rpms/libnftnl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c9
rpms:c9s
rpms:c9-beta
rpms:c8-beta
rpms:c8s
rpms:imports/c10s/libnftnl-1.2.8-1.el10
rpms:imports/c10s/libnftnl-1.2.7-4.el10.1
rpms:imports/c10s/libnftnl-1.2.7-4.el10
rpms:imports/c9/libnftnl-1.2.6-4.el9_4
rpms:imports/c10s/libnftnl-1.2.6-8.el10
rpms:imports/c9/libnftnl-1.2.6-2.el9
rpms:imports/c8/libnftnl-1.2.2-3.el8
rpms:imports/c8-beta/libnftnl-1.2.2-3.el8
rpms:imports/c9/libnftnl-1.2.2-1.el9
rpms:imports/c9-beta/libnftnl-1.2.2-1.el9
rpms:imports/c9/libnftnl-1.1.9-4.el9
rpms:imports/c8/libnftnl-1.1.5-5.el8
rpms:imports/c8-beta/libnftnl-1.1.5-5.el8
rpms:imports/c8s/libnftnl-1.1.5-5.el8
rpms:imports/c9-beta/libnftnl-1.1.9-4.el9
rpms:imports/c8-beta/libnftnl-1.1.5-4.el8
rpms:imports/c8-beta/libnftnl-1.1.5-2.el8
rpms:imports/c8-beta/libnftnl-1.1.1-4.el8
rpms:imports/c8s/libnftnl-1.1.5-4.el8
rpms:imports/c8/libnftnl-1.1.5-4.el8
rpms:imports/c8/libnftnl-1.1.1-4.el8
...
pull from: rpms:c9
Branches Tags
rpms:c10s
rpms:c9
rpms:c9s
rpms:c9-beta
rpms:c8
rpms:c8-beta
rpms:c8s
rpms:imports/c10s/libnftnl-1.2.8-1.el10
rpms:imports/c10s/libnftnl-1.2.7-4.el10.1
rpms:imports/c10s/libnftnl-1.2.7-4.el10
rpms:imports/c9/libnftnl-1.2.6-4.el9_4
rpms:imports/c10s/libnftnl-1.2.6-8.el10
rpms:imports/c9/libnftnl-1.2.6-2.el9
rpms:imports/c8/libnftnl-1.2.2-3.el8
rpms:imports/c8-beta/libnftnl-1.2.2-3.el8
rpms:imports/c9/libnftnl-1.2.2-1.el9
rpms:imports/c9-beta/libnftnl-1.2.2-1.el9
rpms:imports/c9/libnftnl-1.1.9-4.el9
rpms:imports/c8/libnftnl-1.1.5-5.el8
rpms:imports/c8-beta/libnftnl-1.1.5-5.el8
rpms:imports/c8s/libnftnl-1.1.5-5.el8
rpms:imports/c9-beta/libnftnl-1.1.9-4.el9
rpms:imports/c8-beta/libnftnl-1.1.5-4.el8
rpms:imports/c8-beta/libnftnl-1.1.5-2.el8
rpms:imports/c8-beta/libnftnl-1.1.1-4.el8
rpms:imports/c8s/libnftnl-1.1.5-4.el8
rpms:imports/c8/libnftnl-1.1.5-4.el8
rpms:imports/c8/libnftnl-1.1.1-4.el8

No commits in common. "c8" and "c9" have entirely different histories.
c8 ... c9

34 changed files with 5863 additions and 125 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libnftnl-1.2.2.tar.bz2 SOURCES/libnftnl-1.2.6.tar.xz

2
.libnftnl.metadata
View File

@ -1 +1 @@
a43773c5569d6a80cd94add256bef4dd63dd7571 SOURCES/libnftnl-1.2.2.tar.bz2 aba10d5003a851fe08685df1d4ff7b60500122d0 SOURCES/libnftnl-1.2.6.tar.xz

