NFTA_LOOKUP_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1, - .free = nftnl_expr_lookup_free, - .set = nftnl_expr_lookup_set, - .get = nftnl_expr_lookup_get, -diff --git a/src/expr/masq.c b/src/expr/masq.c -index e6e528d..a103cc3 100644 ---- a/src/expr/masq.c -+++ b/src/expr/masq.c -@@ -158,7 +158,7 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_masq = { - .name = "masq", - .alloc_len = sizeof(struct nftnl_expr_masq), -- .max_attr = NFTA_MASQ_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1, - .set = nftnl_expr_masq_set, - .get = nftnl_expr_masq_get, - .parse = nftnl_expr_masq_parse, -diff --git a/src/expr/match.c b/src/expr/match.c -index f472add..eed85db 100644 ---- a/src/expr/match.c -+++ b/src/expr/match.c -@@ -183,7 +183,7 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_match = { - .name = "match", - .alloc_len = sizeof(struct nftnl_expr_match), -- .max_attr = NFTA_MATCH_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1, - .free = nftnl_expr_match_free, - .set = nftnl_expr_match_set, - .get = nftnl_expr_match_get, -diff --git a/src/expr/meta.c b/src/expr/meta.c -index 183f441..f86fdff 100644 ---- a/src/expr/meta.c -+++ b/src/expr/meta.c -@@ -212,7 +212,7 @@ nftnl_expr_meta_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_meta = { - .name = "meta", - .alloc_len = sizeof(struct nftnl_expr_meta), -- .max_attr = NFTA_META_MAX, -+ 
.nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1, - .set = nftnl_expr_meta_set, - .get = nftnl_expr_meta_get, - .parse = nftnl_expr_meta_parse, -diff --git a/src/expr/nat.c b/src/expr/nat.c -index ca727be..1d10bc1 100644 ---- a/src/expr/nat.c -+++ b/src/expr/nat.c -@@ -269,7 +269,7 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_nat = { - .name = "nat", - .alloc_len = sizeof(struct nftnl_expr_nat), -- .max_attr = NFTA_NAT_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1, - .set = nftnl_expr_nat_set, - .get = nftnl_expr_nat_get, - .parse = nftnl_expr_nat_parse, -diff --git a/src/expr/numgen.c b/src/expr/numgen.c -index d4020a6..3e83e05 100644 ---- a/src/expr/numgen.c -+++ b/src/expr/numgen.c -@@ -175,7 +175,7 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_ng = { - .name = "numgen", - .alloc_len = sizeof(struct nftnl_expr_ng), -- .max_attr = NFTA_NG_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1, - .set = nftnl_expr_ng_set, - .get = nftnl_expr_ng_get, - .parse = nftnl_expr_ng_parse, -diff --git a/src/expr/objref.c b/src/expr/objref.c -index ad0688f..e96bd69 100644 ---- a/src/expr/objref.c -+++ b/src/expr/objref.c -@@ -199,7 +199,7 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_objref = { - .name = "objref", - .alloc_len = sizeof(struct nftnl_expr_objref), -- .max_attr = NFTA_OBJREF_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1, - .free = nftnl_expr_objref_free, - .set = nftnl_expr_objref_set, - .get = nftnl_expr_objref_get, -diff --git a/src/expr/osf.c b/src/expr/osf.c -index f15a722..3838af7 100644 ---- a/src/expr/osf.c -+++ b/src/expr/osf.c -@@ -142,7 +142,7 @@ nftnl_expr_osf_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_osf = { - .name = "osf", - .alloc_len = sizeof(struct nftnl_expr_osf), -- .max_attr = NFTA_OSF_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1, - .set = nftnl_expr_osf_set, - .get = nftnl_expr_osf_get, - .parse = 
nftnl_expr_osf_parse, -diff --git a/src/expr/payload.c b/src/expr/payload.c -index c633e33..f603662 100644 ---- a/src/expr/payload.c -+++ b/src/expr/payload.c -@@ -241,7 +241,7 @@ nftnl_expr_payload_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_payload = { - .name = "payload", - .alloc_len = sizeof(struct nftnl_expr_payload), -- .max_attr = NFTA_PAYLOAD_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1, - .set = nftnl_expr_payload_set, - .get = nftnl_expr_payload_get, - .parse = nftnl_expr_payload_parse, -diff --git a/src/expr/queue.c b/src/expr/queue.c -index de287f2..fba65d1 100644 ---- a/src/expr/queue.c -+++ b/src/expr/queue.c -@@ -188,7 +188,7 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_queue = { - .name = "queue", - .alloc_len = sizeof(struct nftnl_expr_queue), -- .max_attr = NFTA_QUEUE_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1, - .set = nftnl_expr_queue_set, - .get = nftnl_expr_queue_get, - .parse = nftnl_expr_queue_parse, -diff --git a/src/expr/quota.c b/src/expr/quota.c -index 835729c..d3923f3 100644 ---- a/src/expr/quota.c -+++ b/src/expr/quota.c -@@ -142,7 +142,7 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_quota = { - .name = "quota", - .alloc_len = sizeof(struct nftnl_expr_quota), -- .max_attr = NFTA_QUOTA_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1, - .set = nftnl_expr_quota_set, - .get = nftnl_expr_quota_get, - .parse = nftnl_expr_quota_parse, -diff --git a/src/expr/range.c b/src/expr/range.c -index 5a30e48..cb3708c 100644 ---- a/src/expr/range.c -+++ b/src/expr/range.c -@@ -204,7 +204,7 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_range = { - .name = "range", - .alloc_len = sizeof(struct nftnl_expr_range), -- .max_attr = NFTA_RANGE_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1, - .set = nftnl_expr_range_set, - .get = nftnl_expr_range_get, - .parse = nftnl_expr_range_parse, 
-diff --git a/src/expr/redir.c b/src/expr/redir.c -index 87c2acc..eca8bfe 100644 ---- a/src/expr/redir.c -+++ b/src/expr/redir.c -@@ -162,7 +162,7 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_redir = { - .name = "redir", - .alloc_len = sizeof(struct nftnl_expr_redir), -- .max_attr = NFTA_REDIR_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1, - .set = nftnl_expr_redir_set, - .get = nftnl_expr_redir_get, - .parse = nftnl_expr_redir_parse, -diff --git a/src/expr/reject.c b/src/expr/reject.c -index c7c9441..6b923ad 100644 ---- a/src/expr/reject.c -+++ b/src/expr/reject.c -@@ -129,7 +129,7 @@ nftnl_expr_reject_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_reject = { - .name = "reject", - .alloc_len = sizeof(struct nftnl_expr_reject), -- .max_attr = NFTA_REJECT_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1, - .set = nftnl_expr_reject_set, - .get = nftnl_expr_reject_get, - .parse = nftnl_expr_reject_parse, -diff --git a/src/expr/rt.c b/src/expr/rt.c -index 695a658..aaec430 100644 ---- a/src/expr/rt.c -+++ b/src/expr/rt.c -@@ -157,7 +157,7 @@ nftnl_expr_rt_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_rt = { - .name = "rt", - .alloc_len = sizeof(struct nftnl_expr_rt), -- .max_attr = NFTA_RT_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1, - .set = nftnl_expr_rt_set, - .get = nftnl_expr_rt_get, - .parse = nftnl_expr_rt_parse, -diff --git a/src/expr/socket.c b/src/expr/socket.c -index 83045c0..ef299c4 100644 ---- a/src/expr/socket.c -+++ b/src/expr/socket.c -@@ -160,7 +160,7 @@ nftnl_expr_socket_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_socket = { - .name = "socket", - .alloc_len = sizeof(struct nftnl_expr_socket), -- .max_attr = NFTA_SOCKET_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1, - .set = nftnl_expr_socket_set, - .get = nftnl_expr_socket_get, - .parse = nftnl_expr_socket_parse, -diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c -index 47fcaef..dc25962 100644 
---- a/src/expr/synproxy.c -+++ b/src/expr/synproxy.c -@@ -147,7 +147,7 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_synproxy = { - .name = "synproxy", - .alloc_len = sizeof(struct nftnl_expr_synproxy), -- .max_attr = NFTA_SYNPROXY_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1, - .set = nftnl_expr_synproxy_set, - .get = nftnl_expr_synproxy_get, - .parse = nftnl_expr_synproxy_parse, -diff --git a/src/expr/target.c b/src/expr/target.c -index 2a3fe8a..ebc48ba 100644 ---- a/src/expr/target.c -+++ b/src/expr/target.c -@@ -183,7 +183,7 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e) - struct expr_ops expr_ops_target = { - .name = "target", - .alloc_len = sizeof(struct nftnl_expr_target), -- .max_attr = NFTA_TARGET_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1, - .free = nftnl_expr_target_free, - .set = nftnl_expr_target_set, - .get = nftnl_expr_target_get, -diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c -index bd5ffbf..ac5419b 100644 ---- a/src/expr/tproxy.c -+++ b/src/expr/tproxy.c -@@ -165,7 +165,7 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_tproxy = { - .name = "tproxy", - .alloc_len = sizeof(struct nftnl_expr_tproxy), -- .max_attr = NFTA_TPROXY_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1, - .set = nftnl_expr_tproxy_set, - .get = nftnl_expr_tproxy_get, - .parse = nftnl_expr_tproxy_parse, -diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c -index a00f620..e381994 100644 ---- a/src/expr/tunnel.c -+++ b/src/expr/tunnel.c -@@ -140,7 +140,7 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len, - struct expr_ops expr_ops_tunnel = { - .name = "tunnel", - .alloc_len = sizeof(struct nftnl_expr_tunnel), -- .max_attr = NFTA_TUNNEL_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1, - .set = nftnl_expr_tunnel_set, - .get = nftnl_expr_tunnel_get, - .parse = nftnl_expr_tunnel_parse, -diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c -index 2db00d5..3f4cb0a 100644 
---- a/src/expr/xfrm.c -+++ b/src/expr/xfrm.c -@@ -191,7 +191,7 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain, - struct expr_ops expr_ops_xfrm = { - .name = "xfrm", - .alloc_len = sizeof(struct nftnl_expr_xfrm), -- .max_attr = NFTA_XFRM_MAX, -+ .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1, - .set = nftnl_expr_xfrm_set, - .get = nftnl_expr_xfrm_get, - .parse = nftnl_expr_xfrm_parse, diff --git a/0008-expr-Call-expr_ops-set-with-legal-types-only.patch b/0008-expr-Call-expr_ops-set-with-legal-types-only.patch deleted file mode 100644 index 7634cd1..0000000 --- a/0008-expr-Call-expr_ops-set-with-legal-types-only.patch +++ /dev/null @@ -1,503 +0,0 @@ -From 3d5814d5b0a9344327509c9e3aa47ee067fe8a4d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] expr: Call expr_ops::set with legal types only - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 5029136028bff1747860ed770994b8f494c042fc - -commit 5029136028bff1747860ed770994b8f494c042fc -Author: Phil Sutter -Date: Wed Dec 13 23:49:53 2023 +0100 - - expr: Call expr_ops::set with legal types only - - Having the new expr_ops::nftnl_max_attr field in place, the valid range - of attribute type values is known now. Reject illegal ones upfront. - - Consequently drop the default case from callbacks' switches which handle - all supported attributes. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/expr.c | 3 +++ - src/expr/bitwise.c | 2 -- - src/expr/byteorder.c | 2 -- - src/expr/cmp.c | 2 -- - src/expr/connlimit.c | 2 -- - src/expr/counter.c | 2 -- - src/expr/ct.c | 2 -- - src/expr/dup.c | 2 -- - src/expr/exthdr.c | 2 -- - src/expr/fib.c | 2 -- - src/expr/flow_offload.c | 2 -- - src/expr/fwd.c | 2 -- - src/expr/immediate.c | 2 -- - src/expr/inner.c | 2 -- - src/expr/last.c | 2 -- - src/expr/limit.c | 2 -- - src/expr/log.c | 2 -- - src/expr/lookup.c | 2 -- - src/expr/masq.c | 2 -- - src/expr/match.c | 2 -- - src/expr/meta.c | 2 -- - src/expr/nat.c | 2 -- - src/expr/objref.c | 2 -- - src/expr/payload.c | 2 -- - src/expr/queue.c | 2 -- - src/expr/quota.c | 2 -- - src/expr/range.c | 2 -- - src/expr/redir.c | 2 -- - src/expr/reject.c | 2 -- - src/expr/rt.c | 2 -- - src/expr/socket.c | 2 -- - src/expr/target.c | 2 -- - src/expr/tproxy.c | 2 -- - src/expr/tunnel.c | 2 -- - 34 files changed, 3 insertions(+), 66 deletions(-) - -diff --git a/src/expr.c b/src/expr.c -index b4581f1..74d211b 100644 ---- a/src/expr.c -+++ b/src/expr.c -@@ -71,6 +71,9 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, - case NFTNL_EXPR_NAME: /* cannot be modified */ - return 0; - default: -+ if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr) -+ return -1; -+ - if (expr->ops->set(expr, type, data, data_len) < 0) - return -1; - } -diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c -index 69efe1d..e219d49 100644 ---- a/src/expr/bitwise.c -+++ b/src/expr/bitwise.c -@@ -56,8 +56,6 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type, - return nftnl_data_cpy(&bitwise->xor, data, data_len); - case NFTNL_EXPR_BITWISE_DATA: - return nftnl_data_cpy(&bitwise->data, data, data_len); -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c -index f05ae59..8c7661f 100644 ---- a/src/expr/byteorder.c -+++ b/src/expr/byteorder.c -@@ -51,8 +51,6 @@ 
nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_BYTEORDER_SIZE: - memcpy(&byteorder->size, data, sizeof(byteorder->size)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/cmp.c b/src/expr/cmp.c -index 40431fa..fe6f599 100644 ---- a/src/expr/cmp.c -+++ b/src/expr/cmp.c -@@ -43,8 +43,6 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type, - break; - case NFTNL_EXPR_CMP_DATA: - return nftnl_data_cpy(&cmp->data, data, data_len); -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c -index 3b6c36c..90613f2 100644 ---- a/src/expr/connlimit.c -+++ b/src/expr/connlimit.c -@@ -38,8 +38,6 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_CONNLIMIT_FLAGS: - memcpy(&connlimit->flags, data, sizeof(connlimit->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/counter.c b/src/expr/counter.c -index 0595d50..a003e24 100644 ---- a/src/expr/counter.c -+++ b/src/expr/counter.c -@@ -40,8 +40,6 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_CTR_PACKETS: - memcpy(&ctr->pkts, data, sizeof(ctr->pkts)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/ct.c b/src/expr/ct.c -index 36b61fd..197454e 100644 ---- a/src/expr/ct.c -+++ b/src/expr/ct.c -@@ -50,8 +50,6 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_CT_SREG: - memcpy(&ct->sreg, data, sizeof(ct->sreg)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/dup.c b/src/expr/dup.c -index 33731cc..20100ab 100644 ---- a/src/expr/dup.c -+++ b/src/expr/dup.c -@@ -37,8 +37,6 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_DUP_SREG_DEV: - memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c -index 
a1227a6..77ff7db 100644 ---- a/src/expr/exthdr.c -+++ b/src/expr/exthdr.c -@@ -66,8 +66,6 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_EXTHDR_SREG: - memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/fib.c b/src/expr/fib.c -index 36637bd..5d2303f 100644 ---- a/src/expr/fib.c -+++ b/src/expr/fib.c -@@ -43,8 +43,6 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result, - case NFTNL_EXPR_FIB_FLAGS: - memcpy(&fib->flags, data, sizeof(fib->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c -index f604712..9ab068d 100644 ---- a/src/expr/flow_offload.c -+++ b/src/expr/flow_offload.c -@@ -25,8 +25,6 @@ static int nftnl_expr_flow_set(struct nftnl_expr *e, uint16_t type, - if (!flow->table_name) - return -1; - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/fwd.c b/src/expr/fwd.c -index 3aaf328..bd1b1d8 100644 ---- a/src/expr/fwd.c -+++ b/src/expr/fwd.c -@@ -41,8 +41,6 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_FWD_NFPROTO: - memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/immediate.c b/src/expr/immediate.c -index d60ca32..6ab8417 100644 ---- a/src/expr/immediate.c -+++ b/src/expr/immediate.c -@@ -51,8 +51,6 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_IMM_CHAIN_ID: - memcpy(&imm->data.chain_id, data, sizeof(uint32_t)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/inner.c b/src/expr/inner.c -index cb6f607..515f68d 100644 ---- a/src/expr/inner.c -+++ b/src/expr/inner.c -@@ -59,8 +59,6 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type, - - inner->expr = (void *)data; - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/last.c 
b/src/expr/last.c -index 273aaa1..8aa772c 100644 ---- a/src/expr/last.c -+++ b/src/expr/last.c -@@ -37,8 +37,6 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_LAST_SET: - memcpy(&last->set, data, sizeof(last->set)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/limit.c b/src/expr/limit.c -index a1f9eac..355d46a 100644 ---- a/src/expr/limit.c -+++ b/src/expr/limit.c -@@ -52,8 +52,6 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_LIMIT_FLAGS: - memcpy(&limit->flags, data, sizeof(limit->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/log.c b/src/expr/log.c -index 6df030d..868da61 100644 ---- a/src/expr/log.c -+++ b/src/expr/log.c -@@ -60,8 +60,6 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_LOG_FLAGS: - memcpy(&log->flags, data, sizeof(log->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/lookup.c b/src/expr/lookup.c -index 8b23081..ca58a38 100644 ---- a/src/expr/lookup.c -+++ b/src/expr/lookup.c -@@ -53,8 +53,6 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_LOOKUP_FLAGS: - memcpy(&lookup->flags, data, sizeof(lookup->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/masq.c b/src/expr/masq.c -index a103cc3..fa2f4af 100644 ---- a/src/expr/masq.c -+++ b/src/expr/masq.c -@@ -42,8 +42,6 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_MASQ_REG_PROTO_MAX: - memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/match.c b/src/expr/match.c -index eed85db..16e7367 100644 ---- a/src/expr/match.c -+++ b/src/expr/match.c -@@ -55,8 +55,6 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type, - mt->data = data; - mt->data_len = data_len; - break; -- default: -- return -1; 
- } - return 0; - } -diff --git a/src/expr/meta.c b/src/expr/meta.c -index f86fdff..1db2c19 100644 ---- a/src/expr/meta.c -+++ b/src/expr/meta.c -@@ -47,8 +47,6 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_META_SREG: - memcpy(&meta->sreg, data, sizeof(meta->sreg)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/nat.c b/src/expr/nat.c -index 1d10bc1..724894a 100644 ---- a/src/expr/nat.c -+++ b/src/expr/nat.c -@@ -62,8 +62,6 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_NAT_FLAGS: - memcpy(&nat->flags, data, sizeof(nat->flags)); - break; -- default: -- return -1; - } - - return 0; -diff --git a/src/expr/objref.c b/src/expr/objref.c -index e96bd69..28cd2cc 100644 ---- a/src/expr/objref.c -+++ b/src/expr/objref.c -@@ -57,8 +57,6 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_OBJREF_SET_ID: - memcpy(&objref->set.id, data, sizeof(objref->set.id)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/payload.c b/src/expr/payload.c -index f603662..73cb188 100644 ---- a/src/expr/payload.c -+++ b/src/expr/payload.c -@@ -66,8 +66,6 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_PAYLOAD_FLAGS: - memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/queue.c b/src/expr/queue.c -index fba65d1..3343dd4 100644 ---- a/src/expr/queue.c -+++ b/src/expr/queue.c -@@ -45,8 +45,6 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_QUEUE_SREG_QNUM: - memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/quota.c b/src/expr/quota.c -index d3923f3..2a3a05a 100644 ---- a/src/expr/quota.c -+++ b/src/expr/quota.c -@@ -41,8 +41,6 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t 
type, - case NFTNL_EXPR_QUOTA_FLAGS: - memcpy("a->flags, data, sizeof(quota->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/range.c b/src/expr/range.c -index cb3708c..d0c52b9 100644 ---- a/src/expr/range.c -+++ b/src/expr/range.c -@@ -43,8 +43,6 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type, - return nftnl_data_cpy(&range->data_from, data, data_len); - case NFTNL_EXPR_RANGE_TO_DATA: - return nftnl_data_cpy(&range->data_to, data, data_len); -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/redir.c b/src/expr/redir.c -index eca8bfe..a5a5e7d 100644 ---- a/src/expr/redir.c -+++ b/src/expr/redir.c -@@ -42,8 +42,6 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_REDIR_FLAGS: - memcpy(&redir->flags, data, sizeof(redir->flags)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/reject.c b/src/expr/reject.c -index 6b923ad..8a0653d 100644 ---- a/src/expr/reject.c -+++ b/src/expr/reject.c -@@ -38,8 +38,6 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_REJECT_CODE: - memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/rt.c b/src/expr/rt.c -index aaec430..de2bd2f 100644 ---- a/src/expr/rt.c -+++ b/src/expr/rt.c -@@ -37,8 +37,6 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_RT_DREG: - memcpy(&rt->dreg, data, sizeof(rt->dreg)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/socket.c b/src/expr/socket.c -index ef299c4..9b6c3ea 100644 ---- a/src/expr/socket.c -+++ b/src/expr/socket.c -@@ -41,8 +41,6 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_SOCKET_LEVEL: - memcpy(&socket->level, data, sizeof(socket->level)); - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/target.c b/src/expr/target.c 
-index ebc48ba..cc0566c 100644 ---- a/src/expr/target.c -+++ b/src/expr/target.c -@@ -55,8 +55,6 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type, - tg->data = data; - tg->data_len = data_len; - break; -- default: -- return -1; - } - return 0; - } -diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c -index ac5419b..c6ed888 100644 ---- a/src/expr/tproxy.c -+++ b/src/expr/tproxy.c -@@ -42,8 +42,6 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_TPROXY_REG_PORT: - memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port)); - break; -- default: -- return -1; - } - - return 0; -diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c -index e381994..e59744b 100644 ---- a/src/expr/tunnel.c -+++ b/src/expr/tunnel.c -@@ -36,8 +36,6 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type, - case NFTNL_EXPR_TUNNEL_DREG: - memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg)); - break; -- default: -- return -1; - } - return 0; - } diff --git a/0009-include-Sync-nf_log.h-with-kernel-headers.patch b/0009-include-Sync-nf_log.h-with-kernel-headers.patch deleted file mode 100644 index 9eb8ded..0000000 --- a/0009-include-Sync-nf_log.h-with-kernel-headers.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 705845a613139dd1d02a587478d8b7e93f16eecf Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] include: Sync nf_log.h with kernel headers - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 9da7658c6e25b02f7eeef936835469f4174cbfec - -commit 9da7658c6e25b02f7eeef936835469f4174cbfec -Author: Phil Sutter -Date: Fri Dec 15 16:15:35 2023 +0100 - - include: Sync nf_log.h with kernel headers - - Next patch needs NF_LOG_PREFIXLEN define. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/linux/netfilter/nf_log.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h -index 8be21e0..2ae0093 100644 ---- a/include/linux/netfilter/nf_log.h -+++ b/include/linux/netfilter/nf_log.h -@@ -1,3 +1,4 @@ -+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ - #ifndef _NETFILTER_NF_LOG_H - #define _NETFILTER_NF_LOG_H - -@@ -9,4 +10,6 @@ - #define NF_LOG_MACDECODE 0x20 /* Decode MAC header */ - #define NF_LOG_MASK 0x2f - -+#define NF_LOG_PREFIXLEN 128 -+ - #endif /* _NETFILTER_NF_LOG_H */ diff --git a/0010-expr-Introduce-struct-expr_ops-attr_policy.patch b/0010-expr-Introduce-struct-expr_ops-attr_policy.patch deleted file mode 100644 index d607580..0000000 --- a/0010-expr-Introduce-struct-expr_ops-attr_policy.patch +++ /dev/null @@ -1,989 +0,0 @@ -From 5a8aad9370b54e09411853c4022a072c9b36f189 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] expr: Introduce struct expr_ops::attr_policy - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit cdde5a8c5a8734f2d540a0ab52c32d41d4d18127 - -commit cdde5a8c5a8734f2d540a0ab52c32d41d4d18127 -Author: Phil Sutter -Date: Fri Dec 15 16:30:52 2023 +0100 - - expr: Introduce struct expr_ops::attr_policy - - Similar to kernel's nla_policy, enable expressions to inform about - restrictions on attribute use. This allows the generic expression code - to perform sanity checks before dispatching to expression ops. - - For now, this holds only the maximum data len which may be passed to - nftnl_expr_set(). - - While one may debate whether accepting e.g. uint32_t for sreg/dreg - attributes is correct, it is necessary to not break nftables. - - Note that this introduces artificial restrictions on name lengths which - were caught by the kernel (if nftables didn't). - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/expr_ops.h | 5 +++++ - src/expr/bitwise.c | 11 +++++++++++ - src/expr/byteorder.c | 9 +++++++++ - src/expr/cmp.c | 7 +++++++ - src/expr/connlimit.c | 6 ++++++ - src/expr/counter.c | 6 ++++++ - src/expr/ct.c | 8 ++++++++ - src/expr/dup.c | 6 ++++++ - src/expr/dynset.c | 13 +++++++++++++ - src/expr/exthdr.c | 11 +++++++++++ - src/expr/fib.c | 7 +++++++ - src/expr/flow_offload.c | 5 +++++ - src/expr/fwd.c | 7 +++++++ - src/expr/hash.c | 11 +++++++++++ - src/expr/immediate.c | 9 +++++++++ - src/expr/inner.c | 8 ++++++++ - src/expr/last.c | 6 ++++++ - src/expr/limit.c | 9 +++++++++ - src/expr/log.c | 10 ++++++++++ - src/expr/lookup.c | 9 +++++++++ - src/expr/masq.c | 7 +++++++ - src/expr/match.c | 7 +++++++ - src/expr/meta.c | 7 +++++++ - src/expr/nat.c | 11 +++++++++++ - src/expr/numgen.c | 8 ++++++++ - src/expr/objref.c | 9 +++++++++ - src/expr/osf.c | 7 +++++++ - src/expr/payload.c | 12 ++++++++++++ - src/expr/queue.c | 8 ++++++++ - src/expr/quota.c | 7 +++++++ - src/expr/range.c | 8 ++++++++ - src/expr/redir.c | 7 +++++++ - src/expr/reject.c | 6 ++++++ - src/expr/rt.c | 6 ++++++ - src/expr/socket.c | 7 +++++++ - src/expr/synproxy.c | 7 +++++++ - src/expr/target.c | 7 +++++++ - src/expr/tproxy.c | 7 +++++++ - src/expr/tunnel.c | 6 ++++++ - src/expr/xfrm.c | 9 +++++++++ - 40 files changed, 316 insertions(+) - -diff --git a/include/expr_ops.h b/include/expr_ops.h -index 51b2214..6cfb3b5 100644 ---- a/include/expr_ops.h -+++ b/include/expr_ops.h -@@ -8,10 +8,15 @@ struct nlattr; - struct nlmsghdr; - struct nftnl_expr; - -+struct attr_policy { -+ uint32_t maxlen; -+}; -+ - struct expr_ops { - const char *name; - uint32_t alloc_len; - int nftnl_max_attr; -+ struct attr_policy *attr_policy; - void (*init)(const struct nftnl_expr *e); - void (*free)(const struct nftnl_expr *e); - int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len); -diff --git a/src/expr/bitwise.c 
b/src/expr/bitwise.c -index e219d49..dab1690 100644 ---- a/src/expr/bitwise.c -+++ b/src/expr/bitwise.c -@@ -266,10 +266,21 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size, - return err; - } - -+static struct attr_policy bitwise_attr_policy[__NFTNL_EXPR_BITWISE_MAX] = { -+ [NFTNL_EXPR_BITWISE_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BITWISE_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BITWISE_LEN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BITWISE_MASK] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, -+ [NFTNL_EXPR_BITWISE_XOR] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, -+ [NFTNL_EXPR_BITWISE_OP] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BITWISE_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, -+}; -+ - struct expr_ops expr_ops_bitwise = { - .name = "bitwise", - .alloc_len = sizeof(struct nftnl_expr_bitwise), - .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1, -+ .attr_policy = bitwise_attr_policy, - .set = nftnl_expr_bitwise_set, - .get = nftnl_expr_bitwise_get, - .parse = nftnl_expr_bitwise_parse, -diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c -index 8c7661f..d4e85a8 100644 ---- a/src/expr/byteorder.c -+++ b/src/expr/byteorder.c -@@ -210,10 +210,19 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy byteorder_attr_policy[__NFTNL_EXPR_BYTEORDER_MAX] = { -+ [NFTNL_EXPR_BYTEORDER_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BYTEORDER_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BYTEORDER_OP] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BYTEORDER_LEN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_BYTEORDER_SIZE] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_byteorder = { - .name = "byteorder", - .alloc_len = sizeof(struct nftnl_expr_byteorder), - .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1, -+ .attr_policy = byteorder_attr_policy, - .set = nftnl_expr_byteorder_set, - .get = nftnl_expr_byteorder_get, - .parse = 
nftnl_expr_byteorder_parse, -diff --git a/src/expr/cmp.c b/src/expr/cmp.c -index fe6f599..2937d7e 100644 ---- a/src/expr/cmp.c -+++ b/src/expr/cmp.c -@@ -190,10 +190,17 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy cmp_attr_policy[__NFTNL_EXPR_CMP_MAX] = { -+ [NFTNL_EXPR_CMP_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_CMP_OP] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_CMP_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN } -+}; -+ - struct expr_ops expr_ops_cmp = { - .name = "cmp", - .alloc_len = sizeof(struct nftnl_expr_cmp), - .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1, -+ .attr_policy = cmp_attr_policy, - .set = nftnl_expr_cmp_set, - .get = nftnl_expr_cmp_get, - .parse = nftnl_expr_cmp_parse, -diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c -index 90613f2..1c78c71 100644 ---- a/src/expr/connlimit.c -+++ b/src/expr/connlimit.c -@@ -125,10 +125,16 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len, - connlimit->count, connlimit->flags); - } - -+static struct attr_policy connlimit_attr_policy[__NFTNL_EXPR_CONNLIMIT_MAX] = { -+ [NFTNL_EXPR_CONNLIMIT_COUNT] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_CONNLIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_connlimit = { - .name = "connlimit", - .alloc_len = sizeof(struct nftnl_expr_connlimit), - .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1, -+ .attr_policy = connlimit_attr_policy, - .set = nftnl_expr_connlimit_set, - .get = nftnl_expr_connlimit_get, - .parse = nftnl_expr_connlimit_parse, -diff --git a/src/expr/counter.c b/src/expr/counter.c -index a003e24..2c6f2a7 100644 ---- a/src/expr/counter.c -+++ b/src/expr/counter.c -@@ -123,10 +123,16 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len, - ctr->pkts, ctr->bytes); - } - -+static struct attr_policy counter_attr_policy[__NFTNL_EXPR_CTR_MAX] = { -+ [NFTNL_EXPR_CTR_PACKETS] = { .maxlen = sizeof(uint64_t) }, -+ 
[NFTNL_EXPR_CTR_BYTES] = { .maxlen = sizeof(uint64_t) }, -+}; -+ - struct expr_ops expr_ops_counter = { - .name = "counter", - .alloc_len = sizeof(struct nftnl_expr_counter), - .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1, -+ .attr_policy = counter_attr_policy, - .set = nftnl_expr_counter_set, - .get = nftnl_expr_counter_get, - .parse = nftnl_expr_counter_parse, -diff --git a/src/expr/ct.c b/src/expr/ct.c -index 197454e..f7dd40d 100644 ---- a/src/expr/ct.c -+++ b/src/expr/ct.c -@@ -248,10 +248,18 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy ct_attr_policy[__NFTNL_EXPR_CT_MAX] = { -+ [NFTNL_EXPR_CT_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_CT_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_CT_DIR] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_EXPR_CT_SREG] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_ct = { - .name = "ct", - .alloc_len = sizeof(struct nftnl_expr_ct), - .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1, -+ .attr_policy = ct_attr_policy, - .set = nftnl_expr_ct_set, - .get = nftnl_expr_ct_get, - .parse = nftnl_expr_ct_parse, -diff --git a/src/expr/dup.c b/src/expr/dup.c -index 20100ab..6a5e4ca 100644 ---- a/src/expr/dup.c -+++ b/src/expr/dup.c -@@ -128,10 +128,16 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy dup_attr_policy[__NFTNL_EXPR_DUP_MAX] = { -+ [NFTNL_EXPR_DUP_SREG_ADDR] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_DUP_SREG_DEV] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_dup = { - .name = "dup", - .alloc_len = sizeof(struct nftnl_expr_dup), - .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1, -+ .attr_policy = dup_attr_policy, - .set = nftnl_expr_dup_set, - .get = nftnl_expr_dup_get, - .parse = nftnl_expr_dup_parse, -diff --git a/src/expr/dynset.c b/src/expr/dynset.c -index ee6ce1e..c1f79b5 100644 ---- a/src/expr/dynset.c -+++ b/src/expr/dynset.c -@@ -363,10 +363,23 
@@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e) - nftnl_expr_free(expr); - } - -+static struct attr_policy dynset_attr_policy[__NFTNL_EXPR_DYNSET_MAX] = { -+ [NFTNL_EXPR_DYNSET_SREG_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_DYNSET_SREG_DATA] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_DYNSET_OP] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_DYNSET_TIMEOUT] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_EXPR_DYNSET_SET_NAME] = { .maxlen = NFT_SET_MAXNAMELEN }, -+ [NFTNL_EXPR_DYNSET_SET_ID] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_DYNSET_EXPR] = { .maxlen = 0 }, -+ [NFTNL_EXPR_DYNSET_EXPRESSIONS] = { .maxlen = 0 }, -+ [NFTNL_EXPR_DYNSET_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_dynset = { - .name = "dynset", - .alloc_len = sizeof(struct nftnl_expr_dynset), - .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1, -+ .attr_policy = dynset_attr_policy, - .init = nftnl_expr_dynset_init, - .free = nftnl_expr_dynset_free, - .set = nftnl_expr_dynset_set, -diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c -index 77ff7db..93b7521 100644 ---- a/src/expr/exthdr.c -+++ b/src/expr/exthdr.c -@@ -257,10 +257,21 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len, - - } - -+static struct attr_policy exthdr_attr_policy[__NFTNL_EXPR_EXTHDR_MAX] = { -+ [NFTNL_EXPR_EXTHDR_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_EXTHDR_TYPE] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_EXPR_EXTHDR_OFFSET] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_EXTHDR_LEN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_EXTHDR_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_EXTHDR_OP] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_EXTHDR_SREG] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_exthdr = { - .name = "exthdr", - .alloc_len = sizeof(struct nftnl_expr_exthdr), - .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1, -+ .attr_policy = exthdr_attr_policy, - .set = nftnl_expr_exthdr_set, - .get = 
nftnl_expr_exthdr_get, - .parse = nftnl_expr_exthdr_parse, -diff --git a/src/expr/fib.c b/src/expr/fib.c -index 5d2303f..5f7bef4 100644 ---- a/src/expr/fib.c -+++ b/src/expr/fib.c -@@ -188,10 +188,17 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy fib_attr_policy[__NFTNL_EXPR_FIB_MAX] = { -+ [NFTNL_EXPR_FIB_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_FIB_RESULT] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_FIB_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_fib = { - .name = "fib", - .alloc_len = sizeof(struct nftnl_expr_fib), - .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1, -+ .attr_policy = fib_attr_policy, - .set = nftnl_expr_fib_set, - .get = nftnl_expr_fib_get, - .parse = nftnl_expr_fib_parse, -diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c -index 9ab068d..5f209a6 100644 ---- a/src/expr/flow_offload.c -+++ b/src/expr/flow_offload.c -@@ -109,10 +109,15 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e) - xfree(flow->table_name); - } - -+static struct attr_policy flow_offload_attr_policy[__NFTNL_EXPR_FLOW_MAX] = { -+ [NFTNL_EXPR_FLOW_TABLE_NAME] = { .maxlen = NFT_NAME_MAXLEN }, -+}; -+ - struct expr_ops expr_ops_flow = { - .name = "flow_offload", - .alloc_len = sizeof(struct nftnl_expr_flow), - .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1, -+ .attr_policy = flow_offload_attr_policy, - .free = nftnl_expr_flow_free, - .set = nftnl_expr_flow_set, - .get = nftnl_expr_flow_get, -diff --git a/src/expr/fwd.c b/src/expr/fwd.c -index bd1b1d8..566d6f4 100644 ---- a/src/expr/fwd.c -+++ b/src/expr/fwd.c -@@ -148,10 +148,17 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy fwd_attr_policy[__NFTNL_EXPR_FWD_MAX] = { -+ [NFTNL_EXPR_FWD_SREG_DEV] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_FWD_SREG_ADDR] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_FWD_NFPROTO] = { .maxlen = 
sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_fwd = { - .name = "fwd", - .alloc_len = sizeof(struct nftnl_expr_fwd), - .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1, -+ .attr_policy = fwd_attr_policy, - .set = nftnl_expr_fwd_set, - .get = nftnl_expr_fwd_get, - .parse = nftnl_expr_fwd_parse, -diff --git a/src/expr/hash.c b/src/expr/hash.c -index 1fc72ec..4cd9006 100644 ---- a/src/expr/hash.c -+++ b/src/expr/hash.c -@@ -218,10 +218,21 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy hash_attr_policy[__NFTNL_EXPR_HASH_MAX] = { -+ [NFTNL_EXPR_HASH_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_HASH_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_HASH_LEN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_HASH_MODULUS] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_HASH_SEED] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_HASH_OFFSET] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_HASH_TYPE] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_hash = { - .name = "hash", - .alloc_len = sizeof(struct nftnl_expr_hash), - .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1, -+ .attr_policy = hash_attr_policy, - .set = nftnl_expr_hash_set, - .get = nftnl_expr_hash_get, - .parse = nftnl_expr_hash_parse, -diff --git a/src/expr/immediate.c b/src/expr/immediate.c -index 6ab8417..8645ab3 100644 ---- a/src/expr/immediate.c -+++ b/src/expr/immediate.c -@@ -216,10 +216,19 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e) - nftnl_free_verdict(&imm->data); - } - -+static struct attr_policy immediate_attr_policy[__NFTNL_EXPR_IMM_MAX] = { -+ [NFTNL_EXPR_IMM_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_IMM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, -+ [NFTNL_EXPR_IMM_VERDICT] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN }, -+ [NFTNL_EXPR_IMM_CHAIN_ID] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops 
expr_ops_immediate = { - .name = "immediate", - .alloc_len = sizeof(struct nftnl_expr_immediate), - .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1, -+ .attr_policy = immediate_attr_policy, - .free = nftnl_expr_immediate_free, - .set = nftnl_expr_immediate_set, - .get = nftnl_expr_immediate_get, -diff --git a/src/expr/inner.c b/src/expr/inner.c -index 515f68d..45ef4fb 100644 ---- a/src/expr/inner.c -+++ b/src/expr/inner.c -@@ -199,10 +199,18 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags, - return offset; - } - -+static struct attr_policy inner_attr_policy[__NFTNL_EXPR_INNER_MAX] = { -+ [NFTNL_EXPR_INNER_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_INNER_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_INNER_HDRSIZE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_INNER_EXPR] = { .maxlen = 0 }, -+}; -+ - struct expr_ops expr_ops_inner = { - .name = "inner", - .alloc_len = sizeof(struct nftnl_expr_inner), - .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1, -+ .attr_policy = inner_attr_policy, - .free = nftnl_expr_inner_free, - .set = nftnl_expr_inner_set, - .get = nftnl_expr_inner_get, -diff --git a/src/expr/last.c b/src/expr/last.c -index 8aa772c..074f463 100644 ---- a/src/expr/last.c -+++ b/src/expr/last.c -@@ -124,10 +124,16 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len, - return snprintf(buf, len, "%"PRIu64" ", last->msecs); - } - -+static struct attr_policy last_attr_policy[__NFTNL_EXPR_LAST_MAX] = { -+ [NFTNL_EXPR_LAST_MSECS] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_EXPR_LAST_SET] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_last = { - .name = "last", - .alloc_len = sizeof(struct nftnl_expr_last), - .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1, -+ .attr_policy = last_attr_policy, - .set = nftnl_expr_last_set, - .get = nftnl_expr_last_get, - .parse = nftnl_expr_last_parse, -diff --git a/src/expr/limit.c b/src/expr/limit.c -index 355d46a..935d449 100644 ---- a/src/expr/limit.c -+++ 
b/src/expr/limit.c -@@ -192,10 +192,19 @@ nftnl_expr_limit_snprintf(char *buf, size_t len, - limit_to_type(limit->type), limit->flags); - } - -+static struct attr_policy limit_attr_policy[__NFTNL_EXPR_LIMIT_MAX] = { -+ [NFTNL_EXPR_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_EXPR_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_EXPR_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_limit = { - .name = "limit", - .alloc_len = sizeof(struct nftnl_expr_limit), - .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1, -+ .attr_policy = limit_attr_policy, - .set = nftnl_expr_limit_set, - .get = nftnl_expr_limit_get, - .parse = nftnl_expr_limit_parse, -diff --git a/src/expr/log.c b/src/expr/log.c -index 868da61..d6d6910 100644 ---- a/src/expr/log.c -+++ b/src/expr/log.c -@@ -242,10 +242,20 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e) - xfree(log->prefix); - } - -+static struct attr_policy log_attr_policy[__NFTNL_EXPR_LOG_MAX] = { -+ [NFTNL_EXPR_LOG_PREFIX] = { .maxlen = NF_LOG_PREFIXLEN }, -+ [NFTNL_EXPR_LOG_GROUP] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_EXPR_LOG_SNAPLEN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LOG_QTHRESHOLD] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_EXPR_LOG_LEVEL] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LOG_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_log = { - .name = "log", - .alloc_len = sizeof(struct nftnl_expr_log), - .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1, -+ .attr_policy = log_attr_policy, - .free = nftnl_expr_log_free, - .set = nftnl_expr_log_set, - .get = nftnl_expr_log_get, -diff --git a/src/expr/lookup.c b/src/expr/lookup.c -index ca58a38..be04528 100644 ---- a/src/expr/lookup.c -+++ b/src/expr/lookup.c -@@ -195,10 +195,19 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e) - 
xfree(lookup->set_name); - } - -+static struct attr_policy lookup_attr_policy[__NFTNL_EXPR_LOOKUP_MAX] = { -+ [NFTNL_EXPR_LOOKUP_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LOOKUP_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LOOKUP_SET] = { .maxlen = NFT_SET_MAXNAMELEN }, -+ [NFTNL_EXPR_LOOKUP_SET_ID] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_LOOKUP_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_lookup = { - .name = "lookup", - .alloc_len = sizeof(struct nftnl_expr_lookup), - .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1, -+ .attr_policy = lookup_attr_policy, - .free = nftnl_expr_lookup_free, - .set = nftnl_expr_lookup_set, - .get = nftnl_expr_lookup_get, -diff --git a/src/expr/masq.c b/src/expr/masq.c -index fa2f4af..4be5a9c 100644 ---- a/src/expr/masq.c -+++ b/src/expr/masq.c -@@ -153,10 +153,17 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy masq_attr_policy[__NFTNL_EXPR_MASQ_MAX] = { -+ [NFTNL_EXPR_MASQ_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_MASQ_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_MASQ_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_masq = { - .name = "masq", - .alloc_len = sizeof(struct nftnl_expr_masq), - .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1, -+ .attr_policy = masq_attr_policy, - .set = nftnl_expr_masq_set, - .get = nftnl_expr_masq_get, - .parse = nftnl_expr_masq_parse, -diff --git a/src/expr/match.c b/src/expr/match.c -index 16e7367..68288dc 100644 ---- a/src/expr/match.c -+++ b/src/expr/match.c -@@ -178,10 +178,17 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e) - xfree(match->data); - } - -+static struct attr_policy match_attr_policy[__NFTNL_EXPR_MT_MAX] = { -+ [NFTNL_EXPR_MT_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN }, -+ [NFTNL_EXPR_MT_REV] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_MT_INFO] = { .maxlen = 0 }, -+}; -+ - 
struct expr_ops expr_ops_match = { - .name = "match", - .alloc_len = sizeof(struct nftnl_expr_match), - .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1, -+ .attr_policy = match_attr_policy, - .free = nftnl_expr_match_free, - .set = nftnl_expr_match_set, - .get = nftnl_expr_match_get, -diff --git a/src/expr/meta.c b/src/expr/meta.c -index 1db2c19..cd49c34 100644 ---- a/src/expr/meta.c -+++ b/src/expr/meta.c -@@ -207,10 +207,17 @@ nftnl_expr_meta_snprintf(char *buf, size_t len, - return 0; - } - -+static struct attr_policy meta_attr_policy[__NFTNL_EXPR_META_MAX] = { -+ [NFTNL_EXPR_META_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_META_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_META_SREG] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_meta = { - .name = "meta", - .alloc_len = sizeof(struct nftnl_expr_meta), - .nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1, -+ .attr_policy = meta_attr_policy, - .set = nftnl_expr_meta_set, - .get = nftnl_expr_meta_get, - .parse = nftnl_expr_meta_parse, -diff --git a/src/expr/nat.c b/src/expr/nat.c -index 724894a..f3f8644 100644 ---- a/src/expr/nat.c -+++ b/src/expr/nat.c -@@ -264,10 +264,21 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy nat_attr_policy[__NFTNL_EXPR_NAT_MAX] = { -+ [NFTNL_EXPR_NAT_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NAT_FAMILY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NAT_REG_ADDR_MIN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NAT_REG_ADDR_MAX] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NAT_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NAT_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NAT_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_nat = { - .name = "nat", - .alloc_len = sizeof(struct nftnl_expr_nat), - .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1, -+ .attr_policy = nat_attr_policy, - .set = nftnl_expr_nat_set, - .get = 
nftnl_expr_nat_get, - .parse = nftnl_expr_nat_parse, -diff --git a/src/expr/numgen.c b/src/expr/numgen.c -index 3e83e05..c5e8772 100644 ---- a/src/expr/numgen.c -+++ b/src/expr/numgen.c -@@ -172,10 +172,18 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy numgen_attr_policy[__NFTNL_EXPR_NG_MAX] = { -+ [NFTNL_EXPR_NG_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NG_MODULUS] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NG_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_NG_OFFSET] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_ng = { - .name = "numgen", - .alloc_len = sizeof(struct nftnl_expr_ng), - .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1, -+ .attr_policy = numgen_attr_policy, - .set = nftnl_expr_ng_set, - .get = nftnl_expr_ng_get, - .parse = nftnl_expr_ng_parse, -diff --git a/src/expr/objref.c b/src/expr/objref.c -index 28cd2cc..59e1ddd 100644 ---- a/src/expr/objref.c -+++ b/src/expr/objref.c -@@ -194,10 +194,19 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e) - xfree(objref->set.name); - } - -+static struct attr_policy objref_attr_policy[__NFTNL_EXPR_OBJREF_MAX] = { -+ [NFTNL_EXPR_OBJREF_IMM_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_OBJREF_IMM_NAME] = { .maxlen = NFT_NAME_MAXLEN }, -+ [NFTNL_EXPR_OBJREF_SET_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_OBJREF_SET_NAME] = { .maxlen = NFT_NAME_MAXLEN }, -+ [NFTNL_EXPR_OBJREF_SET_ID] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_objref = { - .name = "objref", - .alloc_len = sizeof(struct nftnl_expr_objref), - .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1, -+ .attr_policy = objref_attr_policy, - .free = nftnl_expr_objref_free, - .set = nftnl_expr_objref_set, - .get = nftnl_expr_objref_get, -diff --git a/src/expr/osf.c b/src/expr/osf.c -index 3838af7..1e4ceb0 100644 ---- a/src/expr/osf.c -+++ b/src/expr/osf.c -@@ -139,10 +139,17 @@ nftnl_expr_osf_snprintf(char 
*buf, size_t len, - return offset; - } - -+static struct attr_policy osf_attr_policy[__NFTNL_EXPR_OSF_MAX] = { -+ [NFTNL_EXPR_OSF_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_OSF_TTL] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_EXPR_OSF_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_osf = { - .name = "osf", - .alloc_len = sizeof(struct nftnl_expr_osf), - .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1, -+ .attr_policy = osf_attr_policy, - .set = nftnl_expr_osf_set, - .get = nftnl_expr_osf_get, - .parse = nftnl_expr_osf_parse, -diff --git a/src/expr/payload.c b/src/expr/payload.c -index 73cb188..76d38f7 100644 ---- a/src/expr/payload.c -+++ b/src/expr/payload.c -@@ -236,10 +236,22 @@ nftnl_expr_payload_snprintf(char *buf, size_t len, - payload->offset, payload->dreg); - } - -+static struct attr_policy payload_attr_policy[__NFTNL_EXPR_PAYLOAD_MAX] = { -+ [NFTNL_EXPR_PAYLOAD_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_BASE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_OFFSET] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_LEN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_CSUM_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_CSUM_OFFSET] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_PAYLOAD_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_payload = { - .name = "payload", - .alloc_len = sizeof(struct nftnl_expr_payload), - .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1, -+ .attr_policy = payload_attr_policy, - .set = nftnl_expr_payload_set, - .get = nftnl_expr_payload_get, - .parse = nftnl_expr_payload_parse, -diff --git a/src/expr/queue.c b/src/expr/queue.c -index 3343dd4..54792ef 100644 ---- a/src/expr/queue.c -+++ b/src/expr/queue.c -@@ -183,10 +183,18 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy 
queue_attr_policy[__NFTNL_EXPR_QUEUE_MAX] = { -+ [NFTNL_EXPR_QUEUE_NUM] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_EXPR_QUEUE_TOTAL] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_EXPR_QUEUE_FLAGS] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_EXPR_QUEUE_SREG_QNUM] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_queue = { - .name = "queue", - .alloc_len = sizeof(struct nftnl_expr_queue), - .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1, -+ .attr_policy = queue_attr_policy, - .set = nftnl_expr_queue_set, - .get = nftnl_expr_queue_get, - .parse = nftnl_expr_queue_parse, -diff --git a/src/expr/quota.c b/src/expr/quota.c -index 2a3a05a..60631fe 100644 ---- a/src/expr/quota.c -+++ b/src/expr/quota.c -@@ -137,10 +137,17 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len, - quota->bytes, quota->consumed, quota->flags); - } - -+static struct attr_policy quota_attr_policy[__NFTNL_EXPR_QUOTA_MAX] = { -+ [NFTNL_EXPR_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_EXPR_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) }, -+}; -+ - struct expr_ops expr_ops_quota = { - .name = "quota", - .alloc_len = sizeof(struct nftnl_expr_quota), - .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1, -+ .attr_policy = quota_attr_policy, - .set = nftnl_expr_quota_set, - .get = nftnl_expr_quota_get, - .parse = nftnl_expr_quota_parse, -diff --git a/src/expr/range.c b/src/expr/range.c -index d0c52b9..6310b79 100644 ---- a/src/expr/range.c -+++ b/src/expr/range.c -@@ -199,10 +199,18 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy range_attr_policy[__NFTNL_EXPR_RANGE_MAX] = { -+ [NFTNL_EXPR_RANGE_SREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_RANGE_OP] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_RANGE_FROM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, -+ [NFTNL_EXPR_RANGE_TO_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, -+}; -+ - 
struct expr_ops expr_ops_range = { - .name = "range", - .alloc_len = sizeof(struct nftnl_expr_range), - .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1, -+ .attr_policy = range_attr_policy, - .set = nftnl_expr_range_set, - .get = nftnl_expr_range_get, - .parse = nftnl_expr_range_parse, -diff --git a/src/expr/redir.c b/src/expr/redir.c -index a5a5e7d..69095bd 100644 ---- a/src/expr/redir.c -+++ b/src/expr/redir.c -@@ -157,10 +157,17 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy redir_attr_policy[__NFTNL_EXPR_REDIR_MAX] = { -+ [NFTNL_EXPR_REDIR_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_REDIR_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_REDIR_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_redir = { - .name = "redir", - .alloc_len = sizeof(struct nftnl_expr_redir), - .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1, -+ .attr_policy = redir_attr_policy, - .set = nftnl_expr_redir_set, - .get = nftnl_expr_redir_get, - .parse = nftnl_expr_redir_parse, -diff --git a/src/expr/reject.c b/src/expr/reject.c -index 8a0653d..f97011a 100644 ---- a/src/expr/reject.c -+++ b/src/expr/reject.c -@@ -124,10 +124,16 @@ nftnl_expr_reject_snprintf(char *buf, size_t len, - reject->type, reject->icmp_code); - } - -+static struct attr_policy reject_attr_policy[__NFTNL_EXPR_REJECT_MAX] = { -+ [NFTNL_EXPR_REJECT_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_REJECT_CODE] = { .maxlen = sizeof(uint8_t) }, -+}; -+ - struct expr_ops expr_ops_reject = { - .name = "reject", - .alloc_len = sizeof(struct nftnl_expr_reject), - .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1, -+ .attr_policy = reject_attr_policy, - .set = nftnl_expr_reject_set, - .get = nftnl_expr_reject_get, - .parse = nftnl_expr_reject_parse, -diff --git a/src/expr/rt.c b/src/expr/rt.c -index de2bd2f..0ab2556 100644 ---- a/src/expr/rt.c -+++ b/src/expr/rt.c -@@ -152,10 +152,16 @@ nftnl_expr_rt_snprintf(char 
*buf, size_t len, - return 0; - } - -+static struct attr_policy rt_attr_policy[__NFTNL_EXPR_RT_MAX] = { -+ [NFTNL_EXPR_RT_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_RT_DREG] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_rt = { - .name = "rt", - .alloc_len = sizeof(struct nftnl_expr_rt), - .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1, -+ .attr_policy = rt_attr_policy, - .set = nftnl_expr_rt_set, - .get = nftnl_expr_rt_get, - .parse = nftnl_expr_rt_parse, -diff --git a/src/expr/socket.c b/src/expr/socket.c -index 9b6c3ea..d0d8e23 100644 ---- a/src/expr/socket.c -+++ b/src/expr/socket.c -@@ -155,10 +155,17 @@ nftnl_expr_socket_snprintf(char *buf, size_t len, - return 0; - } - -+static struct attr_policy socket_attr_policy[__NFTNL_EXPR_SOCKET_MAX] = { -+ [NFTNL_EXPR_SOCKET_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_SOCKET_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_SOCKET_LEVEL] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_socket = { - .name = "socket", - .alloc_len = sizeof(struct nftnl_expr_socket), - .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1, -+ .attr_policy = socket_attr_policy, - .set = nftnl_expr_socket_set, - .get = nftnl_expr_socket_get, - .parse = nftnl_expr_socket_parse, -diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c -index dc25962..898d292 100644 ---- a/src/expr/synproxy.c -+++ b/src/expr/synproxy.c -@@ -144,10 +144,17 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len, - return offset; - } - -+static struct attr_policy synproxy_attr_policy[__NFTNL_EXPR_SYNPROXY_MAX] = { -+ [NFTNL_EXPR_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_EXPR_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_EXPR_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_synproxy = { - .name = "synproxy", - .alloc_len = sizeof(struct nftnl_expr_synproxy), - .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1, -+ .attr_policy = 
synproxy_attr_policy, - .set = nftnl_expr_synproxy_set, - .get = nftnl_expr_synproxy_get, - .parse = nftnl_expr_synproxy_parse, -diff --git a/src/expr/target.c b/src/expr/target.c -index cc0566c..9bfd25b 100644 ---- a/src/expr/target.c -+++ b/src/expr/target.c -@@ -178,10 +178,17 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e) - xfree(target->data); - } - -+static struct attr_policy target_attr_policy[__NFTNL_EXPR_TG_MAX] = { -+ [NFTNL_EXPR_TG_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN }, -+ [NFTNL_EXPR_TG_REV] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_TG_INFO] = { .maxlen = 0 }, -+}; -+ - struct expr_ops expr_ops_target = { - .name = "target", - .alloc_len = sizeof(struct nftnl_expr_target), - .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1, -+ .attr_policy = target_attr_policy, - .free = nftnl_expr_target_free, - .set = nftnl_expr_target_set, - .get = nftnl_expr_target_get, -diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c -index c6ed888..4948392 100644 ---- a/src/expr/tproxy.c -+++ b/src/expr/tproxy.c -@@ -160,10 +160,17 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy tproxy_attr_policy[__NFTNL_EXPR_TPROXY_MAX] = { -+ [NFTNL_EXPR_TPROXY_FAMILY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_TPROXY_REG_ADDR] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_TPROXY_REG_PORT] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_tproxy = { - .name = "tproxy", - .alloc_len = sizeof(struct nftnl_expr_tproxy), - .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1, -+ .attr_policy = tproxy_attr_policy, - .set = nftnl_expr_tproxy_set, - .get = nftnl_expr_tproxy_get, - .parse = nftnl_expr_tproxy_parse, -diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c -index e59744b..8089d0b 100644 ---- a/src/expr/tunnel.c -+++ b/src/expr/tunnel.c -@@ -135,10 +135,16 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len, - return 0; - } - -+static struct attr_policy 
tunnel_attr_policy[__NFTNL_EXPR_TUNNEL_MAX] = { -+ [NFTNL_EXPR_TUNNEL_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_TUNNEL_DREG] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_tunnel = { - .name = "tunnel", - .alloc_len = sizeof(struct nftnl_expr_tunnel), - .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1, -+ .attr_policy = tunnel_attr_policy, - .set = nftnl_expr_tunnel_set, - .get = nftnl_expr_tunnel_get, - .parse = nftnl_expr_tunnel_parse, -diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c -index 3f4cb0a..dc867a2 100644 ---- a/src/expr/xfrm.c -+++ b/src/expr/xfrm.c -@@ -188,10 +188,19 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy xfrm_attr_policy[__NFTNL_EXPR_XFRM_MAX] = { -+ [NFTNL_EXPR_XFRM_DREG] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 }, -+ [NFTNL_EXPR_XFRM_KEY] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_EXPR_XFRM_DIR] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_EXPR_XFRM_SPNUM] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct expr_ops expr_ops_xfrm = { - .name = "xfrm", - .alloc_len = sizeof(struct nftnl_expr_xfrm), - .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1, -+ .attr_policy = xfrm_attr_policy, - .set = nftnl_expr_xfrm_set, - .get = nftnl_expr_xfrm_get, - .parse = nftnl_expr_xfrm_parse, diff --git a/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch b/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch deleted file mode 100644 index 6d1175f..0000000 --- a/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 244e36b93c9271e3dc9d4bbce5fa395f1db7e376 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] expr: Enforce attr_policy compliance in nftnl_expr_set() - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 62db596bf1f3dabffac3e0b9b0c3db487bfff828 - -commit 62db596bf1f3dabffac3e0b9b0c3db487bfff828 -Author: Phil Sutter -Date: Fri Dec 15 16:32:30 2023 +0100 - - expr: Enforce attr_policy compliance in nftnl_expr_set() - - Every expression type defines an attr_policy array, so deny setting - attributes if not present. Also deny if maxlen field is non-zero and - lower than the given data_len. - - Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO ) - or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero - maxlen "nop" is also used for deprecated attributes, just to not - silently ignore them. - - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/expr.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/expr.c b/src/expr.c -index 74d211b..4e32189 100644 ---- a/src/expr.c -+++ b/src/expr.c -@@ -74,6 +74,13 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, - if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr) - return -1; - -+ if (!expr->ops->attr_policy) -+ return -1; -+ -+ if (expr->ops->attr_policy[type].maxlen && -+ expr->ops->attr_policy[type].maxlen < data_len) -+ return -1; -+ - if (expr->ops->set(expr, type, data, data_len) < 0) - return -1; - } diff --git a/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch b/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch deleted file mode 100644 index 30e1267..0000000 --- a/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From d1ee302a2805a06e1d016a2f6c6c856df5c925b2 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] chain: Validate NFTNL_CHAIN_USE, too - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 104b83489d96642752e774c59e54e816dee85f26 - -commit 104b83489d96642752e774c59e54e816dee85f26 -Author: Phil Sutter -Date: Thu Mar 14 17:22:14 2024 +0100 - - chain: Validate NFTNL_CHAIN_USE, too - - Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/chain.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/chain.c b/src/chain.c -index dcfcd04..e0b1eaf 100644 ---- a/src/chain.c -+++ b/src/chain.c -@@ -196,6 +196,7 @@ static uint32_t nftnl_chain_validate[NFTNL_CHAIN_MAX + 1] = { - [NFTNL_CHAIN_HOOKNUM] = sizeof(uint32_t), - [NFTNL_CHAIN_PRIO] = sizeof(int32_t), - [NFTNL_CHAIN_POLICY] = sizeof(uint32_t), -+ [NFTNL_CHAIN_USE] = sizeof(uint32_t), - [NFTNL_CHAIN_BYTES] = sizeof(uint64_t), - [NFTNL_CHAIN_PACKETS] = sizeof(uint64_t), - [NFTNL_CHAIN_HANDLE] = sizeof(uint64_t), diff --git a/0013-table-Validate-NFTNL_TABLE_USE-too.patch b/0013-table-Validate-NFTNL_TABLE_USE-too.patch deleted file mode 100644 index 33d536c..0000000 --- a/0013-table-Validate-NFTNL_TABLE_USE-too.patch +++ /dev/null @@ -1,34 +0,0 @@ -From aff3c03195ad34f4bc8d59ab031cd3ad5ba18f1b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] table: Validate NFTNL_TABLE_USE, too - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 8d3ed0716c619213916140e1ea42945f5202ea5c - -commit 8d3ed0716c619213916140e1ea42945f5202ea5c -Author: Phil Sutter -Date: Thu Mar 14 17:25:05 2024 +0100 - - table: Validate NFTNL_TABLE_USE, too - - Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface") - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/table.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/table.c b/src/table.c -index 59e7053..4a439ff 100644 ---- a/src/table.c -+++ b/src/table.c -@@ -88,6 +88,7 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = { - [NFTNL_TABLE_FLAGS] = sizeof(uint32_t), - [NFTNL_TABLE_FAMILY] = sizeof(uint32_t), - [NFTNL_TABLE_HANDLE] = sizeof(uint64_t), -+ [NFTNL_TABLE_USE] = sizeof(uint32_t), - }; - - EXPORT_SYMBOL(nftnl_table_set_data); diff --git a/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch b/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch deleted file mode 100644 index 4a82770..0000000 --- a/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e0cfd83bb9e083dcb81cb1b94f8b5de5c5eb5a4d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] flowtable: Validate NFTNL_FLOWTABLE_SIZE, too - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit b8a502b359221c6fb9c35618550364e2ebf116fb - -commit b8a502b359221c6fb9c35618550364e2ebf116fb -Author: Phil Sutter -Date: Thu Mar 14 17:26:33 2024 +0100 - - flowtable: Validate NFTNL_FLOWTABLE_SIZE, too - - Fixes: cdaea7f1ced05 ("flowtable: allow to specify size") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/flowtable.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/flowtable.c b/src/flowtable.c -index e6c2475..2f37cd4 100644 ---- a/src/flowtable.c -+++ b/src/flowtable.c -@@ -102,6 +102,7 @@ static uint32_t nftnl_flowtable_validate[NFTNL_FLOWTABLE_MAX + 1] = { - [NFTNL_FLOWTABLE_HOOKNUM] = sizeof(uint32_t), - [NFTNL_FLOWTABLE_PRIO] = sizeof(int32_t), - [NFTNL_FLOWTABLE_FAMILY] = sizeof(uint32_t), -+ [NFTNL_FLOWTABLE_SIZE] = sizeof(uint32_t), - [NFTNL_FLOWTABLE_FLAGS] = sizeof(uint32_t), - [NFTNL_FLOWTABLE_HANDLE] = sizeof(uint64_t), - }; 
diff --git a/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch b/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch deleted file mode 100644 index cf55633..0000000 --- a/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 5aca5c8f50c96303530bc7e3fdd16e20a683e1eb Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:40 +0200 -Subject: [PATCH] obj: Validate NFTNL_OBJ_TYPE, too - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit 899920d66b7b2a11c381a95a65b059ff12b9afd6 - -commit 899920d66b7b2a11c381a95a65b059ff12b9afd6 -Author: Phil Sutter -Date: Thu Mar 14 17:28:15 2024 +0100 - - obj: Validate NFTNL_OBJ_TYPE, too - - Fixes: 5573d0146c1ae ("src: support for stateful objects") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/object.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/object.c b/src/object.c -index 232b97a..f498138 100644 ---- a/src/object.c -+++ b/src/object.c -@@ -70,6 +70,7 @@ bool nftnl_obj_is_set(const struct nftnl_obj *obj, uint16_t attr) - } - - static uint32_t nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = { -+ [NFTNL_OBJ_TYPE] = sizeof(uint32_t), - [NFTNL_OBJ_FAMILY] = sizeof(uint32_t), - [NFTNL_OBJ_USE] = sizeof(uint32_t), - [NFTNL_OBJ_HANDLE] = sizeof(uint64_t), diff --git a/0016-set-Validate-NFTNL_SET_ID-too.patch b/0016-set-Validate-NFTNL_SET_ID-too.patch deleted file mode 100644 index 44c8b4d..0000000 --- a/0016-set-Validate-NFTNL_SET_ID-too.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 5825541216d49668aa7d19fdffc4f5519e2f5ff0 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] set: Validate NFTNL_SET_ID, too
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit a9b4d07dfab235324d2efbaa242fcc5ed5efe4c1
-
-commit a9b4d07dfab235324d2efbaa242fcc5ed5efe4c1
-Author: Phil Sutter
-Date: Thu Mar 14 17:29:51 2024 +0100
-
- set: Validate NFTNL_SET_ID, too
-
- Fixes: 26298a9ffc2e2 ("set: add set ID support")
- Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/set.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/set.c b/src/set.c
-index b51ff9e..a732bc0 100644
---- a/src/set.c
-+++ b/src/set.c
-@@ -128,6 +128,7 @@ static uint32_t nftnl_set_validate[NFTNL_SET_MAX + 1] = {
- [NFTNL_SET_DATA_LEN] = sizeof(uint32_t),
- [NFTNL_SET_OBJ_TYPE] = sizeof(uint32_t),
- [NFTNL_SET_FAMILY] = sizeof(uint32_t),
-+ [NFTNL_SET_ID] = sizeof(uint32_t),
- [NFTNL_SET_POLICY] = sizeof(uint32_t),
- [NFTNL_SET_DESC_SIZE] = sizeof(uint32_t),
- [NFTNL_SET_TIMEOUT] = sizeof(uint64_t),
diff --git a/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch b/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch
deleted file mode 100644
index 540495c..0000000
--- a/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 63318c4320c8ad0670409cbabc7e97b05f85add4 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] table: Validate NFTNL_TABLE_OWNER, too
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 08c9cab3352402c1a7d7952d1a2ce0a051f48b14
-
-commit 08c9cab3352402c1a7d7952d1a2ce0a051f48b14
-Author: Phil Sutter
-Date: Thu Mar 14 17:30:30 2024 +0100
-
- table: Validate NFTNL_TABLE_OWNER, too
-
- Fixes: 985955fe41f53 ("table: add table owner support")
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/table.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/table.c b/src/table.c
-index 4a439ff..4f48e8c 100644
---- a/src/table.c
-+++ b/src/table.c
-@@ -89,6 +89,7 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = {
- [NFTNL_TABLE_FAMILY] = sizeof(uint32_t),
- [NFTNL_TABLE_HANDLE] = sizeof(uint64_t),
- [NFTNL_TABLE_USE] = sizeof(uint32_t),
-+ [NFTNL_TABLE_OWNER] = sizeof(uint32_t),
- };
-
- EXPORT_SYMBOL(nftnl_table_set_data);
diff --git a/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch b/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch
deleted file mode 100644
index bfa34a3..0000000
--- a/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From eaa75e076e56224f0d3946a65565a3f72503f091 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] obj: Do not call nftnl_obj_set_data() with zero data_len
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit a113d1ffb6405407d98430807f3534e64a71837e
-
-commit a113d1ffb6405407d98430807f3534e64a71837e
-Author: Phil Sutter
-Date: Thu Mar 14 16:44:34 2024 +0100
-
- obj: Do not call nftnl_obj_set_data() with zero data_len
-
- Pass 'strlen() + 1' as length parameter when setting string attributes,
- just like other string setters do.
-
- Fixes: 5573d0146c1ae ("src: support for stateful objects")
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/object.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/object.c b/src/object.c
-index f498138..e94236e 100644
---- a/src/object.c
-+++ b/src/object.c
-@@ -157,7 +157,7 @@ void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
- EXPORT_SYMBOL(nftnl_obj_set_str);
- void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
- {
-- nftnl_obj_set_data(obj, attr, str, 0);
-+ nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_data);
diff --git a/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch b/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch
deleted file mode 100644
index d7c25c2..0000000
--- a/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 1b3d689b39b1a43038c8872d80154ae1554304ca Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] obj: synproxy: Use memcpy() to handle potentially unaligned
- data
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 721fe5702591d94b6dde1a2cc368986fb70626a8
-
-commit 721fe5702591d94b6dde1a2cc368986fb70626a8
-Author: Phil Sutter
-Date: Thu Mar 7 14:16:05 2024 +0100
-
- obj: synproxy: Use memcpy() to handle potentially unaligned data
-
- Analogous to commit dc240913458d5 ("src: Use memcpy() to handle
- potentially unaligned data").
-
- Fixes: 609a13fc2999e ("src: synproxy stateful object support")
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/obj/synproxy.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
-index baef5c2..4ef97ec 100644
---- a/src/obj/synproxy.c
-+++ b/src/obj/synproxy.c
-@@ -19,13 +19,13 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type,
-
- switch (type) {
- case NFTNL_OBJ_SYNPROXY_MSS:
-- synproxy->mss = *((uint16_t *)data);
-+ memcpy(&synproxy->mss, data, data_len);
- break;
- case NFTNL_OBJ_SYNPROXY_WSCALE:
-- synproxy->wscale = *((uint8_t *)data);
-+ memcpy(&synproxy->wscale, data, data_len);
- break;
- case NFTNL_OBJ_SYNPROXY_FLAGS:
-- synproxy->flags = *((uint32_t *)data);
-+ memcpy(&synproxy->flags, data, data_len);
- break;
- default:
- return -1;
diff --git a/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch b/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch
deleted file mode 100644
index f1f74c3..0000000
--- a/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From c0bdff70b2188ee6ab9375333cdaac39abfaeb8c Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] utils: Fix for wrong variable use in nftnl_assert_validate()
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 8b9b16b3658ed035523156198798b5f29c808c78
-
-commit 8b9b16b3658ed035523156198798b5f29c808c78
-Author: Phil Sutter
-Date: Thu Mar 7 13:59:00 2024 +0100
-
- utils: Fix for wrong variable use in nftnl_assert_validate()
-
- This worked by accident as all callers passed a local variable 'attr' as
- parameter '_attr'.
-
- Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types")
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- include/utils.h | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/include/utils.h b/include/utils.h
-index 8af5a8e..ca12d25 100644
---- a/include/utils.h
-+++ b/include/utils.h
-@@ -37,9 +37,9 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line);
- #define nftnl_assert_validate(data, _validate_array, _attr, _data_len) \
- ({ \
- if (!data) \
-- __nftnl_assert_fail(attr, __FILE__, __LINE__); \
-+ __nftnl_assert_fail(_attr, __FILE__, __LINE__); \
- if (_validate_array[_attr]) \
-- nftnl_assert(data, attr, _validate_array[_attr] == _data_len); \
-+ nftnl_assert(data, _attr, _validate_array[_attr] == _data_len); \
- })
-
- void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max,
-@@ -98,4 +98,7 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type,
- uint32_t cmd, uint32_t type,
- uint32_t flags));
-
-+int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
-+ uint16_t attr, const void *data, uint32_t data_len);
-+
- #endif
diff --git a/0021-object-getters-take-const-struct.patch b/0021-object-getters-take-const-struct.patch
deleted file mode 100644
index b73f1b1..0000000
--- a/0021-object-getters-take-const-struct.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 85918467438e340b81386b9cc709ba6e88ff860b Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:40 +0200
-Subject: [PATCH] object: getters take const struct
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit ff117f50d2f99c03a65b4952b1a6988a8adc700f
-
-commit ff117f50d2f99c03a65b4952b1a6988a8adc700f
-Author: corubba
-Date: Sat Dec 9 23:03:01 2023 +0100
-
- object: getters take const struct
-
- As with all the other entities (like table or set), the getter functions
- for objects now take a `const struct nftnl_obj*` as first parameter.
- The getters for all specific object types (like counter or limit), which
- are called in the default switch-case, already do.
-
- Signed-off-by: corubba
-
Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- include/libnftnl/object.h | 14 +++++++-------
- src/object.c | 14 +++++++-------
- 2 files changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
-index 9bd83a5..4b2d90f 100644
---- a/include/libnftnl/object.h
-+++ b/include/libnftnl/object.h
-@@ -131,14 +131,14 @@ void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
- void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
- void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
- void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
--const void *nftnl_obj_get_data(struct nftnl_obj *ne, uint16_t attr,
-+const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr,
- uint32_t *data_len);
--const void *nftnl_obj_get(struct nftnl_obj *ne, uint16_t attr);
--uint8_t nftnl_obj_get_u8(struct nftnl_obj *ne, uint16_t attr);
--uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr);
--uint32_t nftnl_obj_get_u32(struct nftnl_obj *ne, uint16_t attr);
--uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr);
--const char *nftnl_obj_get_str(struct nftnl_obj *ne, uint16_t attr);
-+const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr);
-+uint8_t nftnl_obj_get_u8(const struct nftnl_obj *ne, uint16_t attr);
-+uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr);
-+uint32_t nftnl_obj_get_u32(const struct nftnl_obj *ne, uint16_t attr);
-+uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr);
-+const char *nftnl_obj_get_str(const struct nftnl_obj *ne, uint16_t attr);
-
- void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh,
- const struct nftnl_obj *ne);
-diff --git a/src/object.c b/src/object.c
-index e94236e..a1a00d8 100644
---- a/src/object.c
-+++ b/src/object.c
-@@ -161,7 +161,7 @@ void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t
attr, const char *str)
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_data);
--const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr,
-+const void *nftnl_obj_get_data(const struct nftnl_obj *obj, uint16_t attr,
- uint32_t *data_len)
- {
- if (!(obj->flags & (1 << attr)))
-@@ -199,42 +199,42 @@ const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr,
- }
-
- EXPORT_SYMBOL(nftnl_obj_get);
--const void *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr)
-+const void *nftnl_obj_get(const struct nftnl_obj *obj, uint16_t attr)
- {
- uint32_t data_len;
- return nftnl_obj_get_data(obj, attr, &data_len);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_u8);
--uint8_t nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr)
-+uint8_t nftnl_obj_get_u8(const struct nftnl_obj *obj, uint16_t attr)
- {
- const void *ret = nftnl_obj_get(obj, attr);
- return ret == NULL ? 0 : *((uint8_t *)ret);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_u16);
--uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr)
-+uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr)
- {
- const void *ret = nftnl_obj_get(obj, attr);
- return ret == NULL ? 0 : *((uint16_t *)ret);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_u32);
--uint32_t nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr)
-+uint32_t nftnl_obj_get_u32(const struct nftnl_obj *obj, uint16_t attr)
- {
- const void *ret = nftnl_obj_get(obj, attr);
- return ret == NULL ? 0 : *((uint32_t *)ret);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_u64);
--uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr)
-+uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr)
- {
- const void *ret = nftnl_obj_get(obj, attr);
- return ret == NULL ? 0 : *((uint64_t *)ret);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_str);
--const char *nftnl_obj_get_str(struct nftnl_obj *obj, uint16_t attr)
-+const char *nftnl_obj_get_str(const struct nftnl_obj *obj, uint16_t attr)
- {
- return nftnl_obj_get(obj, attr);
- }
diff --git a/0022-obj-Return-value-on-setters.patch b/0022-obj-Return-value-on-setters.patch
deleted file mode 100644
index c5bd886..0000000
--- a/0022-obj-Return-value-on-setters.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From 7275fc782f822451b2cba5414037e1b0a1a59bf5 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:41 +0200
-Subject: [PATCH] obj: Return value on setters
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 691f90223712426a2babdb55d7e5526b7310ca6e
-
-commit 691f90223712426a2babdb55d7e5526b7310ca6e
-Author: Phil Sutter
-Date: Thu Mar 14 16:54:55 2024 +0100
-
- obj: Return value on setters
-
- Similar to other setters, let callers know if memory allocation fails.
- Though return value with all setters, as all of them may be used to set
- object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE
- was not set before).
-
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- include/libnftnl/object.h | 14 ++++++-------
- src/object.c | 41 +++++++++++++++++++++++----------------
- 2 files changed, 31 insertions(+), 24 deletions(-)
-
-diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
-index 4b2d90f..e235fdf 100644
---- a/include/libnftnl/object.h
-+++ b/include/libnftnl/object.h
-@@ -123,14 +123,14 @@ void nftnl_obj_free(const struct nftnl_obj *ne);
-
- bool nftnl_obj_is_set(const struct nftnl_obj *ne, uint16_t attr);
- void nftnl_obj_unset(struct nftnl_obj *ne, uint16_t attr);
--void nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
-- uint32_t data_len);
-+int nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
-+ uint32_t data_len);
- void nftnl_obj_set(struct nftnl_obj *ne, uint16_t attr, const void *data) __attribute__((deprecated));
--void nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
--void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
--void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
--void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
--void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
-+int nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
-+int nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
-+int nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
-+int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
-+int nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
- const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr,
- uint32_t *data_len);
- const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr);
-diff --git a/src/object.c b/src/object.c
-index a1a00d8..30e5ee8 100644
---- a/src/object.c
-+++ b/src/object.c
-@@ -77,8 +77,8 @@ static uint32_t
nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = {
- };
-
- EXPORT_SYMBOL(nftnl_obj_set_data);
--void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
-- const void *data, uint32_t data_len)
-+int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
-+ const void *data, uint32_t data_len)
- {
- if (attr < NFTNL_OBJ_MAX)
- nftnl_assert_validate(data, nftnl_obj_validate, attr, data_len);
-@@ -87,15 +87,19 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
- case NFTNL_OBJ_TABLE:
- xfree(obj->table);
- obj->table = strdup(data);
-+ if (!obj->table)
-+ return -1;
- break;
- case NFTNL_OBJ_NAME:
- xfree(obj->name);
- obj->name = strdup(data);
-+ if (!obj->name)
-+ return -1;
- break;
- case NFTNL_OBJ_TYPE:
- obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data));
- if (!obj->ops)
-- return;
-+ return -1;
- break;
- case NFTNL_OBJ_FAMILY:
- memcpy(&obj->family, data, sizeof(obj->family));
-@@ -112,16 +116,19 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
-
- obj->user.data = malloc(data_len);
- if (!obj->user.data)
-- return;
-+ return -1;
- memcpy(obj->user.data, data, data_len);
- obj->user.len = data_len;
- break;
- default:
-- if (obj->ops)
-- obj->ops->set(obj, attr, data, data_len);
-- break;
-+ if (!obj->ops)
-+ return -1;
-+
-+ if (obj->ops->set(obj, attr, data, data_len) < 0)
-+ return -1;
- }
- obj->flags |= (1 << attr);
-+ return 0;
- }
-
- void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) __visible;
-@@ -131,33 +138,33 @@ void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data)
- }
-
- EXPORT_SYMBOL(nftnl_obj_set_u8);
--void nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
-+int nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
- {
-- nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
-+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
- }
-
- EXPORT_SYMBOL(nftnl_obj_set_u16);
--void nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t
attr, uint16_t val)
-+int nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val)
- {
-- nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
-+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
- }
-
- EXPORT_SYMBOL(nftnl_obj_set_u32);
--void nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
-+int nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
- {
-- nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
-+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
- }
-
- EXPORT_SYMBOL(nftnl_obj_set_u64);
--void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
-+int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
- {
-- nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t));
-+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t));
- }
-
- EXPORT_SYMBOL(nftnl_obj_set_str);
--void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
-+int nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
- {
-- nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
-+ return nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
- }
-
- EXPORT_SYMBOL(nftnl_obj_get_data);
diff --git a/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch b/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch
deleted file mode 100644
index 0b31e82..0000000
--- a/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch
+++ /dev/null
@@ -1,234 +0,0 @@
-From 4a180882136a860773c86c507805ef01eb757dd8 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:41 +0200
-Subject: [PATCH] obj: Repurpose struct obj_ops::max_attr field
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit df4e259c0537fff58ecdc7b3ec1546fb2da93968
-
-commit df4e259c0537fff58ecdc7b3ec1546fb2da93968
-Author: Phil Sutter
-Date: Thu Mar 7 13:15:22 2024 +0100
-
- obj: Repurpose struct obj_ops::max_attr field
-
- Just like with struct expr_ops::max_attr, make it hold the maximum
- object attribute (NFTNL_OBJ_*) value supported by this object type.
-
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- include/libnftnl/object.h | 9 +++++++++
- include/obj.h | 2 +-
- src/obj/counter.c | 2 +-
- src/obj/ct_expect.c | 2 +-
- src/obj/ct_helper.c | 2 +-
- src/obj/ct_timeout.c | 2 +-
- src/obj/limit.c | 2 +-
- src/obj/quota.c | 2 +-
- src/obj/secmark.c | 2 +-
- src/obj/synproxy.c | 2 +-
- src/obj/tunnel.c | 2 +-
- 11 files changed, 19 insertions(+), 10 deletions(-)
-
-diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
-index e235fdf..9930355 100644
---- a/include/libnftnl/object.h
-+++ b/include/libnftnl/object.h
-@@ -28,18 +28,21 @@ enum {
- enum {
- NFTNL_OBJ_CTR_PKTS = NFTNL_OBJ_BASE,
- NFTNL_OBJ_CTR_BYTES,
-+ __NFTNL_OBJ_CTR_MAX,
- };
-
- enum {
- NFTNL_OBJ_QUOTA_BYTES = NFTNL_OBJ_BASE,
- NFTNL_OBJ_QUOTA_CONSUMED,
- NFTNL_OBJ_QUOTA_FLAGS,
-+ __NFTNL_OBJ_QUOTA_MAX,
- };
-
- enum {
- NFTNL_OBJ_CT_HELPER_NAME = NFTNL_OBJ_BASE,
- NFTNL_OBJ_CT_HELPER_L3PROTO,
- NFTNL_OBJ_CT_HELPER_L4PROTO,
-+ __NFTNL_OBJ_CT_HELPER_MAX,
- };
-
- enum nftnl_cttimeout_array_tcp {
-@@ -69,6 +72,7 @@ enum {
- NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE,
- NFTNL_OBJ_CT_TIMEOUT_L4PROTO,
- NFTNL_OBJ_CT_TIMEOUT_ARRAY,
-+ __NFTNL_OBJ_CT_TIMEOUT_MAX,
- };
-
- enum {
-@@ -77,6 +81,7 @@ enum {
- NFTNL_OBJ_CT_EXPECT_DPORT,
- NFTNL_OBJ_CT_EXPECT_TIMEOUT,
- NFTNL_OBJ_CT_EXPECT_SIZE,
-+ __NFTNL_OBJ_CT_EXPECT_MAX,
- };
-
- enum {
-@@ -85,12 +90,14 @@ enum {
- NFTNL_OBJ_LIMIT_BURST,
- NFTNL_OBJ_LIMIT_TYPE,
- NFTNL_OBJ_LIMIT_FLAGS,
-+ __NFTNL_OBJ_LIMIT_MAX,
- };
-
- enum {
- NFTNL_OBJ_SYNPROXY_MSS = NFTNL_OBJ_BASE,
- NFTNL_OBJ_SYNPROXY_WSCALE,
- NFTNL_OBJ_SYNPROXY_FLAGS,
-+ __NFTNL_OBJ_SYNPROXY_MAX,
- };
-
- enum {
-@@ -110,10 +117,12 @@ enum {
- NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX,
- NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID,
- NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR,
-+ __NFTNL_OBJ_TUNNEL_MAX,
- };
-
- enum {
- NFTNL_OBJ_SECMARK_CTX = NFTNL_OBJ_BASE,
-+ __NFTNL_OBJ_SECMARK_MAX,
- };
-
- struct nftnl_obj;
-diff --git a/include/obj.h
b/include/obj.h
-index d848ac9..6d2af8d 100644
---- a/include/obj.h
-+++ b/include/obj.h
-@@ -104,7 +104,7 @@ struct obj_ops {
- const char *name;
- uint32_t type;
- size_t alloc_len;
-- int max_attr;
-+ int nftnl_max_attr;
- int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len);
- const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len);
- int (*parse)(struct nftnl_obj *e, struct nlattr *attr);
-diff --git a/src/obj/counter.c b/src/obj/counter.c
-index ebf3e74..76a1b20 100644
---- a/src/obj/counter.c
-+++ b/src/obj/counter.c
-@@ -122,7 +122,7 @@ struct obj_ops obj_ops_counter = {
- .name = "counter",
- .type = NFT_OBJECT_COUNTER,
- .alloc_len = sizeof(struct nftnl_obj_counter),
-- .max_attr = NFTA_COUNTER_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1,
- .set = nftnl_obj_counter_set,
- .get = nftnl_obj_counter_get,
- .parse = nftnl_obj_counter_parse,
-diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
-index 810ba9a..7e9c5e1 100644
---- a/src/obj/ct_expect.c
-+++ b/src/obj/ct_expect.c
-@@ -191,7 +191,7 @@ struct obj_ops obj_ops_ct_expect = {
- .name = "ct_expect",
- .type = NFT_OBJECT_CT_EXPECT,
- .alloc_len = sizeof(struct nftnl_obj_ct_expect),
-- .max_attr = NFTA_CT_EXPECT_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1,
- .set = nftnl_obj_ct_expect_set,
- .get = nftnl_obj_ct_expect_get,
- .parse = nftnl_obj_ct_expect_parse,
-diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
-index a31bd6f..f8aa734 100644
---- a/src/obj/ct_helper.c
-+++ b/src/obj/ct_helper.c
-@@ -145,7 +145,7 @@ struct obj_ops obj_ops_ct_helper = {
- .name = "ct_helper",
- .type = NFT_OBJECT_CT_HELPER,
- .alloc_len = sizeof(struct nftnl_obj_ct_helper),
-- .max_attr = NFTA_CT_HELPER_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1,
- .set = nftnl_obj_ct_helper_set,
- .get = nftnl_obj_ct_helper_get,
- .parse = nftnl_obj_ct_helper_parse,
-diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
-index fedf9e3..ee86231
100644
---- a/src/obj/ct_timeout.c
-+++ b/src/obj/ct_timeout.c
-@@ -314,7 +314,7 @@ struct obj_ops obj_ops_ct_timeout = {
- .name = "ct_timeout",
- .type = NFT_OBJECT_CT_TIMEOUT,
- .alloc_len = sizeof(struct nftnl_obj_ct_timeout),
-- .max_attr = NFTA_CT_TIMEOUT_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1,
- .set = nftnl_obj_ct_timeout_set,
- .get = nftnl_obj_ct_timeout_get,
- .parse = nftnl_obj_ct_timeout_parse,
-diff --git a/src/obj/limit.c b/src/obj/limit.c
-index d7b1aed..1c54bbc 100644
---- a/src/obj/limit.c
-+++ b/src/obj/limit.c
-@@ -163,7 +163,7 @@ struct obj_ops obj_ops_limit = {
- .name = "limit",
- .type = NFT_OBJECT_LIMIT,
- .alloc_len = sizeof(struct nftnl_obj_limit),
-- .max_attr = NFTA_LIMIT_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1,
- .set = nftnl_obj_limit_set,
- .get = nftnl_obj_limit_get,
- .parse = nftnl_obj_limit_parse,
-diff --git a/src/obj/quota.c b/src/obj/quota.c
-index 6c7559a..a39d552 100644
---- a/src/obj/quota.c
-+++ b/src/obj/quota.c
-@@ -139,7 +139,7 @@ struct obj_ops obj_ops_quota = {
- .name = "quota",
- .type = NFT_OBJECT_QUOTA,
- .alloc_len = sizeof(struct nftnl_obj_quota),
-- .max_attr = NFTA_QUOTA_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1,
- .set = nftnl_obj_quota_set,
- .get = nftnl_obj_quota_get,
- .parse = nftnl_obj_quota_parse,
-diff --git a/src/obj/secmark.c b/src/obj/secmark.c
-index e5c24b3..c78e35f 100644
---- a/src/obj/secmark.c
-+++ b/src/obj/secmark.c
-@@ -111,7 +111,7 @@ struct obj_ops obj_ops_secmark = {
- .name = "secmark",
- .type = NFT_OBJECT_SECMARK,
- .alloc_len = sizeof(struct nftnl_obj_secmark),
-- .max_attr = NFTA_SECMARK_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1,
- .set = nftnl_obj_secmark_set,
- .get = nftnl_obj_secmark_get,
- .parse = nftnl_obj_secmark_parse,
-diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
-index 4ef97ec..d259a51 100644
---- a/src/obj/synproxy.c
-+++ b/src/obj/synproxy.c
-@@ -138,7 +138,7 @@ struct obj_ops obj_ops_synproxy = {
- .name =
"synproxy",
- .type = NFT_OBJECT_SYNPROXY,
- .alloc_len = sizeof(struct nftnl_obj_synproxy),
-- .max_attr = NFTA_SYNPROXY_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1,
- .set = nftnl_obj_synproxy_set,
- .get = nftnl_obj_synproxy_get,
- .parse = nftnl_obj_synproxy_parse,
-diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
-index d2503dc..19a3639 100644
---- a/src/obj/tunnel.c
-+++ b/src/obj/tunnel.c
-@@ -542,7 +542,7 @@ struct obj_ops obj_ops_tunnel = {
- .name = "tunnel",
- .type = NFT_OBJECT_TUNNEL,
- .alloc_len = sizeof(struct nftnl_obj_tunnel),
-- .max_attr = NFTA_TUNNEL_KEY_MAX,
-+ .nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1,
- .set = nftnl_obj_tunnel_set,
- .get = nftnl_obj_tunnel_get,
- .parse = nftnl_obj_tunnel_parse,
diff --git a/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch b/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch
deleted file mode 100644
index 5dbb98d..0000000
--- a/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From 0203ccf90e6f8a246a5a071e903ab0d89acf2bad Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:41 +0200
-Subject: [PATCH] obj: Call obj_ops::set with legal attributes only
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 410c245e4811d7888daa456547af58d93d1c63b4
-
-commit 410c245e4811d7888daa456547af58d93d1c63b4
-Author: Phil Sutter
-Date: Thu Mar 7 13:25:31 2024 +0100
-
- obj: Call obj_ops::set with legal attributes only
-
- Refer to obj_ops::nftnl_max_attr field value for the maximum supported
- attribute value to reject invalid ones upfront.
-
- Consequently drop default cases from callbacks' switches which handle
- all supported attributes.
-
-
Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/obj/counter.c | 2 --
- src/obj/ct_expect.c | 2 --
- src/obj/ct_helper.c | 2 --
- src/obj/ct_timeout.c | 2 --
- src/obj/limit.c | 2 --
- src/obj/quota.c | 2 --
- src/obj/secmark.c | 2 --
- src/obj/synproxy.c | 2 --
- src/obj/tunnel.c | 2 --
- src/object.c | 4 +++-
- 10 files changed, 3 insertions(+), 19 deletions(-)
-
-diff --git a/src/obj/counter.c b/src/obj/counter.c
-index 76a1b20..982da2c 100644
---- a/src/obj/counter.c
-+++ b/src/obj/counter.c
-@@ -34,8 +34,6 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_CTR_PKTS:
- memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
-index 7e9c5e1..60014dc 100644
---- a/src/obj/ct_expect.c
-+++ b/src/obj/ct_expect.c
-@@ -35,8 +35,6 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_CT_EXPECT_SIZE:
- memcpy(&exp->size, data, sizeof(exp->size));
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
-index f8aa734..b8b05fd 100644
---- a/src/obj/ct_helper.c
-+++ b/src/obj/ct_helper.c
-@@ -37,8 +37,6 @@ static int nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_CT_HELPER_L4PROTO:
- memcpy(&helper->l4proto, data, sizeof(helper->l4proto));
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
-index ee86231..011d928 100644
---- a/src/obj/ct_timeout.c
-+++ b/src/obj/ct_timeout.c
-@@ -162,8 +162,6 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type,
- memcpy(timeout->timeout, data,
- sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX);
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/limit.c b/src/obj/limit.c
-index 1c54bbc..83cb193 100644
---- a/src/obj/limit.c
-+++ b/src/obj/limit.c
-@@ -42,8 +42,6 @@ static
int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_LIMIT_FLAGS:
- memcpy(&limit->flags, data, sizeof(limit->flags));
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/quota.c b/src/obj/quota.c
-index a39d552..665d7ca 100644
---- a/src/obj/quota.c
-+++ b/src/obj/quota.c
-@@ -36,8 +36,6 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_QUOTA_FLAGS:
- memcpy("a->flags, data, sizeof(quota->flags));
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/secmark.c b/src/obj/secmark.c
-index c78e35f..83cd1dc 100644
---- a/src/obj/secmark.c
-+++ b/src/obj/secmark.c
-@@ -30,8 +30,6 @@ static int nftnl_obj_secmark_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_SECMARK_CTX:
- snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", (const char *)data);
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
-index d259a51..f7c7762 100644
---- a/src/obj/synproxy.c
-+++ b/src/obj/synproxy.c
-@@ -27,8 +27,6 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_SYNPROXY_FLAGS:
- memcpy(&synproxy->flags, data, data_len);
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
-index 19a3639..72985ee 100644
---- a/src/obj/tunnel.c
-+++ b/src/obj/tunnel.c
-@@ -76,8 +76,6 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type,
- case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR:
- memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir));
- break;
-- default:
-- return -1;
- }
- return 0;
- }
-diff --git a/src/object.c b/src/object.c
-index 30e5ee8..52a184e 100644
---- a/src/object.c
-+++ b/src/object.c
-@@ -121,7 +121,9 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
- obj->user.len = data_len;
- break;
- default:
-- if (!obj->ops)
-+ if (!obj->ops ||
-+ attr < NFTNL_OBJ_BASE ||
-+ attr >
obj->ops->nftnl_max_attr)
- return -1;
-
- if (obj->ops->set(obj, attr, data, data_len) < 0)
diff --git a/0025-obj-Introduce-struct-obj_ops-attr_policy.patch b/0025-obj-Introduce-struct-obj_ops-attr_policy.patch
deleted file mode 100644
index 72c9453..0000000
--- a/0025-obj-Introduce-struct-obj_ops-attr_policy.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-From 569a847a23ba79cf67570fc44569cdb3c816f027 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:41 +0200
-Subject: [PATCH] obj: Introduce struct obj_ops::attr_policy
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit f8348db87791bb8061b7f9ecf856e835ab74d006
-
-commit f8348db87791bb8061b7f9ecf856e835ab74d006
-Author: Phil Sutter
-Date: Thu Mar 7 13:46:26 2024 +0100
-
- obj: Introduce struct obj_ops::attr_policy
-
- Just like with struct expr_ops::attr_policy, enable object types to
- inform about restrictions on attribute use. This way generic object code
- may perform sanity checks before dispatching to object ops.
-
-
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/obj.h | 1 + - src/obj/counter.c | 6 ++++++ - src/obj/ct_expect.c | 10 ++++++++++ - src/obj/ct_helper.c | 11 +++++++++++ - src/obj/ct_timeout.c | 7 +++++++ - src/obj/limit.c | 9 +++++++++ - src/obj/quota.c | 7 +++++++ - src/obj/secmark.c | 5 +++++ - src/obj/synproxy.c | 7 +++++++ - src/obj/tunnel.c | 20 ++++++++++++++++++++ - 10 files changed, 83 insertions(+) - -diff --git a/include/obj.h b/include/obj.h -index 6d2af8d..d217737 100644 ---- a/include/obj.h -+++ b/include/obj.h -@@ -105,6 +105,7 @@ struct obj_ops { - uint32_t type; - size_t alloc_len; - int nftnl_max_attr; -+ struct attr_policy *attr_policy; - int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len); - const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len); - int (*parse)(struct nftnl_obj *e, struct nlattr *attr); -diff --git a/src/obj/counter.c b/src/obj/counter.c -index 982da2c..44524d7 100644 ---- a/src/obj/counter.c -+++ b/src/obj/counter.c -@@ -116,11 +116,17 @@ static int nftnl_obj_counter_snprintf(char *buf, size_t len, uint32_t flags, - ctr->pkts, ctr->bytes); - } - -+static struct attr_policy obj_ctr_attr_policy[__NFTNL_OBJ_CTR_MAX] = { -+ [NFTNL_OBJ_CTR_BYTES] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_OBJ_CTR_PKTS] = { .maxlen = sizeof(uint64_t) }, -+}; -+ - struct obj_ops obj_ops_counter = { - .name = "counter", - .type = NFT_OBJECT_COUNTER, - .alloc_len = sizeof(struct nftnl_obj_counter), - .nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1, -+ .attr_policy = obj_ctr_attr_policy, - .set = nftnl_obj_counter_set, - .get = nftnl_obj_counter_get, - .parse = nftnl_obj_counter_parse, -diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c -index 60014dc..978af15 100644 ---- a/src/obj/ct_expect.c -+++ b/src/obj/ct_expect.c -@@ -185,11 +185,21 @@ static int nftnl_obj_ct_expect_snprintf(char *buf, size_t remain, - return offset; - } - -+static struct attr_policy 
-+obj_ct_expect_attr_policy[__NFTNL_OBJ_CT_EXPECT_MAX] = { -+ [NFTNL_OBJ_CT_EXPECT_L3PROTO] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_OBJ_CT_EXPECT_L4PROTO] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_OBJ_CT_EXPECT_DPORT] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_OBJ_CT_EXPECT_TIMEOUT] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_OBJ_CT_EXPECT_SIZE] = { .maxlen = sizeof(uint8_t) }, -+}; -+ - struct obj_ops obj_ops_ct_expect = { - .name = "ct_expect", - .type = NFT_OBJECT_CT_EXPECT, - .alloc_len = sizeof(struct nftnl_obj_ct_expect), - .nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1, -+ .attr_policy = obj_ct_expect_attr_policy, - .set = nftnl_obj_ct_expect_set, - .get = nftnl_obj_ct_expect_get, - .parse = nftnl_obj_ct_expect_parse, -diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c -index b8b05fd..aa8e926 100644 ---- a/src/obj/ct_helper.c -+++ b/src/obj/ct_helper.c -@@ -139,11 +139,22 @@ static int nftnl_obj_ct_helper_snprintf(char *buf, size_t len, - helper->name, helper->l3proto, helper->l4proto); - } - -+/* from kernel's include/net/netfilter/nf_conntrack_helper.h */ -+#define NF_CT_HELPER_NAME_LEN 16 -+ -+static struct attr_policy -+obj_ct_helper_attr_policy[__NFTNL_OBJ_CT_HELPER_MAX] = { -+ [NFTNL_OBJ_CT_HELPER_NAME] = { .maxlen = NF_CT_HELPER_NAME_LEN }, -+ [NFTNL_OBJ_CT_HELPER_L3PROTO] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_OBJ_CT_HELPER_L4PROTO] = { .maxlen = sizeof(uint8_t) }, -+}; -+ - struct obj_ops obj_ops_ct_helper = { - .name = "ct_helper", - .type = NFT_OBJECT_CT_HELPER, - .alloc_len = sizeof(struct nftnl_obj_ct_helper), - .nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1, -+ .attr_policy = obj_ct_helper_attr_policy, - .set = nftnl_obj_ct_helper_set, - .get = nftnl_obj_ct_helper_get, - .parse = nftnl_obj_ct_helper_parse, -diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c -index 011d928..88522d8 100644 ---- a/src/obj/ct_timeout.c -+++ b/src/obj/ct_timeout.c -@@ -308,11 +308,18 @@ static int nftnl_obj_ct_timeout_snprintf(char *buf, 
size_t remain, - return offset; - } - -+static struct attr_policy -+obj_ct_timeout_attr_policy[__NFTNL_OBJ_CT_TIMEOUT_MAX] = { -+ [NFTNL_OBJ_CT_TIMEOUT_L3PROTO] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_OBJ_CT_TIMEOUT_L4PROTO] = { .maxlen = sizeof(uint8_t) }, -+}; -+ - struct obj_ops obj_ops_ct_timeout = { - .name = "ct_timeout", - .type = NFT_OBJECT_CT_TIMEOUT, - .alloc_len = sizeof(struct nftnl_obj_ct_timeout), - .nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1, -+ .attr_policy = obj_ct_timeout_attr_policy, - .set = nftnl_obj_ct_timeout_set, - .get = nftnl_obj_ct_timeout_get, - .parse = nftnl_obj_ct_timeout_parse, -diff --git a/src/obj/limit.c b/src/obj/limit.c -index 83cb193..0c7362e 100644 ---- a/src/obj/limit.c -+++ b/src/obj/limit.c -@@ -157,11 +157,20 @@ static int nftnl_obj_limit_snprintf(char *buf, size_t len, - limit->burst, limit->type, limit->flags); - } - -+static struct attr_policy obj_limit_attr_policy[__NFTNL_OBJ_LIMIT_MAX] = { -+ [NFTNL_OBJ_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_OBJ_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_OBJ_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_OBJ_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) }, -+ [NFTNL_OBJ_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct obj_ops obj_ops_limit = { - .name = "limit", - .type = NFT_OBJECT_LIMIT, - .alloc_len = sizeof(struct nftnl_obj_limit), - .nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1, -+ .attr_policy = obj_limit_attr_policy, - .set = nftnl_obj_limit_set, - .get = nftnl_obj_limit_get, - .parse = nftnl_obj_limit_parse, -diff --git a/src/obj/quota.c b/src/obj/quota.c -index 665d7ca..b48ba91 100644 ---- a/src/obj/quota.c -+++ b/src/obj/quota.c -@@ -133,11 +133,18 @@ static int nftnl_obj_quota_snprintf(char *buf, size_t len, - quota->bytes, quota->flags); - } - -+static struct attr_policy obj_quota_attr_policy[__NFTNL_OBJ_QUOTA_MAX] = { -+ [NFTNL_OBJ_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) }, -+ [NFTNL_OBJ_QUOTA_CONSUMED] = { 
.maxlen = sizeof(uint64_t) }, -+ [NFTNL_OBJ_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct obj_ops obj_ops_quota = { - .name = "quota", - .type = NFT_OBJECT_QUOTA, - .alloc_len = sizeof(struct nftnl_obj_quota), - .nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1, -+ .attr_policy = obj_quota_attr_policy, - .set = nftnl_obj_quota_set, - .get = nftnl_obj_quota_get, - .parse = nftnl_obj_quota_parse, -diff --git a/src/obj/secmark.c b/src/obj/secmark.c -index 83cd1dc..eea9664 100644 ---- a/src/obj/secmark.c -+++ b/src/obj/secmark.c -@@ -105,11 +105,16 @@ static int nftnl_obj_secmark_snprintf(char *buf, size_t len, - return snprintf(buf, len, "context %s ", secmark->ctx); - } - -+static struct attr_policy obj_secmark_attr_policy[__NFTNL_OBJ_SECMARK_MAX] = { -+ [NFTNL_OBJ_SECMARK_CTX] = { .maxlen = NFT_SECMARK_CTX_MAXLEN }, -+}; -+ - struct obj_ops obj_ops_secmark = { - .name = "secmark", - .type = NFT_OBJECT_SECMARK, - .alloc_len = sizeof(struct nftnl_obj_secmark), - .nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1, -+ .attr_policy = obj_secmark_attr_policy, - .set = nftnl_obj_secmark_set, - .get = nftnl_obj_secmark_get, - .parse = nftnl_obj_secmark_parse, -diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c -index f7c7762..65fbcf7 100644 ---- a/src/obj/synproxy.c -+++ b/src/obj/synproxy.c -@@ -132,11 +132,18 @@ static int nftnl_obj_synproxy_snprintf(char *buf, size_t len, - return offset; - } - -+static struct attr_policy obj_synproxy_attr_policy[__NFTNL_OBJ_SYNPROXY_MAX] = { -+ [NFTNL_OBJ_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) }, -+ [NFTNL_OBJ_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) }, -+ [NFTNL_OBJ_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) }, -+}; -+ - struct obj_ops obj_ops_synproxy = { - .name = "synproxy", - .type = NFT_OBJECT_SYNPROXY, - .alloc_len = sizeof(struct nftnl_obj_synproxy), - .nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1, -+ .attr_policy = obj_synproxy_attr_policy, - .set = nftnl_obj_synproxy_set, - .get = 
nftnl_obj_synproxy_get,
- .parse = nftnl_obj_synproxy_parse,
-diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
-index 72985ee..07b3b2a 100644
---- a/src/obj/tunnel.c
-+++ b/src/obj/tunnel.c
-@@ -536,11 +536,31 @@ static int nftnl_obj_tunnel_snprintf(char *buf, size_t len,
- return snprintf(buf, len, "id %u ", tun->id);
- }
-
-+static struct attr_policy obj_tunnel_attr_policy[__NFTNL_OBJ_TUNNEL_MAX] = {
-+ [NFTNL_OBJ_TUNNEL_ID] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_IPV4_SRC] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_IPV4_DST] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_IPV6_SRC] = { .maxlen = sizeof(struct in6_addr) },
-+ [NFTNL_OBJ_TUNNEL_IPV6_DST] = { .maxlen = sizeof(struct in6_addr) },
-+ [NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_SPORT] = { .maxlen = sizeof(uint16_t) },
-+ [NFTNL_OBJ_TUNNEL_DPORT] = { .maxlen = sizeof(uint16_t) },
-+ [NFTNL_OBJ_TUNNEL_FLAGS] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_TOS] = { .maxlen = sizeof(uint8_t) },
-+ [NFTNL_OBJ_TUNNEL_TTL] = { .maxlen = sizeof(uint8_t) },
-+ [NFTNL_OBJ_TUNNEL_VXLAN_GBP] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_ERSPAN_VERSION] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX] = { .maxlen = sizeof(uint32_t) },
-+ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID] = { .maxlen = sizeof(uint8_t) },
-+ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR] = { .maxlen = sizeof(uint8_t) },
-+};
-+
- struct obj_ops obj_ops_tunnel = {
- .name = "tunnel",
- .type = NFT_OBJECT_TUNNEL,
- .alloc_len = sizeof(struct nftnl_obj_tunnel),
- .nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1,
-+ .attr_policy = obj_tunnel_attr_policy,
- .set = nftnl_obj_tunnel_set,
- .get = nftnl_obj_tunnel_get,
- .parse = nftnl_obj_tunnel_parse,
diff --git a/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch b/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch
deleted file mode 100644
index 807af48..0000000
--- a/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c67dacb6c402c95eb6331a36ba1fbca1a3ee2257 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:41 +0200
-Subject: [PATCH] obj: Enforce attr_policy compliance in nftnl_obj_set_data()
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit 5d94baba0f43426120ce025aacaa74406659ad7f
-
-commit 5d94baba0f43426120ce025aacaa74406659ad7f
-Author: Phil Sutter
-Date: Thu Mar 7 13:56:14 2024 +0100
-
- obj: Enforce attr_policy compliance in nftnl_obj_set_data()
-
- Every object type defines an attr_policy array, so deny setting
- attributes for object types which don't have it present or if it
- specifies a non-zero maxlen which is lower than the given data_len.
-
- Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- src/object.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/object.c b/src/object.c
-index 52a184e..b653732 100644
---- a/src/object.c
-+++ b/src/object.c
-@@ -123,7 +123,12 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
- default:
- if (!obj->ops ||
- attr < NFTNL_OBJ_BASE ||
-- attr > obj->ops->nftnl_max_attr)
-+ attr > obj->ops->nftnl_max_attr ||
-+ !obj->ops->attr_policy)
-+ return -1;
-+
-+ if (obj->ops->attr_policy[attr].maxlen &&
-+ obj->ops->attr_policy[attr].maxlen < data_len)
- return -1;
-
- if (obj->ops->set(obj, attr, data, data_len) < 0)
diff --git a/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch b/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch
deleted file mode 100644
index 3c3826d..0000000
--- a/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch
+++ /dev/null
@@ -1,251 +0,0 @@ -From 7285bf672df47b130e4ff3afd481bf4973cede5e Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:41 +0200 -Subject: [PATCH] utils: Introduce and use nftnl_set_str_attr() - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit bb5e75be9d28c37096c90d9ae9fcc7ad0841f2c2 - -commit bb5e75be9d28c37096c90d9ae9fcc7ad0841f2c2 -Author: Phil Sutter -Date: Thu Mar 7 14:07:21 2024 +0100 - - utils: Introduce and use nftnl_set_str_attr() - - The function consolidates the necessary code when assigning to string - pointer attributes, namely: - - * Conditional free of the previous value - * Allocation of new value - * Checking for memory allocation errors - * Setting respective flag bit - - A new feature previously missing in all call sites is respecting - data_len in case the buffer up to that point did not contain a NUL-char. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/chain.c | 36 ++++++++---------------------------- - src/flowtable.c | 17 ++++------------- - src/object.c | 13 ++++--------- - src/rule.c | 18 ++++-------------- - src/set.c | 18 ++++-------------- - src/table.c | 9 ++------- - src/utils.c | 14 ++++++++++++++ - 7 files changed, 40 insertions(+), 85 deletions(-) - -diff --git a/src/chain.c b/src/chain.c -index e0b1eaf..c7026f4 100644 ---- a/src/chain.c -+++ b/src/chain.c -@@ -217,21 +217,11 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, - - switch(attr) { - case NFTNL_CHAIN_NAME: -- if (c->flags & (1 << NFTNL_CHAIN_NAME)) -- xfree(c->name); -- -- c->name = strdup(data); -- if (!c->name) -- return -1; -- break; -+ return nftnl_set_str_attr(&c->name, &c->flags, -+ attr, data, data_len); - case NFTNL_CHAIN_TABLE: -- if (c->flags & (1 << NFTNL_CHAIN_TABLE)) -- xfree(c->table); -- -- c->table = strdup(data); -- if (!c->table) -- return -1; -- break; -+ return nftnl_set_str_attr(&c->table, &c->flags, -+ attr, data, data_len); - case NFTNL_CHAIN_HOOKNUM: - memcpy(&c->hooknum, data, sizeof(c->hooknum)); - break; -@@ -257,21 +247,11 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, - memcpy(&c->family, data, sizeof(c->family)); - break; - case NFTNL_CHAIN_TYPE: -- if (c->flags & (1 << NFTNL_CHAIN_TYPE)) -- xfree(c->type); -- -- c->type = strdup(data); -- if (!c->type) -- return -1; -- break; -+ return nftnl_set_str_attr(&c->type, &c->flags, -+ attr, data, data_len); - case NFTNL_CHAIN_DEV: -- if (c->flags & (1 << NFTNL_CHAIN_DEV)) -- xfree(c->dev); -- -- c->dev = strdup(data); -- if (!c->dev) -- return -1; -- break; -+ return nftnl_set_str_attr(&c->dev, &c->flags, -+ attr, data, data_len); - case NFTNL_CHAIN_DEVICES: - dev_array = (const char **)data; - while (dev_array[len] != NULL) -diff --git a/src/flowtable.c b/src/flowtable.c -index 2f37cd4..41a1456 100644 ---- a/src/flowtable.c -+++ b/src/flowtable.c -@@ -119,20 
+119,11 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr, - - switch(attr) { - case NFTNL_FLOWTABLE_NAME: -- if (c->flags & (1 << NFTNL_FLOWTABLE_NAME)) -- xfree(c->name); -- -- c->name = strdup(data); -- if (!c->name) -- return -1; -- break; -+ return nftnl_set_str_attr(&c->name, &c->flags, -+ attr, data, data_len); - case NFTNL_FLOWTABLE_TABLE: -- if (c->flags & (1 << NFTNL_FLOWTABLE_TABLE)) -- xfree(c->table); -- -- c->table = strdup(data); -- if (!c->table) -- return -1; -+ return nftnl_set_str_attr(&c->table, &c->flags, -+ attr, data, data_len); - break; - case NFTNL_FLOWTABLE_HOOKNUM: - memcpy(&c->hooknum, data, sizeof(c->hooknum)); -diff --git a/src/object.c b/src/object.c -index b653732..79b41eb 100644 ---- a/src/object.c -+++ b/src/object.c -@@ -85,17 +85,12 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, - - switch (attr) { - case NFTNL_OBJ_TABLE: -- xfree(obj->table); -- obj->table = strdup(data); -- if (!obj->table) -- return -1; -+ return nftnl_set_str_attr(&obj->table, &obj->flags, -+ attr, data, data_len); - break; - case NFTNL_OBJ_NAME: -- xfree(obj->name); -- obj->name = strdup(data); -- if (!obj->name) -- return -1; -- break; -+ return nftnl_set_str_attr(&obj->name, &obj->flags, -+ attr, data, data_len); - case NFTNL_OBJ_TYPE: - obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data)); - if (!obj->ops) -diff --git a/src/rule.c b/src/rule.c -index a52012b..e16e2c1 100644 ---- a/src/rule.c -+++ b/src/rule.c -@@ -115,21 +115,11 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, - - switch(attr) { - case NFTNL_RULE_TABLE: -- if (r->flags & (1 << NFTNL_RULE_TABLE)) -- xfree(r->table); -- -- r->table = strdup(data); -- if (!r->table) -- return -1; -- break; -+ return nftnl_set_str_attr(&r->table, &r->flags, -+ attr, data, data_len); - case NFTNL_RULE_CHAIN: -- if (r->flags & (1 << NFTNL_RULE_CHAIN)) -- xfree(r->chain); -- -- r->chain = strdup(data); -- if (!r->chain) -- return -1; -- break; -+ return 
nftnl_set_str_attr(&r->chain, &r->flags, -+ attr, data, data_len); - case NFTNL_RULE_HANDLE: - memcpy(&r->handle, data, sizeof(r->handle)); - break; -diff --git a/src/set.c b/src/set.c -index a732bc0..07e332d 100644 ---- a/src/set.c -+++ b/src/set.c -@@ -146,21 +146,11 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, - - switch(attr) { - case NFTNL_SET_TABLE: -- if (s->flags & (1 << NFTNL_SET_TABLE)) -- xfree(s->table); -- -- s->table = strdup(data); -- if (!s->table) -- return -1; -- break; -+ return nftnl_set_str_attr(&s->table, &s->flags, -+ attr, data, data_len); - case NFTNL_SET_NAME: -- if (s->flags & (1 << NFTNL_SET_NAME)) -- xfree(s->name); -- -- s->name = strdup(data); -- if (!s->name) -- return -1; -- break; -+ return nftnl_set_str_attr(&s->name, &s->flags, -+ attr, data, data_len); - case NFTNL_SET_HANDLE: - memcpy(&s->handle, data, sizeof(s->handle)); - break; -diff --git a/src/table.c b/src/table.c -index 4f48e8c..13f01cf 100644 ---- a/src/table.c -+++ b/src/table.c -@@ -101,13 +101,8 @@ int nftnl_table_set_data(struct nftnl_table *t, uint16_t attr, - - switch (attr) { - case NFTNL_TABLE_NAME: -- if (t->flags & (1 << NFTNL_TABLE_NAME)) -- xfree(t->name); -- -- t->name = strdup(data); -- if (!t->name) -- return -1; -- break; -+ return nftnl_set_str_attr(&t->name, &t->flags, -+ attr, data, data_len); - case NFTNL_TABLE_HANDLE: - memcpy(&t->handle, data, sizeof(t->handle)); - break; -diff --git a/src/utils.c b/src/utils.c -index 3617837..a0f03da 100644 ---- a/src/utils.c -+++ b/src/utils.c -@@ -330,3 +330,17 @@ void __noreturn __abi_breakage(const char *file, int line, const char *reason) - "%s:%d reason: %s\n", file, line, reason); - exit(EXIT_FAILURE); - } -+ -+int nftnl_set_str_attr(const char **dptr, uint32_t *flags, -+ uint16_t attr, const void *data, uint32_t data_len) -+{ -+ if (*flags & (1 << attr)) -+ xfree(*dptr); -+ -+ *dptr = strndup(data, data_len); -+ if (!*dptr) -+ return -1; -+ -+ *flags |= (1 << attr); -+ 
return 0;
-+}
diff --git a/0028-obj-Respect-data_len-when-setting-attributes.patch b/0028-obj-Respect-data_len-when-setting-attributes.patch
deleted file mode 100644
index 5b18830..0000000
--- a/0028-obj-Respect-data_len-when-setting-attributes.patch
+++ /dev/null
@@ -1,234 +0,0 @@
-From a75cd0ecf866513625346ddfcedb366af91e6f03 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:39:41 +0200
-Subject: [PATCH] obj: Respect data_len when setting attributes
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit c48ac8cba8716a8bc4ff713ee965eee2643cfc31
-
-commit c48ac8cba8716a8bc4ff713ee965eee2643cfc31
-Author: Phil Sutter
-Date: Thu Mar 7 14:34:18 2024 +0100
-
- obj: Respect data_len when setting attributes
-
- With attr_policy in place, data_len has an upper boundary. Use it for
- memcpy() calls to cover for caller passing data with lower size than the
- attribute's storage.
-
-
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/obj/counter.c | 4 ++-- - src/obj/ct_expect.c | 10 +++++----- - src/obj/ct_helper.c | 4 ++-- - src/obj/ct_timeout.c | 4 ++-- - src/obj/limit.c | 10 +++++----- - src/obj/quota.c | 6 +++--- - src/obj/tunnel.c | 32 ++++++++++++++++---------------- - 7 files changed, 35 insertions(+), 35 deletions(-) - -diff --git a/src/obj/counter.c b/src/obj/counter.c -index 44524d7..19e09ed 100644 ---- a/src/obj/counter.c -+++ b/src/obj/counter.c -@@ -29,10 +29,10 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type, - - switch(type) { - case NFTNL_OBJ_CTR_BYTES: -- memcpy(&ctr->bytes, data, sizeof(ctr->bytes)); -+ memcpy(&ctr->bytes, data, data_len); - break; - case NFTNL_OBJ_CTR_PKTS: -- memcpy(&ctr->pkts, data, sizeof(ctr->pkts)); -+ memcpy(&ctr->pkts, data, data_len); - break; - } - return 0; -diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c -index 978af15..b4d6faa 100644 ---- a/src/obj/ct_expect.c -+++ b/src/obj/ct_expect.c -@@ -21,19 +21,19 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type, - - switch (type) { - case NFTNL_OBJ_CT_EXPECT_L3PROTO: -- memcpy(&exp->l3proto, data, sizeof(exp->l3proto)); -+ memcpy(&exp->l3proto, data, data_len); - break; - case NFTNL_OBJ_CT_EXPECT_L4PROTO: -- memcpy(&exp->l4proto, data, sizeof(exp->l4proto)); -+ memcpy(&exp->l4proto, data, data_len); - break; - case NFTNL_OBJ_CT_EXPECT_DPORT: -- memcpy(&exp->dport, data, sizeof(exp->dport)); -+ memcpy(&exp->dport, data, data_len); - break; - case NFTNL_OBJ_CT_EXPECT_TIMEOUT: -- memcpy(&exp->timeout, data, sizeof(exp->timeout)); -+ memcpy(&exp->timeout, data, data_len); - break; - case NFTNL_OBJ_CT_EXPECT_SIZE: -- memcpy(&exp->size, data, sizeof(exp->size)); -+ memcpy(&exp->size, data, data_len); - break; - } - return 0; -diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c -index aa8e926..1feccf2 100644 ---- a/src/obj/ct_helper.c -+++ b/src/obj/ct_helper.c -@@ -32,10 +32,10 @@ static int 
nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type, - snprintf(helper->name, sizeof(helper->name), "%s", (const char *)data); - break; - case NFTNL_OBJ_CT_HELPER_L3PROTO: -- memcpy(&helper->l3proto, data, sizeof(helper->l3proto)); -+ memcpy(&helper->l3proto, data, data_len); - break; - case NFTNL_OBJ_CT_HELPER_L4PROTO: -- memcpy(&helper->l4proto, data, sizeof(helper->l4proto)); -+ memcpy(&helper->l4proto, data, data_len); - break; - } - return 0; -diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c -index 88522d8..b9b688e 100644 ---- a/src/obj/ct_timeout.c -+++ b/src/obj/ct_timeout.c -@@ -150,10 +150,10 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type, - - switch (type) { - case NFTNL_OBJ_CT_TIMEOUT_L3PROTO: -- memcpy(&timeout->l3proto, data, sizeof(timeout->l3proto)); -+ memcpy(&timeout->l3proto, data, data_len); - break; - case NFTNL_OBJ_CT_TIMEOUT_L4PROTO: -- memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto)); -+ memcpy(&timeout->l4proto, data, data_len); - break; - case NFTNL_OBJ_CT_TIMEOUT_ARRAY: - if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX) -diff --git a/src/obj/limit.c b/src/obj/limit.c -index 0c7362e..cbf30b4 100644 ---- a/src/obj/limit.c -+++ b/src/obj/limit.c -@@ -28,19 +28,19 @@ static int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type, - - switch (type) { - case NFTNL_OBJ_LIMIT_RATE: -- memcpy(&limit->rate, data, sizeof(limit->rate)); -+ memcpy(&limit->rate, data, data_len); - break; - case NFTNL_OBJ_LIMIT_UNIT: -- memcpy(&limit->unit, data, sizeof(limit->unit)); -+ memcpy(&limit->unit, data, data_len); - break; - case NFTNL_OBJ_LIMIT_BURST: -- memcpy(&limit->burst, data, sizeof(limit->burst)); -+ memcpy(&limit->burst, data, data_len); - break; - case NFTNL_OBJ_LIMIT_TYPE: -- memcpy(&limit->type, data, sizeof(limit->type)); -+ memcpy(&limit->type, data, data_len); - break; - case NFTNL_OBJ_LIMIT_FLAGS: -- memcpy(&limit->flags, data, sizeof(limit->flags)); -+ memcpy(&limit->flags, 
data, data_len); - break; - } - return 0; -diff --git a/src/obj/quota.c b/src/obj/quota.c -index b48ba91..526db8e 100644 ---- a/src/obj/quota.c -+++ b/src/obj/quota.c -@@ -28,13 +28,13 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type, - - switch (type) { - case NFTNL_OBJ_QUOTA_BYTES: -- memcpy("a->bytes, data, sizeof(quota->bytes)); -+ memcpy("a->bytes, data, data_len); - break; - case NFTNL_OBJ_QUOTA_CONSUMED: -- memcpy("a->consumed, data, sizeof(quota->consumed)); -+ memcpy("a->consumed, data, data_len); - break; - case NFTNL_OBJ_QUOTA_FLAGS: -- memcpy("a->flags, data, sizeof(quota->flags)); -+ memcpy("a->flags, data, data_len); - break; - } - return 0; -diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c -index 07b3b2a..0309410 100644 ---- a/src/obj/tunnel.c -+++ b/src/obj/tunnel.c -@@ -29,52 +29,52 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type, - - switch (type) { - case NFTNL_OBJ_TUNNEL_ID: -- memcpy(&tun->id, data, sizeof(tun->id)); -+ memcpy(&tun->id, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_IPV4_SRC: -- memcpy(&tun->src_v4, data, sizeof(tun->src_v4)); -+ memcpy(&tun->src_v4, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_IPV4_DST: -- memcpy(&tun->dst_v4, data, sizeof(tun->dst_v4)); -+ memcpy(&tun->dst_v4, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_IPV6_SRC: -- memcpy(&tun->src_v6, data, sizeof(struct in6_addr)); -+ memcpy(&tun->src_v6, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_IPV6_DST: -- memcpy(&tun->dst_v6, data, sizeof(struct in6_addr)); -+ memcpy(&tun->dst_v6, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL: -- memcpy(&tun->flowlabel, data, sizeof(tun->flowlabel)); -+ memcpy(&tun->flowlabel, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_SPORT: -- memcpy(&tun->sport, data, sizeof(tun->sport)); -+ memcpy(&tun->sport, data, data_len); - break; - case NFTNL_OBJ_TUNNEL_DPORT: -- memcpy(&tun->dport, data, sizeof(tun->dport)); -+ memcpy(&tun->dport, data, data_len); - break; - case 
NFTNL_OBJ_TUNNEL_FLAGS:
-- memcpy(&tun->tun_flags, data, sizeof(tun->tun_flags));
-+ memcpy(&tun->tun_flags, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_TOS:
-- memcpy(&tun->tun_tos, data, sizeof(tun->tun_tos));
-+ memcpy(&tun->tun_tos, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_TTL:
-- memcpy(&tun->tun_ttl, data, sizeof(tun->tun_ttl));
-+ memcpy(&tun->tun_ttl, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_VXLAN_GBP:
-- memcpy(&tun->u.tun_vxlan.gbp, data, sizeof(tun->u.tun_vxlan.gbp));
-+ memcpy(&tun->u.tun_vxlan.gbp, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_ERSPAN_VERSION:
-- memcpy(&tun->u.tun_erspan.version, data, sizeof(tun->u.tun_erspan.version));
-+ memcpy(&tun->u.tun_erspan.version, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX:
-- memcpy(&tun->u.tun_erspan.u.v1_index, data, sizeof(tun->u.tun_erspan.u.v1_index));
-+ memcpy(&tun->u.tun_erspan.u.v1_index, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID:
-- memcpy(&tun->u.tun_erspan.u.v2.hwid, data, sizeof(tun->u.tun_erspan.u.v2.hwid));
-+ memcpy(&tun->u.tun_erspan.u.v2.hwid, data, data_len);
- break;
- case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR:
-- memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir));
-+ memcpy(&tun->u.tun_erspan.u.v2.dir, data, data_len);
- break;
- }
- return 0;
diff --git a/0029-expr-Respect-data_len-when-setting-attributes.patch b/0029-expr-Respect-data_len-when-setting-attributes.patch
deleted file mode 100644
index dd237e9..0000000
--- a/0029-expr-Respect-data_len-when-setting-attributes.patch
+++ /dev/null
@@ -1,968 +0,0 @@ -From e1a4cfec3462db1a91788f74d4d083c4c4b63788 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 8 May 2024 22:39:41 +0200 -Subject: [PATCH] expr: Respect data_len when setting attributes - -JIRA: https://issues.redhat.com/browse/RHEL-28515 -Upstream Status: libnftnl commit be0bae0ad31b0adb506f96de083f52a2bd0d4fbf - -commit be0bae0ad31b0adb506f96de083f52a2bd0d4fbf -Author: Phil Sutter -Date: Thu Mar 7 14:49:08 2024 +0100 - - expr: Respect data_len when setting attributes - - With attr_policy in place, data_len has an upper boundary but it may be - lower than the attribute's storage area in which case memcpy() would - read garbage. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/expr/bitwise.c | 8 ++++---- - src/expr/byteorder.c | 10 +++++----- - src/expr/cmp.c | 4 ++-- - src/expr/connlimit.c | 4 ++-- - src/expr/counter.c | 4 ++-- - src/expr/ct.c | 8 ++++---- - src/expr/dup.c | 4 ++-- - src/expr/dynset.c | 12 ++++++------ - src/expr/exthdr.c | 14 +++++++------- - src/expr/fib.c | 6 +++--- - src/expr/fwd.c | 6 +++--- - src/expr/hash.c | 14 +++++++------- - src/expr/immediate.c | 6 +++--- - src/expr/inner.c | 6 +++--- - src/expr/last.c | 4 ++-- - src/expr/limit.c | 10 +++++----- - src/expr/log.c | 10 +++++----- - src/expr/lookup.c | 8 ++++---- - src/expr/masq.c | 6 +++--- - src/expr/match.c | 2 +- - src/expr/meta.c | 6 +++--- - src/expr/nat.c | 14 +++++++------- - src/expr/numgen.c | 8 ++++---- - src/expr/objref.c | 6 +++--- - src/expr/osf.c | 6 +++--- - src/expr/payload.c | 16 ++++++++-------- - src/expr/queue.c | 8 ++++---- - src/expr/quota.c | 6 +++--- - src/expr/range.c | 4 ++-- - src/expr/redir.c | 6 +++--- - src/expr/reject.c | 4 ++-- - src/expr/rt.c | 4 ++-- - src/expr/socket.c | 6 +++--- - src/expr/synproxy.c | 6 +++--- - src/expr/target.c | 2 +- - src/expr/tproxy.c | 6 +++--- - src/expr/tunnel.c | 4 ++-- - src/expr/xfrm.c | 8 ++++---- - 38 files changed, 133 insertions(+), 133 deletions(-) - -diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c -index dab1690..e99131a 100644 ---- a/src/expr/bitwise.c -+++ b/src/expr/bitwise.c -@@ -39,16 +39,16 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_BITWISE_SREG: -- memcpy(&bitwise->sreg, data, sizeof(bitwise->sreg)); -+ memcpy(&bitwise->sreg, data, data_len); - break; - case NFTNL_EXPR_BITWISE_DREG: -- memcpy(&bitwise->dreg, data, sizeof(bitwise->dreg)); -+ memcpy(&bitwise->dreg, data, data_len); - break; - case NFTNL_EXPR_BITWISE_OP: -- memcpy(&bitwise->op, data, sizeof(bitwise->op)); -+ memcpy(&bitwise->op, data, data_len); - break; - case NFTNL_EXPR_BITWISE_LEN: -- 
memcpy(&bitwise->len, data, sizeof(bitwise->len)); -+ memcpy(&bitwise->len, data, data_len); - break; - case NFTNL_EXPR_BITWISE_MASK: - return nftnl_data_cpy(&bitwise->mask, data, data_len); -diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c -index d4e85a8..383e80d 100644 ---- a/src/expr/byteorder.c -+++ b/src/expr/byteorder.c -@@ -37,19 +37,19 @@ nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_BYTEORDER_SREG: -- memcpy(&byteorder->sreg, data, sizeof(byteorder->sreg)); -+ memcpy(&byteorder->sreg, data, data_len); - break; - case NFTNL_EXPR_BYTEORDER_DREG: -- memcpy(&byteorder->dreg, data, sizeof(byteorder->dreg)); -+ memcpy(&byteorder->dreg, data, data_len); - break; - case NFTNL_EXPR_BYTEORDER_OP: -- memcpy(&byteorder->op, data, sizeof(byteorder->op)); -+ memcpy(&byteorder->op, data, data_len); - break; - case NFTNL_EXPR_BYTEORDER_LEN: -- memcpy(&byteorder->len, data, sizeof(byteorder->len)); -+ memcpy(&byteorder->len, data, data_len); - break; - case NFTNL_EXPR_BYTEORDER_SIZE: -- memcpy(&byteorder->size, data, sizeof(byteorder->size)); -+ memcpy(&byteorder->size, data, data_len); - break; - } - return 0; -diff --git a/src/expr/cmp.c b/src/expr/cmp.c -index 2937d7e..d1f0f64 100644 ---- a/src/expr/cmp.c -+++ b/src/expr/cmp.c -@@ -36,10 +36,10 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_CMP_SREG: -- memcpy(&cmp->sreg, data, sizeof(cmp->sreg)); -+ memcpy(&cmp->sreg, data, data_len); - break; - case NFTNL_EXPR_CMP_OP: -- memcpy(&cmp->op, data, sizeof(cmp->op)); -+ memcpy(&cmp->op, data, data_len); - break; - case NFTNL_EXPR_CMP_DATA: - return nftnl_data_cpy(&cmp->data, data, data_len); -diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c -index 1c78c71..fcac8bf 100644 ---- a/src/expr/connlimit.c -+++ b/src/expr/connlimit.c -@@ -33,10 +33,10 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case 
NFTNL_EXPR_CONNLIMIT_COUNT: -- memcpy(&connlimit->count, data, sizeof(connlimit->count)); -+ memcpy(&connlimit->count, data, data_len); - break; - case NFTNL_EXPR_CONNLIMIT_FLAGS: -- memcpy(&connlimit->flags, data, sizeof(connlimit->flags)); -+ memcpy(&connlimit->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/counter.c b/src/expr/counter.c -index 2c6f2a7..cef9119 100644 ---- a/src/expr/counter.c -+++ b/src/expr/counter.c -@@ -35,10 +35,10 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_CTR_BYTES: -- memcpy(&ctr->bytes, data, sizeof(ctr->bytes)); -+ memcpy(&ctr->bytes, data, data_len); - break; - case NFTNL_EXPR_CTR_PACKETS: -- memcpy(&ctr->pkts, data, sizeof(ctr->pkts)); -+ memcpy(&ctr->pkts, data, data_len); - break; - } - return 0; -diff --git a/src/expr/ct.c b/src/expr/ct.c -index f7dd40d..bea0522 100644 ---- a/src/expr/ct.c -+++ b/src/expr/ct.c -@@ -39,16 +39,16 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_CT_KEY: -- memcpy(&ct->key, data, sizeof(ct->key)); -+ memcpy(&ct->key, data, data_len); - break; - case NFTNL_EXPR_CT_DIR: -- memcpy(&ct->dir, data, sizeof(ct->dir)); -+ memcpy(&ct->dir, data, data_len); - break; - case NFTNL_EXPR_CT_DREG: -- memcpy(&ct->dreg, data, sizeof(ct->dreg)); -+ memcpy(&ct->dreg, data, data_len); - break; - case NFTNL_EXPR_CT_SREG: -- memcpy(&ct->sreg, data, sizeof(ct->sreg)); -+ memcpy(&ct->sreg, data, data_len); - break; - } - return 0; -diff --git a/src/expr/dup.c b/src/expr/dup.c -index 6a5e4ca..28d686b 100644 ---- a/src/expr/dup.c -+++ b/src/expr/dup.c -@@ -32,10 +32,10 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_DUP_SREG_ADDR: -- memcpy(&dup->sreg_addr, data, sizeof(dup->sreg_addr)); -+ memcpy(&dup->sreg_addr, data, data_len); - break; - case NFTNL_EXPR_DUP_SREG_DEV: -- memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev)); -+ 
memcpy(&dup->sreg_dev, data, data_len); - break; - } - return 0; -diff --git a/src/expr/dynset.c b/src/expr/dynset.c -index c1f79b5..8a159f8 100644 ---- a/src/expr/dynset.c -+++ b/src/expr/dynset.c -@@ -41,16 +41,16 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_DYNSET_SREG_KEY: -- memcpy(&dynset->sreg_key, data, sizeof(dynset->sreg_key)); -+ memcpy(&dynset->sreg_key, data, data_len); - break; - case NFTNL_EXPR_DYNSET_SREG_DATA: -- memcpy(&dynset->sreg_data, data, sizeof(dynset->sreg_data)); -+ memcpy(&dynset->sreg_data, data, data_len); - break; - case NFTNL_EXPR_DYNSET_OP: -- memcpy(&dynset->op, data, sizeof(dynset->op)); -+ memcpy(&dynset->op, data, data_len); - break; - case NFTNL_EXPR_DYNSET_TIMEOUT: -- memcpy(&dynset->timeout, data, sizeof(dynset->timeout)); -+ memcpy(&dynset->timeout, data, data_len); - break; - case NFTNL_EXPR_DYNSET_SET_NAME: - dynset->set_name = strdup((const char *)data); -@@ -58,7 +58,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type, - return -1; - break; - case NFTNL_EXPR_DYNSET_SET_ID: -- memcpy(&dynset->set_id, data, sizeof(dynset->set_id)); -+ memcpy(&dynset->set_id, data, data_len); - break; - case NFTNL_EXPR_DYNSET_EXPR: - list_for_each_entry_safe(expr, next, &dynset->expr_list, head) -@@ -68,7 +68,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type, - list_add(&expr->head, &dynset->expr_list); - break; - case NFTNL_EXPR_DYNSET_FLAGS: -- memcpy(&dynset->dynset_flags, data, sizeof(dynset->dynset_flags)); -+ memcpy(&dynset->dynset_flags, data, data_len); - break; - default: - return -1; -diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c -index 93b7521..453902c 100644 ---- a/src/expr/exthdr.c -+++ b/src/expr/exthdr.c -@@ -46,25 +46,25 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_EXTHDR_DREG: -- memcpy(&exthdr->dreg, data, sizeof(exthdr->dreg)); -+ memcpy(&exthdr->dreg, data, data_len); - break; - case 
NFTNL_EXPR_EXTHDR_TYPE: -- memcpy(&exthdr->type, data, sizeof(exthdr->type)); -+ memcpy(&exthdr->type, data, data_len); - break; - case NFTNL_EXPR_EXTHDR_OFFSET: -- memcpy(&exthdr->offset, data, sizeof(exthdr->offset)); -+ memcpy(&exthdr->offset, data, data_len); - break; - case NFTNL_EXPR_EXTHDR_LEN: -- memcpy(&exthdr->len, data, sizeof(exthdr->len)); -+ memcpy(&exthdr->len, data, data_len); - break; - case NFTNL_EXPR_EXTHDR_OP: -- memcpy(&exthdr->op, data, sizeof(exthdr->op)); -+ memcpy(&exthdr->op, data, data_len); - break; - case NFTNL_EXPR_EXTHDR_FLAGS: -- memcpy(&exthdr->flags, data, sizeof(exthdr->flags)); -+ memcpy(&exthdr->flags, data, data_len); - break; - case NFTNL_EXPR_EXTHDR_SREG: -- memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg)); -+ memcpy(&exthdr->sreg, data, data_len); - break; - } - return 0; -diff --git a/src/expr/fib.c b/src/expr/fib.c -index 5f7bef4..20bc125 100644 ---- a/src/expr/fib.c -+++ b/src/expr/fib.c -@@ -35,13 +35,13 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result, - - switch (result) { - case NFTNL_EXPR_FIB_RESULT: -- memcpy(&fib->result, data, sizeof(fib->result)); -+ memcpy(&fib->result, data, data_len); - break; - case NFTNL_EXPR_FIB_DREG: -- memcpy(&fib->dreg, data, sizeof(fib->dreg)); -+ memcpy(&fib->dreg, data, data_len); - break; - case NFTNL_EXPR_FIB_FLAGS: -- memcpy(&fib->flags, data, sizeof(fib->flags)); -+ memcpy(&fib->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/fwd.c b/src/expr/fwd.c -index 566d6f4..04cb089 100644 ---- a/src/expr/fwd.c -+++ b/src/expr/fwd.c -@@ -33,13 +33,13 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_FWD_SREG_DEV: -- memcpy(&fwd->sreg_dev, data, sizeof(fwd->sreg_dev)); -+ memcpy(&fwd->sreg_dev, data, data_len); - break; - case NFTNL_EXPR_FWD_SREG_ADDR: -- memcpy(&fwd->sreg_addr, data, sizeof(fwd->sreg_addr)); -+ memcpy(&fwd->sreg_addr, data, data_len); - break; - case NFTNL_EXPR_FWD_NFPROTO: -- 
memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto)); -+ memcpy(&fwd->nfproto, data, data_len); - break; - } - return 0; -diff --git a/src/expr/hash.c b/src/expr/hash.c -index 4cd9006..eb44b2e 100644 ---- a/src/expr/hash.c -+++ b/src/expr/hash.c -@@ -37,25 +37,25 @@ nftnl_expr_hash_set(struct nftnl_expr *e, uint16_t type, - struct nftnl_expr_hash *hash = nftnl_expr_data(e); - switch (type) { - case NFTNL_EXPR_HASH_SREG: -- memcpy(&hash->sreg, data, sizeof(hash->sreg)); -+ memcpy(&hash->sreg, data, data_len); - break; - case NFTNL_EXPR_HASH_DREG: -- memcpy(&hash->dreg, data, sizeof(hash->dreg)); -+ memcpy(&hash->dreg, data, data_len); - break; - case NFTNL_EXPR_HASH_LEN: -- memcpy(&hash->len, data, sizeof(hash->len)); -+ memcpy(&hash->len, data, data_len); - break; - case NFTNL_EXPR_HASH_MODULUS: -- memcpy(&hash->modulus, data, sizeof(hash->modulus)); -+ memcpy(&hash->modulus, data, data_len); - break; - case NFTNL_EXPR_HASH_SEED: -- memcpy(&hash->seed, data, sizeof(hash->seed)); -+ memcpy(&hash->seed, data, data_len); - break; - case NFTNL_EXPR_HASH_OFFSET: -- memcpy(&hash->offset, data, sizeof(hash->offset)); -+ memcpy(&hash->offset, data, data_len); - break; - case NFTNL_EXPR_HASH_TYPE: -- memcpy(&hash->type, data, sizeof(hash->type)); -+ memcpy(&hash->type, data, data_len); - break; - default: - return -1; -diff --git a/src/expr/immediate.c b/src/expr/immediate.c -index 8645ab3..b2400e7 100644 ---- a/src/expr/immediate.c -+++ b/src/expr/immediate.c -@@ -33,12 +33,12 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_IMM_DREG: -- memcpy(&imm->dreg, data, sizeof(imm->dreg)); -+ memcpy(&imm->dreg, data, data_len); - break; - case NFTNL_EXPR_IMM_DATA: - return nftnl_data_cpy(&imm->data, data, data_len); - case NFTNL_EXPR_IMM_VERDICT: -- memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict)); -+ memcpy(&imm->data.verdict, data, data_len); - break; - case NFTNL_EXPR_IMM_CHAIN: - if (e->flags & (1 << 
NFTNL_EXPR_IMM_CHAIN)) -@@ -49,7 +49,7 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type, - return -1; - break; - case NFTNL_EXPR_IMM_CHAIN_ID: -- memcpy(&imm->data.chain_id, data, sizeof(uint32_t)); -+ memcpy(&imm->data.chain_id, data, data_len); - break; - } - return 0; -diff --git a/src/expr/inner.c b/src/expr/inner.c -index 45ef4fb..4f66e94 100644 ---- a/src/expr/inner.c -+++ b/src/expr/inner.c -@@ -45,13 +45,13 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_INNER_TYPE: -- memcpy(&inner->type, data, sizeof(inner->type)); -+ memcpy(&inner->type, data, data_len); - break; - case NFTNL_EXPR_INNER_FLAGS: -- memcpy(&inner->flags, data, sizeof(inner->flags)); -+ memcpy(&inner->flags, data, data_len); - break; - case NFTNL_EXPR_INNER_HDRSIZE: -- memcpy(&inner->hdrsize, data, sizeof(inner->hdrsize)); -+ memcpy(&inner->hdrsize, data, data_len); - break; - case NFTNL_EXPR_INNER_EXPR: - if (inner->expr) -diff --git a/src/expr/last.c b/src/expr/last.c -index 074f463..8e5b88e 100644 ---- a/src/expr/last.c -+++ b/src/expr/last.c -@@ -32,10 +32,10 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_LAST_MSECS: -- memcpy(&last->msecs, data, sizeof(last->msecs)); -+ memcpy(&last->msecs, data, data_len); - break; - case NFTNL_EXPR_LAST_SET: -- memcpy(&last->set, data, sizeof(last->set)); -+ memcpy(&last->set, data, data_len); - break; - } - return 0; -diff --git a/src/expr/limit.c b/src/expr/limit.c -index 935d449..9d02592 100644 ---- a/src/expr/limit.c -+++ b/src/expr/limit.c -@@ -38,19 +38,19 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_LIMIT_RATE: -- memcpy(&limit->rate, data, sizeof(limit->rate)); -+ memcpy(&limit->rate, data, data_len); - break; - case NFTNL_EXPR_LIMIT_UNIT: -- memcpy(&limit->unit, data, sizeof(limit->unit)); -+ memcpy(&limit->unit, data, data_len); - break; - case 
NFTNL_EXPR_LIMIT_BURST: -- memcpy(&limit->burst, data, sizeof(limit->burst)); -+ memcpy(&limit->burst, data, data_len); - break; - case NFTNL_EXPR_LIMIT_TYPE: -- memcpy(&limit->type, data, sizeof(limit->type)); -+ memcpy(&limit->type, data, data_len); - break; - case NFTNL_EXPR_LIMIT_FLAGS: -- memcpy(&limit->flags, data, sizeof(limit->flags)); -+ memcpy(&limit->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/log.c b/src/expr/log.c -index d6d6910..18ec2b6 100644 ---- a/src/expr/log.c -+++ b/src/expr/log.c -@@ -46,19 +46,19 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type, - return -1; - break; - case NFTNL_EXPR_LOG_GROUP: -- memcpy(&log->group, data, sizeof(log->group)); -+ memcpy(&log->group, data, data_len); - break; - case NFTNL_EXPR_LOG_SNAPLEN: -- memcpy(&log->snaplen, data, sizeof(log->snaplen)); -+ memcpy(&log->snaplen, data, data_len); - break; - case NFTNL_EXPR_LOG_QTHRESHOLD: -- memcpy(&log->qthreshold, data, sizeof(log->qthreshold)); -+ memcpy(&log->qthreshold, data, data_len); - break; - case NFTNL_EXPR_LOG_LEVEL: -- memcpy(&log->level, data, sizeof(log->level)); -+ memcpy(&log->level, data, data_len); - break; - case NFTNL_EXPR_LOG_FLAGS: -- memcpy(&log->flags, data, sizeof(log->flags)); -+ memcpy(&log->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/lookup.c b/src/expr/lookup.c -index be04528..21a7fce 100644 ---- a/src/expr/lookup.c -+++ b/src/expr/lookup.c -@@ -37,10 +37,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_LOOKUP_SREG: -- memcpy(&lookup->sreg, data, sizeof(lookup->sreg)); -+ memcpy(&lookup->sreg, data, data_len); - break; - case NFTNL_EXPR_LOOKUP_DREG: -- memcpy(&lookup->dreg, data, sizeof(lookup->dreg)); -+ memcpy(&lookup->dreg, data, data_len); - break; - case NFTNL_EXPR_LOOKUP_SET: - lookup->set_name = strdup((const char *)data); -@@ -48,10 +48,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type, - return 
-1; - break; - case NFTNL_EXPR_LOOKUP_SET_ID: -- memcpy(&lookup->set_id, data, sizeof(lookup->set_id)); -+ memcpy(&lookup->set_id, data, data_len); - break; - case NFTNL_EXPR_LOOKUP_FLAGS: -- memcpy(&lookup->flags, data, sizeof(lookup->flags)); -+ memcpy(&lookup->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/masq.c b/src/expr/masq.c -index 4be5a9c..e0565db 100644 ---- a/src/expr/masq.c -+++ b/src/expr/masq.c -@@ -34,13 +34,13 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_MASQ_FLAGS: -- memcpy(&masq->flags, data, sizeof(masq->flags)); -+ memcpy(&masq->flags, data, data_len); - break; - case NFTNL_EXPR_MASQ_REG_PROTO_MIN: -- memcpy(&masq->sreg_proto_min, data, sizeof(masq->sreg_proto_min)); -+ memcpy(&masq->sreg_proto_min, data, data_len); - break; - case NFTNL_EXPR_MASQ_REG_PROTO_MAX: -- memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max)); -+ memcpy(&masq->sreg_proto_max, data, data_len); - break; - } - return 0; -diff --git a/src/expr/match.c b/src/expr/match.c -index 68288dc..8c1bc74 100644 ---- a/src/expr/match.c -+++ b/src/expr/match.c -@@ -46,7 +46,7 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type, - (const char *)data); - break; - case NFTNL_EXPR_MT_REV: -- memcpy(&mt->rev, data, sizeof(mt->rev)); -+ memcpy(&mt->rev, data, data_len); - break; - case NFTNL_EXPR_MT_INFO: - if (e->flags & (1 << NFTNL_EXPR_MT_INFO)) -diff --git a/src/expr/meta.c b/src/expr/meta.c -index cd49c34..136a450 100644 ---- a/src/expr/meta.c -+++ b/src/expr/meta.c -@@ -39,13 +39,13 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_META_KEY: -- memcpy(&meta->key, data, sizeof(meta->key)); -+ memcpy(&meta->key, data, data_len); - break; - case NFTNL_EXPR_META_DREG: -- memcpy(&meta->dreg, data, sizeof(meta->dreg)); -+ memcpy(&meta->dreg, data, data_len); - break; - case NFTNL_EXPR_META_SREG: -- memcpy(&meta->sreg, data, sizeof(meta->sreg)); -+ 
memcpy(&meta->sreg, data, data_len); - break; - } - return 0; -diff --git a/src/expr/nat.c b/src/expr/nat.c -index f3f8644..1235ba4 100644 ---- a/src/expr/nat.c -+++ b/src/expr/nat.c -@@ -42,25 +42,25 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_NAT_TYPE: -- memcpy(&nat->type, data, sizeof(nat->type)); -+ memcpy(&nat->type, data, data_len); - break; - case NFTNL_EXPR_NAT_FAMILY: -- memcpy(&nat->family, data, sizeof(nat->family)); -+ memcpy(&nat->family, data, data_len); - break; - case NFTNL_EXPR_NAT_REG_ADDR_MIN: -- memcpy(&nat->sreg_addr_min, data, sizeof(nat->sreg_addr_min)); -+ memcpy(&nat->sreg_addr_min, data, data_len); - break; - case NFTNL_EXPR_NAT_REG_ADDR_MAX: -- memcpy(&nat->sreg_addr_max, data, sizeof(nat->sreg_addr_max)); -+ memcpy(&nat->sreg_addr_max, data, data_len); - break; - case NFTNL_EXPR_NAT_REG_PROTO_MIN: -- memcpy(&nat->sreg_proto_min, data, sizeof(nat->sreg_proto_min)); -+ memcpy(&nat->sreg_proto_min, data, data_len); - break; - case NFTNL_EXPR_NAT_REG_PROTO_MAX: -- memcpy(&nat->sreg_proto_max, data, sizeof(nat->sreg_proto_max)); -+ memcpy(&nat->sreg_proto_max, data, data_len); - break; - case NFTNL_EXPR_NAT_FLAGS: -- memcpy(&nat->flags, data, sizeof(nat->flags)); -+ memcpy(&nat->flags, data, data_len); - break; - } - -diff --git a/src/expr/numgen.c b/src/expr/numgen.c -index c5e8772..c015b88 100644 ---- a/src/expr/numgen.c -+++ b/src/expr/numgen.c -@@ -35,16 +35,16 @@ nftnl_expr_ng_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_NG_DREG: -- memcpy(&ng->dreg, data, sizeof(ng->dreg)); -+ memcpy(&ng->dreg, data, data_len); - break; - case NFTNL_EXPR_NG_MODULUS: -- memcpy(&ng->modulus, data, sizeof(ng->modulus)); -+ memcpy(&ng->modulus, data, data_len); - break; - case NFTNL_EXPR_NG_TYPE: -- memcpy(&ng->type, data, sizeof(ng->type)); -+ memcpy(&ng->type, data, data_len); - break; - case NFTNL_EXPR_NG_OFFSET: -- memcpy(&ng->offset, data, sizeof(ng->offset)); -+ 
memcpy(&ng->offset, data, data_len); - break; - default: - return -1; -diff --git a/src/expr/objref.c b/src/expr/objref.c -index 59e1ddd..0053805 100644 ---- a/src/expr/objref.c -+++ b/src/expr/objref.c -@@ -39,7 +39,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_OBJREF_IMM_TYPE: -- memcpy(&objref->imm.type, data, sizeof(objref->imm.type)); -+ memcpy(&objref->imm.type, data, data_len); - break; - case NFTNL_EXPR_OBJREF_IMM_NAME: - objref->imm.name = strdup(data); -@@ -47,7 +47,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type, - return -1; - break; - case NFTNL_EXPR_OBJREF_SET_SREG: -- memcpy(&objref->set.sreg, data, sizeof(objref->set.sreg)); -+ memcpy(&objref->set.sreg, data, data_len); - break; - case NFTNL_EXPR_OBJREF_SET_NAME: - objref->set.name = strdup(data); -@@ -55,7 +55,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type, - return -1; - break; - case NFTNL_EXPR_OBJREF_SET_ID: -- memcpy(&objref->set.id, data, sizeof(objref->set.id)); -+ memcpy(&objref->set.id, data, data_len); - break; - } - return 0; -diff --git a/src/expr/osf.c b/src/expr/osf.c -index 1e4ceb0..060394b 100644 ---- a/src/expr/osf.c -+++ b/src/expr/osf.c -@@ -25,13 +25,13 @@ static int nftnl_expr_osf_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_OSF_DREG: -- memcpy(&osf->dreg, data, sizeof(osf->dreg)); -+ memcpy(&osf->dreg, data, data_len); - break; - case NFTNL_EXPR_OSF_TTL: -- memcpy(&osf->ttl, data, sizeof(osf->ttl)); -+ memcpy(&osf->ttl, data, data_len); - break; - case NFTNL_EXPR_OSF_FLAGS: -- memcpy(&osf->flags, data, sizeof(osf->flags)); -+ memcpy(&osf->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/payload.c b/src/expr/payload.c -index 76d38f7..35cd10c 100644 ---- a/src/expr/payload.c -+++ b/src/expr/payload.c -@@ -43,28 +43,28 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case 
NFTNL_EXPR_PAYLOAD_SREG: -- memcpy(&payload->sreg, data, sizeof(payload->sreg)); -+ memcpy(&payload->sreg, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_DREG: -- memcpy(&payload->dreg, data, sizeof(payload->dreg)); -+ memcpy(&payload->dreg, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_BASE: -- memcpy(&payload->base, data, sizeof(payload->base)); -+ memcpy(&payload->base, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_OFFSET: -- memcpy(&payload->offset, data, sizeof(payload->offset)); -+ memcpy(&payload->offset, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_LEN: -- memcpy(&payload->len, data, sizeof(payload->len)); -+ memcpy(&payload->len, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_CSUM_TYPE: -- memcpy(&payload->csum_type, data, sizeof(payload->csum_type)); -+ memcpy(&payload->csum_type, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_CSUM_OFFSET: -- memcpy(&payload->csum_offset, data, sizeof(payload->csum_offset)); -+ memcpy(&payload->csum_offset, data, data_len); - break; - case NFTNL_EXPR_PAYLOAD_FLAGS: -- memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags)); -+ memcpy(&payload->csum_flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/queue.c b/src/expr/queue.c -index 54792ef..09220c4 100644 ---- a/src/expr/queue.c -+++ b/src/expr/queue.c -@@ -34,16 +34,16 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_QUEUE_NUM: -- memcpy(&queue->queuenum, data, sizeof(queue->queuenum)); -+ memcpy(&queue->queuenum, data, data_len); - break; - case NFTNL_EXPR_QUEUE_TOTAL: -- memcpy(&queue->queues_total, data, sizeof(queue->queues_total)); -+ memcpy(&queue->queues_total, data, data_len); - break; - case NFTNL_EXPR_QUEUE_FLAGS: -- memcpy(&queue->flags, data, sizeof(queue->flags)); -+ memcpy(&queue->flags, data, data_len); - break; - case NFTNL_EXPR_QUEUE_SREG_QNUM: -- memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum)); -+ memcpy(&queue->sreg_qnum, 
data, data_len); - break; - } - return 0; -diff --git a/src/expr/quota.c b/src/expr/quota.c -index 60631fe..ddf232f 100644 ---- a/src/expr/quota.c -+++ b/src/expr/quota.c -@@ -33,13 +33,13 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_QUOTA_BYTES: -- memcpy("a->bytes, data, sizeof(quota->bytes)); -+ memcpy("a->bytes, data, data_len); - break; - case NFTNL_EXPR_QUOTA_CONSUMED: -- memcpy("a->consumed, data, sizeof(quota->consumed)); -+ memcpy("a->consumed, data, data_len); - break; - case NFTNL_EXPR_QUOTA_FLAGS: -- memcpy("a->flags, data, sizeof(quota->flags)); -+ memcpy("a->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/range.c b/src/expr/range.c -index 6310b79..96bb140 100644 ---- a/src/expr/range.c -+++ b/src/expr/range.c -@@ -34,10 +34,10 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_RANGE_SREG: -- memcpy(&range->sreg, data, sizeof(range->sreg)); -+ memcpy(&range->sreg, data, data_len); - break; - case NFTNL_EXPR_RANGE_OP: -- memcpy(&range->op, data, sizeof(range->op)); -+ memcpy(&range->op, data, data_len); - break; - case NFTNL_EXPR_RANGE_FROM_DATA: - return nftnl_data_cpy(&range->data_from, data, data_len); -diff --git a/src/expr/redir.c b/src/expr/redir.c -index 69095bd..9971306 100644 ---- a/src/expr/redir.c -+++ b/src/expr/redir.c -@@ -34,13 +34,13 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_REDIR_REG_PROTO_MIN: -- memcpy(&redir->sreg_proto_min, data, sizeof(redir->sreg_proto_min)); -+ memcpy(&redir->sreg_proto_min, data, data_len); - break; - case NFTNL_EXPR_REDIR_REG_PROTO_MAX: -- memcpy(&redir->sreg_proto_max, data, sizeof(redir->sreg_proto_max)); -+ memcpy(&redir->sreg_proto_max, data, data_len); - break; - case NFTNL_EXPR_REDIR_FLAGS: -- memcpy(&redir->flags, data, sizeof(redir->flags)); -+ memcpy(&redir->flags, data, data_len); - break; - } - 
return 0; -diff --git a/src/expr/reject.c b/src/expr/reject.c -index f97011a..9090db3 100644 ---- a/src/expr/reject.c -+++ b/src/expr/reject.c -@@ -33,10 +33,10 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_REJECT_TYPE: -- memcpy(&reject->type, data, sizeof(reject->type)); -+ memcpy(&reject->type, data, data_len); - break; - case NFTNL_EXPR_REJECT_CODE: -- memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code)); -+ memcpy(&reject->icmp_code, data, data_len); - break; - } - return 0; -diff --git a/src/expr/rt.c b/src/expr/rt.c -index 0ab2556..ff4fd03 100644 ---- a/src/expr/rt.c -+++ b/src/expr/rt.c -@@ -32,10 +32,10 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_RT_KEY: -- memcpy(&rt->key, data, sizeof(rt->key)); -+ memcpy(&rt->key, data, data_len); - break; - case NFTNL_EXPR_RT_DREG: -- memcpy(&rt->dreg, data, sizeof(rt->dreg)); -+ memcpy(&rt->dreg, data, data_len); - break; - } - return 0; -diff --git a/src/expr/socket.c b/src/expr/socket.c -index d0d8e23..7a25cdf 100644 ---- a/src/expr/socket.c -+++ b/src/expr/socket.c -@@ -33,13 +33,13 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type, - - switch (type) { - case NFTNL_EXPR_SOCKET_KEY: -- memcpy(&socket->key, data, sizeof(socket->key)); -+ memcpy(&socket->key, data, data_len); - break; - case NFTNL_EXPR_SOCKET_DREG: -- memcpy(&socket->dreg, data, sizeof(socket->dreg)); -+ memcpy(&socket->dreg, data, data_len); - break; - case NFTNL_EXPR_SOCKET_LEVEL: -- memcpy(&socket->level, data, sizeof(socket->level)); -+ memcpy(&socket->level, data, data_len); - break; - } - return 0; -diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c -index 898d292..97c321b 100644 ---- a/src/expr/synproxy.c -+++ b/src/expr/synproxy.c -@@ -23,13 +23,13 @@ static int nftnl_expr_synproxy_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_SYNPROXY_MSS: -- memcpy(&synproxy->mss, data, 
sizeof(synproxy->mss)); -+ memcpy(&synproxy->mss, data, data_len); - break; - case NFTNL_EXPR_SYNPROXY_WSCALE: -- memcpy(&synproxy->wscale, data, sizeof(synproxy->wscale)); -+ memcpy(&synproxy->wscale, data, data_len); - break; - case NFTNL_EXPR_SYNPROXY_FLAGS: -- memcpy(&synproxy->flags, data, sizeof(synproxy->flags)); -+ memcpy(&synproxy->flags, data, data_len); - break; - } - return 0; -diff --git a/src/expr/target.c b/src/expr/target.c -index 9bfd25b..8259a20 100644 ---- a/src/expr/target.c -+++ b/src/expr/target.c -@@ -46,7 +46,7 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type, - (const char *) data); - break; - case NFTNL_EXPR_TG_REV: -- memcpy(&tg->rev, data, sizeof(tg->rev)); -+ memcpy(&tg->rev, data, data_len); - break; - case NFTNL_EXPR_TG_INFO: - if (e->flags & (1 << NFTNL_EXPR_TG_INFO)) -diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c -index 4948392..9391ce8 100644 ---- a/src/expr/tproxy.c -+++ b/src/expr/tproxy.c -@@ -34,13 +34,13 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_TPROXY_FAMILY: -- memcpy(&tproxy->family, data, sizeof(tproxy->family)); -+ memcpy(&tproxy->family, data, data_len); - break; - case NFTNL_EXPR_TPROXY_REG_ADDR: -- memcpy(&tproxy->sreg_addr, data, sizeof(tproxy->sreg_addr)); -+ memcpy(&tproxy->sreg_addr, data, data_len); - break; - case NFTNL_EXPR_TPROXY_REG_PORT: -- memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port)); -+ memcpy(&tproxy->sreg_port, data, data_len); - break; - } - -diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c -index 8089d0b..861e56d 100644 ---- a/src/expr/tunnel.c -+++ b/src/expr/tunnel.c -@@ -31,10 +31,10 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type, - - switch(type) { - case NFTNL_EXPR_TUNNEL_KEY: -- memcpy(&tunnel->key, data, sizeof(tunnel->key)); -+ memcpy(&tunnel->key, data, data_len); - break; - case NFTNL_EXPR_TUNNEL_DREG: -- memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg)); -+ memcpy(&tunnel->dreg, 
data, data_len);
- break;
- }
- return 0;
-diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
-index dc867a2..2585579 100644
---- a/src/expr/xfrm.c
-+++ b/src/expr/xfrm.c
-@@ -33,16 +33,16 @@ nftnl_expr_xfrm_set(struct nftnl_expr *e, uint16_t type,
-
- switch(type) {
- case NFTNL_EXPR_XFRM_KEY:
-- memcpy(&x->key, data, sizeof(x->key));
-+ memcpy(&x->key, data, data_len);
- break;
- case NFTNL_EXPR_XFRM_DIR:
-- memcpy(&x->dir, data, sizeof(x->dir));
-+ memcpy(&x->dir, data, data_len);
- break;
- case NFTNL_EXPR_XFRM_SPNUM:
-- memcpy(&x->spnum, data, sizeof(x->spnum));
-+ memcpy(&x->spnum, data, data_len);
- break;
- case NFTNL_EXPR_XFRM_DREG:
-- memcpy(&x->dreg, data, sizeof(x->dreg));
-+ memcpy(&x->dreg, data, data_len);
- break;
- default:
- return -1;
diff --git a/0030-tests-Fix-objref-test-case.patch b/0030-tests-Fix-objref-test-case.patch
deleted file mode 100644
index 86ee7ef..0000000
--- a/0030-tests-Fix-objref-test-case.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 9b450d7911b124884ceab1bc2df789505702d19f Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 8 May 2024 22:52:28 +0200
-Subject: [PATCH] tests: Fix objref test case
-
-JIRA: https://issues.redhat.com/browse/RHEL-28515
-Upstream Status: libnftnl commit c2982f81e0d15fb3109112945c73b93a53e21348
-
-commit c2982f81e0d15fb3109112945c73b93a53e21348
-Author: Phil Sutter
-Date: Fri Dec 15 16:10:49 2023 +0100
-
- tests: Fix objref test case
-
- Probably a c'n'p bug, the test would allocate a lookup expression
- instead of the objref one to be tested.
-
- Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
- Signed-off-by: Phil Sutter
-
-Signed-off-by: Phil Sutter
----
- tests/nft-expr_objref-test.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/nft-expr_objref-test.c b/tests/nft-expr_objref-test.c
-index 08e27ce..9e698df 100644
---- a/tests/nft-expr_objref-test.c
-+++ b/tests/nft-expr_objref-test.c
-@@ -52,7 +52,7 @@ int main(int argc, char *argv[])
- b = nftnl_rule_alloc();
- if (a == NULL || b == NULL)
- print_err("OOM");
-- ex = nftnl_expr_alloc("lookup");
-+ ex = nftnl_expr_alloc("objref");
- if (ex == NULL)
- print_err("OOM");
-
diff --git a/libnftnl.spec b/libnftnl.spec
index 503956e..57b107d 100644
--- a/libnftnl.spec
+++ b/libnftnl.spec
@@ -1,5 +1,5 @@
-%define libnftnl_rpmversion 1.2.6
-%define libnftnl_specrelease 8
+%define libnftnl_rpmversion 1.2.7
+%define libnftnl_specrelease 1
 Name: libnftnl
 Version: %{libnftnl_rpmversion}
@@ -9,36 +9,6 @@ License: GPL-2.0-or-later
 URL: https://netfilter.org/projects/libnftnl/
 Source0: %{url}/files/%{name}-%{version}.tar.xz
-Patch1: 0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
-Patch2: 0002-expr-fix-buffer-overflows-in-data-value-setters.patch
-Patch3: 0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
-Patch4: 0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
-Patch5: 0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch
-Patch6: 0006-udata-incorrect-userdata-buffer-size-validation.patch
-Patch7: 0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch
-Patch8: 0008-expr-Call-expr_ops-set-with-legal-types-only.patch
-Patch9: 0009-include-Sync-nf_log.h-with-kernel-headers.patch
-Patch10: 0010-expr-Introduce-struct-expr_ops-attr_policy.patch
-Patch11: 0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch
-Patch12: 0012-chain-Validate-NFTNL_CHAIN_USE-too.patch
-Patch13: 0013-table-Validate-NFTNL_TABLE_USE-too.patch
-Patch14: 0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch
-Patch15: 0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch
-Patch16: 0016-set-Validate-NFTNL_SET_ID-too.patch
-Patch17: 0017-table-Validate-NFTNL_TABLE_OWNER-too.patch
-Patch18: 0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch
-Patch19: 0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch
-Patch20: 0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch
-Patch21: 0021-object-getters-take-const-struct.patch
-Patch22: 0022-obj-Return-value-on-setters.patch
-Patch23: 0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch
-Patch24: 0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch
-Patch25: 0025-obj-Introduce-struct-obj_ops-attr_policy.patch
-Patch26: 0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch
-Patch27: 0027-utils-Introduce-and-use-nftnl_set_str_attr.patch
-Patch28: 0028-obj-Respect-data_len-when-setting-attributes.patch
-Patch29: 0029-expr-Respect-data_len-when-setting-attributes.patch
-Patch30: 0030-tests-Fix-objref-test-case.patch
 BuildRequires: libmnl-devel
 BuildRequires: gcc
@@ -87,6 +57,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl
 %changelog
+* Wed Jul 17 2024 Phil Sutter [1.2.7-1.el10]
+- Rebase onto version 1.2.7 (Phil Sutter)
+
 * Tue Jul 02 2024 Phil Sutter [1.2.6-8.el10]
 - Sync with RHEL9 package (Phil Sutter)
diff --git a/sources b/sources
index 6314a58..252f6a1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libnftnl-1.2.6.tar.xz) = 0c8c369eec84b0c568f0067598bece6e3be9a0fbd977e443ae3b14a5a6d842a6086ceb5426a65f8c77204709655f148c1241193f1a928f8c12154a57e3548b34
+SHA512 (libnftnl-1.2.7.tar.xz) = 24ff3e7e97f51cb5dfda2fbd2f5e175abcec0dd58f94936022800ec356ff004a531f0915df72278b867769ba71473d407b01d52cc33a3cafb043d9a90b051f9d
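Review bot: The `@@ -9,36 +9,6 @@` hunk drops Patch1 through Patch30 without the changelog entry or the commit recording that each of them is contained in upstream 1.2.7, and several are memory-safety fixes by name (`0002-expr-fix-buffer-overflows-in-data-value-setters.patch`, `0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch`, `0006-udata-incorrect-userdata-buffer-size-validation.patch`), so one silently missing from the new tarball would reintroduce a fixed bug. The deleted patch files visible on this page carry `Upstream Status: libnftnl commit …` headers, which suggests they are all backports, but nothing on the page confirms those commits are part of the 1.2.7 release. I would state the check in the changelog, e.g. `- Rebase onto version 1.2.7, dropping all backports now contained upstream (Phil Sutter)`, and keep the Patch line for any backport that turns out not to be upstream yet.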