47
SOURCES/0001-libnftnl.map-Restore-custom-LIBNFTNL_RHEL_14-version.patch
View File

@ -1,47 +0,0 @@
From 7255af8a844a1444d59023500d176c8c2fff7a62 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 28 Jun 2023 15:41:05 +0200
Subject: [PATCH] libnftnl.map: Restore custom LIBNFTNL_RHEL_14 version
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211096
Upstream Status: RHEL-only
Avoid breaking old binaries. Keep the custom version name exporting
symbol nftnl_set_elem_nlmsg_build upstream exported in LIBNFTNL_17.
---
src/libnftnl.map | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libnftnl.map b/src/libnftnl.map
index ad8f2af060aef..26701c2984296 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -360,6 +360,10 @@ LIBNFTNL_13 {
nftnl_flowtable_set_data;
} LIBNFTNL_12;
+LIBNFTNL_RHEL_14 {
+ nftnl_set_elem_nlmsg_build;
+} LIBNFTNL_13;
+
LIBNFTNL_14 {
nftnl_udata_nest_start;
nftnl_udata_nest_end;
@@ -367,7 +371,7 @@ LIBNFTNL_14 {
nftnl_chain_get_array;
nftnl_flowtable_set_array;
nftnl_flowtable_get_array;
-} LIBNFTNL_13;
+} LIBNFTNL_RHEL_14;
LIBNFTNL_15 {
nftnl_obj_get_data;
@@ -385,5 +389,4 @@ LIBNFTNL_16 {
} LIBNFTNL_15;
LIBNFTNL_17 {
- nftnl_set_elem_nlmsg_build;
} LIBNFTNL_16;
--
2.40.0

77
SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch Normal file
View File

@ -0,0 +1,77 @@
From 64b18b08a4c7ff6baeca536100e34aacbbafa7f3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 26 Oct 2023 18:05:02 +0200
Subject: [PATCH] set: Do not leave free'd expr_list elements in place
JIRA: https://issues.redhat.com/browse/RHEL-14149
Upstream Status: libnftnl commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
Author: Phil Sutter <phil@nwl.cc>
Date: Wed May 31 14:09:09 2023 +0200
set: Do not leave free'd expr_list elements in place
When freeing elements, remove them also to prevent a potential UAF.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/set.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/set.c b/src/set.c
index c46f827..719e596 100644
--- a/src/set.c
+++ b/src/set.c
@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
if (s->flags & (1 << NFTNL_SET_USERDATA))
xfree(s->user.data);
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
list_del(&elem->head);
@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
break;
case NFTNL_SET_EXPR:
case NFTNL_SET_EXPRESSIONS:
- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
break;
default:
return;
@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
s->user.len = data_len;
break;
case NFTNL_SET_EXPR:
- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
expr = (void *)data;
list_add(&expr->head, &s->expr_list);
@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
return 0;
out_set_expr:
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
return -1;
}

144
SOURCES/0002-expr-fix-buffer-overflows-in-data-value-setters.patch Normal file
View File

@ -0,0 +1,144 @@
From b88949c0d64c96683e581cbefada07de4c83eff9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] expr: fix buffer overflows in data value setters
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit bc2afbde9eae491bcef23ef5b24b25c7605ad911
commit bc2afbde9eae491bcef23ef5b24b25c7605ad911
Author: Florian Westphal <fw@strlen.de>
Date: Tue Dec 12 15:01:17 2023 +0100
expr: fix buffer overflows in data value setters
The data value setters memcpy() to a fixed-size buffer, but its very easy
to make nft pass too-larger values. Example:
@th,160,1272 gt 0
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]
Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a
proper error message.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/data_reg.h | 2 ++
src/expr/bitwise.c | 12 +++---------
src/expr/cmp.c | 4 +---
src/expr/data_reg.c | 14 ++++++++++++++
src/expr/immediate.c | 4 +---
src/expr/range.c | 8 ++------
6 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/include/data_reg.h b/include/data_reg.h
index 6d2dc66..5ee7080 100644
--- a/include/data_reg.h
+++ b/include/data_reg.h
@@ -37,4 +37,6 @@ struct nlattr;
int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int *type);
void nftnl_free_verdict(const union nftnl_data_reg *data);
+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len);
+
#endif
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 2d27233..e5dba82 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -51,17 +51,11 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
memcpy(&bitwise->len, data, sizeof(bitwise->len));
break;
case NFTNL_EXPR_BITWISE_MASK:
- memcpy(&bitwise->mask.val, data, data_len);
- bitwise->mask.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->mask, data, data_len);
case NFTNL_EXPR_BITWISE_XOR:
- memcpy(&bitwise->xor.val, data, data_len);
- bitwise->xor.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->xor, data, data_len);
case NFTNL_EXPR_BITWISE_DATA:
- memcpy(&bitwise->data.val, data, data_len);
- bitwise->data.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->data, data, data_len);
default:
return -1;
}
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index f9d15bb..1d396e8 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -42,9 +42,7 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
memcpy(&cmp->op, data, sizeof(cmp->op));
break;
case NFTNL_EXPR_CMP_DATA:
- memcpy(&cmp->data.val, data, data_len);
- cmp->data.len = data_len;
- break;
+ return nftnl_data_cpy(&cmp->data, data, data_len);
default:
return -1;
}
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 2633a77..690b23d 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -217,3 +217,17 @@ void nftnl_free_verdict(const union nftnl_data_reg *data)
break;
}
}
+
+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len)
+{
+ int ret = 0;
+
+ if (len > sizeof(dreg->val)) {
+ len = sizeof(dreg->val);
+ ret = -1;
+ }
+
+ memcpy(dreg->val, src, len);
+ dreg->len = len;
+ return ret;
+}
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index 5d477a8..f56aa8f 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -36,9 +36,7 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
memcpy(&imm->dreg, data, sizeof(imm->dreg));
break;
case NFTNL_EXPR_IMM_DATA:
- memcpy(&imm->data.val, data, data_len);
- imm->data.len = data_len;
- break;
+ return nftnl_data_cpy(&imm->data, data, data_len);
case NFTNL_EXPR_IMM_VERDICT:
memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict));
break;
diff --git a/src/expr/range.c b/src/expr/range.c
index 473add8..5a30e48 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -40,13 +40,9 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
memcpy(&range->op, data, sizeof(range->op));
break;
case NFTNL_EXPR_RANGE_FROM_DATA:
- memcpy(&range->data_from.val, data, data_len);
- range->data_from.len = data_len;
- break;
+ return nftnl_data_cpy(&range->data_from, data, data_len);
case NFTNL_EXPR_RANGE_TO_DATA:
- memcpy(&range->data_to.val, data, data_len);
- range->data_to.len = data_len;
- break;
+ return nftnl_data_cpy(&range->data_to, data, data_len);
default:
return -1;
}

46
SOURCES/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch Normal file
View File

@ -0,0 +1,46 @@
From 0d1d0bc545fdf355e19556153c3bb50d3bca29af Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 407f616ea53184ac3bfb9930d3f27ae1cff9c348
commit 407f616ea53184ac3bfb9930d3f27ae1cff9c348
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu Jan 11 01:13:37 2024 +0100
set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
the array boundary.
Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/set.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/set.c b/src/set.c
index 719e596..b51ff9e 100644
--- a/src/set.c
+++ b/src/set.c
@@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
memcpy(&s->desc.size, data, sizeof(s->desc.size));
break;
case NFTNL_SET_DESC_CONCAT:
+ if (data_len > sizeof(s->desc.field_len))
+ return -1;
+
memcpy(&s->desc.field_len, data, data_len);
- while (s->desc.field_len[++s->desc.field_count]);
+ while (s->desc.field_len[++s->desc.field_count]) {
+ if (s->desc.field_count >= NFT_REG32_COUNT)
+ break;
+ }
break;
case NFTNL_SET_TIMEOUT:
memcpy(&s->timeout, data, sizeof(s->timeout));

60
SOURCES/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch Normal file
View File

@ -0,0 +1,60 @@
From aecf2107e075bc45e584badf1c67c0badfd116a5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] set_elem: use nftnl_data_cpy() in
NFTNL_SET_ELEM_{KEY,KEY_END,DATA}
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 974af82c0bb0bc5958ccd759bd3a0f2bddbc8d83
commit 974af82c0bb0bc5958ccd759bd3a0f2bddbc8d83
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Jan 12 12:33:38 2024 +0100
set_elem: use nftnl_data_cpy() in NFTNL_SET_ELEM_{KEY,KEY_END,DATA}
Use safe nftnl_data_cpy() to copy key into union nftnl_data_reg.
Follow up for commit:
bc2afbde9eae ("expr: fix buffer overflows in data value setters")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/set_elem.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/set_elem.c b/src/set_elem.c
index 884faff..9207a0d 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -126,12 +126,12 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
memcpy(&s->set_elem_flags, data, sizeof(s->set_elem_flags));
break;
case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
- memcpy(&s->key.val, data, data_len);
- s->key.len = data_len;
+ if (nftnl_data_cpy(&s->key, data, data_len) < 0)
+ return -1;
break;
case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */
- memcpy(&s->key_end.val, data, data_len);
- s->key_end.len = data_len;
+ if (nftnl_data_cpy(&s->key_end, data, data_len) < 0)
+ return -1;
break;
case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
memcpy(&s->data.verdict, data, sizeof(s->data.verdict));
@@ -145,8 +145,8 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
return -1;
break;
case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */
- memcpy(s->data.val, data, data_len);
- s->data.len = data_len;
+ if (nftnl_data_cpy(&s->data, data, data_len) < 0)
+ return -1;
break;
case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */
memcpy(&s->timeout, data, sizeof(s->timeout));

72
SOURCES/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch Normal file
View File

@ -0,0 +1,72 @@
From ec6136e9d14c36daf6c59fc99c051ed3ac4cd0f2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] obj: ct_timeout: setter checks for timeout array boundaries
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 7e6a10e4a57aaf72c74c21d2ed7d2be8289d0f6f
commit 7e6a10e4a57aaf72c74c21d2ed7d2be8289d0f6f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu Jan 25 17:34:40 2024 +0100
obj: ct_timeout: setter checks for timeout array boundaries
Use _MAX definitions for timeout attribute arrays and check that
timeout array is not larger than NFTNL_CTTIMEOUT_ARRAY_MAX.
Fixes: 0adceeab1597 ("src: add ct timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/obj/ct_timeout.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index 65b48bd..fedf9e3 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -21,7 +21,7 @@
#include "obj.h"
-static const char *const tcp_state_to_name[] = {
+static const char *const tcp_state_to_name[NFTNL_CTTIMEOUT_TCP_MAX] = {
[NFTNL_CTTIMEOUT_TCP_SYN_SENT] = "SYN_SENT",
[NFTNL_CTTIMEOUT_TCP_SYN_RECV] = "SYN_RECV",
[NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = "ESTABLISHED",
@@ -35,7 +35,7 @@ static const char *const tcp_state_to_name[] = {
[NFTNL_CTTIMEOUT_TCP_UNACK] = "UNACKNOWLEDGED",
};
-static uint32_t tcp_dflt_timeout[] = {
+static uint32_t tcp_dflt_timeout[NFTNL_CTTIMEOUT_TCP_MAX] = {
[NFTNL_CTTIMEOUT_TCP_SYN_SENT] = 120,
[NFTNL_CTTIMEOUT_TCP_SYN_RECV] = 60,
[NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = 432000,
@@ -49,12 +49,12 @@ static uint32_t tcp_dflt_timeout[] = {
[NFTNL_CTTIMEOUT_TCP_UNACK] = 300,
};
-static const char *const udp_state_to_name[] = {
+static const char *const udp_state_to_name[NFTNL_CTTIMEOUT_UDP_MAX] = {
[NFTNL_CTTIMEOUT_UDP_UNREPLIED] = "UNREPLIED",
[NFTNL_CTTIMEOUT_UDP_REPLIED] = "REPLIED",
};
-static uint32_t udp_dflt_timeout[] = {
+static uint32_t udp_dflt_timeout[NFTNL_CTTIMEOUT_UDP_MAX] = {
[NFTNL_CTTIMEOUT_UDP_UNREPLIED] = 30,
[NFTNL_CTTIMEOUT_UDP_REPLIED] = 180,
};
@@ -156,6 +156,9 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type,
memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto));
break;
case NFTNL_OBJ_CT_TIMEOUT_ARRAY:
+ if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX)
+ return -1;
+
memcpy(timeout->timeout, data,
sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX);
break;

51
SOURCES/0006-udata-incorrect-userdata-buffer-size-validation.patch Normal file
View File

@ -0,0 +1,51 @@
From f0cae2477f6e2292f315c1480c4a08d811dcb977 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] udata: incorrect userdata buffer size validation
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit a4bcdfa6200ef1945a8f936a4474b59666c8dcca
commit a4bcdfa6200ef1945a8f936a4474b59666c8dcca
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon Feb 26 17:31:19 2024 +0100
udata: incorrect userdata buffer size validation
Use the current remaining space in the buffer to ensure more userdata
attributes still fit in, buf->size is the total size of the userdata
buffer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/udata.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/udata.c b/src/udata.c
index 0cc3520..e9bfc35 100644
--- a/src/udata.c
+++ b/src/udata.c
@@ -42,6 +42,11 @@ uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf)
return (uint32_t)(buf->end - buf->data);
}
+static uint32_t nftnl_udata_buf_space(const struct nftnl_udata_buf *buf)
+{
+ return buf->size - nftnl_udata_buf_len(buf);
+}
+
EXPORT_SYMBOL(nftnl_udata_buf_data);
void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf)
{
@@ -74,7 +79,8 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len,
{
struct nftnl_udata *attr;
- if (len > UINT8_MAX || buf->size < len + sizeof(struct nftnl_udata))
+ if (len > UINT8_MAX ||
+ nftnl_udata_buf_space(buf) < len + sizeof(struct nftnl_udata))
return false;
attr = (struct nftnl_udata *)buf->end;

872
SOURCES/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch Normal file
View File

@ -0,0 +1,872 @@
From d131ee36bcd2ff923f8678bea6f8bc6dfe6da7bb Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] expr: Repurpose struct expr_ops::max_attr field
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 4ed45d7bbbb9f914c934af327ee0271bcc909302
commit 4ed45d7bbbb9f914c934af327ee0271bcc909302
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Dec 13 14:56:49 2023 +0100
expr: Repurpose struct expr_ops::max_attr field
Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value
instead. This will be used for index boundary checks in an attribute
policy array later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/expr_ops.h | 2 +-
include/libnftnl/expr.h | 39 +++++++++++++++++++++++++++++++++++++++
src/expr/bitwise.c | 2 +-
src/expr/byteorder.c | 2 +-
src/expr/cmp.c | 2 +-
src/expr/connlimit.c | 2 +-
src/expr/counter.c | 2 +-
src/expr/ct.c | 2 +-
src/expr/dup.c | 2 +-
src/expr/dynset.c | 2 +-
src/expr/exthdr.c | 2 +-
src/expr/fib.c | 2 +-
src/expr/flow_offload.c | 2 +-
src/expr/fwd.c | 2 +-
src/expr/hash.c | 2 +-
src/expr/immediate.c | 2 +-
src/expr/inner.c | 2 +-
src/expr/last.c | 2 +-
src/expr/limit.c | 2 +-
src/expr/log.c | 2 +-
src/expr/lookup.c | 2 +-
src/expr/masq.c | 2 +-
src/expr/match.c | 2 +-
src/expr/meta.c | 2 +-
src/expr/nat.c | 2 +-
src/expr/numgen.c | 2 +-
src/expr/objref.c | 2 +-
src/expr/osf.c | 2 +-
src/expr/payload.c | 2 +-
src/expr/queue.c | 2 +-
src/expr/quota.c | 2 +-
src/expr/range.c | 2 +-
src/expr/redir.c | 2 +-
src/expr/reject.c | 2 +-
src/expr/rt.c | 2 +-
src/expr/socket.c | 2 +-
src/expr/synproxy.c | 2 +-
src/expr/target.c | 2 +-
src/expr/tproxy.c | 2 +-
src/expr/tunnel.c | 2 +-
src/expr/xfrm.c | 2 +-
41 files changed, 79 insertions(+), 40 deletions(-)
diff --git a/include/expr_ops.h b/include/expr_ops.h
index a7d747a..51b2214 100644
--- a/include/expr_ops.h
+++ b/include/expr_ops.h
@@ -11,7 +11,7 @@ struct nftnl_expr;
struct expr_ops {
const char *name;
uint32_t alloc_len;
- int max_attr;
+ int nftnl_max_attr;
void (*init)(const struct nftnl_expr *e);
void (*free)(const struct nftnl_expr *e);
int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len);
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 9873228..fba1210 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -56,6 +56,7 @@ enum {
NFTNL_EXPR_PAYLOAD_CSUM_TYPE,
NFTNL_EXPR_PAYLOAD_CSUM_OFFSET,
NFTNL_EXPR_PAYLOAD_FLAGS,
+ __NFTNL_EXPR_PAYLOAD_MAX
};
enum {
@@ -65,34 +66,40 @@ enum {
NFTNL_EXPR_NG_OFFSET,
NFTNL_EXPR_NG_SET_NAME, /* deprecated */
NFTNL_EXPR_NG_SET_ID, /* deprecated */
+ __NFTNL_EXPR_NG_MAX
};
enum {
NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_META_DREG,
NFTNL_EXPR_META_SREG,
+ __NFTNL_EXPR_META_MAX
};
enum {
NFTNL_EXPR_RT_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_RT_DREG,
+ __NFTNL_EXPR_RT_MAX
};
enum {
NFTNL_EXPR_SOCKET_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_SOCKET_DREG,
NFTNL_EXPR_SOCKET_LEVEL,
+ __NFTNL_EXPR_SOCKET_MAX
};
enum {
NFTNL_EXPR_TUNNEL_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_TUNNEL_DREG,
+ __NFTNL_EXPR_TUNNEL_MAX
};
enum {
NFTNL_EXPR_CMP_SREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_CMP_OP,
NFTNL_EXPR_CMP_DATA,
+ __NFTNL_EXPR_CMP_MAX
};
enum {
@@ -100,6 +107,7 @@ enum {
NFTNL_EXPR_RANGE_OP,
NFTNL_EXPR_RANGE_FROM_DATA,
NFTNL_EXPR_RANGE_TO_DATA,
+ __NFTNL_EXPR_RANGE_MAX
};
enum {
@@ -108,16 +116,19 @@ enum {
NFTNL_EXPR_IMM_VERDICT,
NFTNL_EXPR_IMM_CHAIN,
NFTNL_EXPR_IMM_CHAIN_ID,
+ __NFTNL_EXPR_IMM_MAX
};
enum {
NFTNL_EXPR_CTR_PACKETS = NFTNL_EXPR_BASE,
NFTNL_EXPR_CTR_BYTES,
+ __NFTNL_EXPR_CTR_MAX
};
enum {
NFTNL_EXPR_CONNLIMIT_COUNT = NFTNL_EXPR_BASE,
NFTNL_EXPR_CONNLIMIT_FLAGS,
+ __NFTNL_EXPR_CONNLIMIT_MAX
};
enum {
@@ -128,18 +139,21 @@ enum {
NFTNL_EXPR_BITWISE_XOR,
NFTNL_EXPR_BITWISE_OP,
NFTNL_EXPR_BITWISE_DATA,
+ __NFTNL_EXPR_BITWISE_MAX
};
enum {
NFTNL_EXPR_TG_NAME = NFTNL_EXPR_BASE,
NFTNL_EXPR_TG_REV,
NFTNL_EXPR_TG_INFO,
+ __NFTNL_EXPR_TG_MAX
};
enum {
NFTNL_EXPR_MT_NAME = NFTNL_EXPR_BASE,
NFTNL_EXPR_MT_REV,
NFTNL_EXPR_MT_INFO,
+ __NFTNL_EXPR_MT_MAX
};
enum {
@@ -150,12 +164,14 @@ enum {
NFTNL_EXPR_NAT_REG_PROTO_MIN,
NFTNL_EXPR_NAT_REG_PROTO_MAX,
NFTNL_EXPR_NAT_FLAGS,
+ __NFTNL_EXPR_NAT_MAX
};
enum {
NFTNL_EXPR_TPROXY_FAMILY = NFTNL_EXPR_BASE,
NFTNL_EXPR_TPROXY_REG_ADDR,
NFTNL_EXPR_TPROXY_REG_PORT,
+ __NFTNL_EXPR_TPROXY_MAX
};
enum {
@@ -164,6 +180,7 @@ enum {
NFTNL_EXPR_LOOKUP_SET,
NFTNL_EXPR_LOOKUP_SET_ID,
NFTNL_EXPR_LOOKUP_FLAGS,
+ __NFTNL_EXPR_LOOKUP_MAX
};
enum {
@@ -176,6 +193,7 @@ enum {
NFTNL_EXPR_DYNSET_EXPR,
NFTNL_EXPR_DYNSET_EXPRESSIONS,
NFTNL_EXPR_DYNSET_FLAGS,
+ __NFTNL_EXPR_DYNSET_MAX
};
enum {
@@ -185,6 +203,7 @@ enum {
NFTNL_EXPR_LOG_QTHRESHOLD,
NFTNL_EXPR_LOG_LEVEL,
NFTNL_EXPR_LOG_FLAGS,
+ __NFTNL_EXPR_LOG_MAX
};
enum {
@@ -195,6 +214,7 @@ enum {
NFTNL_EXPR_EXTHDR_FLAGS,
NFTNL_EXPR_EXTHDR_OP,
NFTNL_EXPR_EXTHDR_SREG,
+ __NFTNL_EXPR_EXTHDR_MAX
};
enum {
@@ -202,6 +222,7 @@ enum {
NFTNL_EXPR_CT_KEY,
NFTNL_EXPR_CT_DIR,
NFTNL_EXPR_CT_SREG,
+ __NFTNL_EXPR_CT_MAX
};
enum {
@@ -210,6 +231,7 @@ enum {
NFTNL_EXPR_BYTEORDER_OP,
NFTNL_EXPR_BYTEORDER_LEN,
NFTNL_EXPR_BYTEORDER_SIZE,
+ __NFTNL_EXPR_BYTEORDER_MAX
};
enum {
@@ -218,11 +240,13 @@ enum {
NFTNL_EXPR_LIMIT_BURST,
NFTNL_EXPR_LIMIT_TYPE,
NFTNL_EXPR_LIMIT_FLAGS,
+ __NFTNL_EXPR_LIMIT_MAX
};
enum {
NFTNL_EXPR_REJECT_TYPE = NFTNL_EXPR_BASE,
NFTNL_EXPR_REJECT_CODE,
+ __NFTNL_EXPR_REJECT_MAX
};
enum {
@@ -230,39 +254,46 @@ enum {
NFTNL_EXPR_QUEUE_TOTAL,
NFTNL_EXPR_QUEUE_FLAGS,
NFTNL_EXPR_QUEUE_SREG_QNUM,
+ __NFTNL_EXPR_QUEUE_MAX
};
enum {
NFTNL_EXPR_QUOTA_BYTES = NFTNL_EXPR_BASE,
NFTNL_EXPR_QUOTA_FLAGS,
NFTNL_EXPR_QUOTA_CONSUMED,
+ __NFTNL_EXPR_QUOTA_MAX
};
enum {
NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE,
NFTNL_EXPR_MASQ_REG_PROTO_MIN,
NFTNL_EXPR_MASQ_REG_PROTO_MAX,
+ __NFTNL_EXPR_MASQ_MAX
};
enum {
NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE,
NFTNL_EXPR_REDIR_REG_PROTO_MAX,
NFTNL_EXPR_REDIR_FLAGS,
+ __NFTNL_EXPR_REDIR_MAX
};
enum {
NFTNL_EXPR_DUP_SREG_ADDR = NFTNL_EXPR_BASE,
NFTNL_EXPR_DUP_SREG_DEV,
+ __NFTNL_EXPR_DUP_MAX
};
enum {
NFTNL_EXPR_FLOW_TABLE_NAME = NFTNL_EXPR_BASE,
+ __NFTNL_EXPR_FLOW_MAX
};
enum {
NFTNL_EXPR_FWD_SREG_DEV = NFTNL_EXPR_BASE,
NFTNL_EXPR_FWD_SREG_ADDR,
NFTNL_EXPR_FWD_NFPROTO,
+ __NFTNL_EXPR_FWD_MAX
};
enum {
@@ -275,12 +306,14 @@ enum {
NFTNL_EXPR_HASH_TYPE,
NFTNL_EXPR_HASH_SET_NAME, /* deprecated */
NFTNL_EXPR_HASH_SET_ID, /* deprecated */
+ __NFTNL_EXPR_HASH_MAX
};
enum {
NFTNL_EXPR_FIB_DREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_FIB_RESULT,
NFTNL_EXPR_FIB_FLAGS,
+ __NFTNL_EXPR_FIB_MAX
};
enum {
@@ -289,12 +322,14 @@ enum {
NFTNL_EXPR_OBJREF_SET_SREG,
NFTNL_EXPR_OBJREF_SET_NAME,
NFTNL_EXPR_OBJREF_SET_ID,
+ __NFTNL_EXPR_OBJREF_MAX
};
enum {
NFTNL_EXPR_OSF_DREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_OSF_TTL,
NFTNL_EXPR_OSF_FLAGS,
+ __NFTNL_EXPR_OSF_MAX
};
enum {
@@ -303,17 +338,20 @@ enum {
NFTNL_EXPR_XFRM_KEY,
NFTNL_EXPR_XFRM_DIR,
NFTNL_EXPR_XFRM_SPNUM,
+ __NFTNL_EXPR_XFRM_MAX
};
enum {
NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE,
NFTNL_EXPR_SYNPROXY_WSCALE,
NFTNL_EXPR_SYNPROXY_FLAGS,
+ __NFTNL_EXPR_SYNPROXY_MAX
};
enum {
NFTNL_EXPR_LAST_MSECS = NFTNL_EXPR_BASE,
NFTNL_EXPR_LAST_SET,
+ __NFTNL_EXPR_LAST_MAX
};
enum {
@@ -321,6 +359,7 @@ enum {
NFTNL_EXPR_INNER_FLAGS,
NFTNL_EXPR_INNER_HDRSIZE,
NFTNL_EXPR_INNER_EXPR,
+ __NFTNL_EXPR_INNER_MAX
};
#ifdef __cplusplus
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index e5dba82..69efe1d 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -271,7 +271,7 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
struct expr_ops expr_ops_bitwise = {
.name = "bitwise",
.alloc_len = sizeof(struct nftnl_expr_bitwise),
- .max_attr = NFTA_BITWISE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1,
.set = nftnl_expr_bitwise_set,
.get = nftnl_expr_bitwise_get,
.parse = nftnl_expr_bitwise_parse,
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index 89ed0a8..f05ae59 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -215,7 +215,7 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_byteorder = {
.name = "byteorder",
.alloc_len = sizeof(struct nftnl_expr_byteorder),
- .max_attr = NFTA_BYTEORDER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1,
.set = nftnl_expr_byteorder_set,
.get = nftnl_expr_byteorder_get,
.parse = nftnl_expr_byteorder_parse,
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 1d396e8..40431fa 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -195,7 +195,7 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_cmp = {
.name = "cmp",
.alloc_len = sizeof(struct nftnl_expr_cmp),
- .max_attr = NFTA_CMP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1,
.set = nftnl_expr_cmp_set,
.get = nftnl_expr_cmp_get,
.parse = nftnl_expr_cmp_parse,
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 549417b..3b6c36c 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -130,7 +130,7 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_connlimit = {
.name = "connlimit",
.alloc_len = sizeof(struct nftnl_expr_connlimit),
- .max_attr = NFTA_CONNLIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1,
.set = nftnl_expr_connlimit_set,
.get = nftnl_expr_connlimit_get,
.parse = nftnl_expr_connlimit_parse,
diff --git a/src/expr/counter.c b/src/expr/counter.c
index d139a5f..0595d50 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -128,7 +128,7 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_counter = {
.name = "counter",
.alloc_len = sizeof(struct nftnl_expr_counter),
- .max_attr = NFTA_COUNTER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1,
.set = nftnl_expr_counter_set,
.get = nftnl_expr_counter_get,
.parse = nftnl_expr_counter_parse,
diff --git a/src/expr/ct.c b/src/expr/ct.c
index f4a2aea..36b61fd 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -253,7 +253,7 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_ct = {
.name = "ct",
.alloc_len = sizeof(struct nftnl_expr_ct),
- .max_attr = NFTA_CT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1,
.set = nftnl_expr_ct_set,
.get = nftnl_expr_ct_get,
.parse = nftnl_expr_ct_parse,
diff --git a/src/expr/dup.c b/src/expr/dup.c
index a239ff3..33731cc 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -133,7 +133,7 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_dup = {
.name = "dup",
.alloc_len = sizeof(struct nftnl_expr_dup),
- .max_attr = NFTA_DUP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1,
.set = nftnl_expr_dup_set,
.get = nftnl_expr_dup_get,
.parse = nftnl_expr_dup_parse,
diff --git a/src/expr/dynset.c b/src/expr/dynset.c
index 5bcf1c6..ee6ce1e 100644
--- a/src/expr/dynset.c
+++ b/src/expr/dynset.c
@@ -366,7 +366,7 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_dynset = {
.name = "dynset",
.alloc_len = sizeof(struct nftnl_expr_dynset),
- .max_attr = NFTA_DYNSET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1,
.init = nftnl_expr_dynset_init,
.free = nftnl_expr_dynset_free,
.set = nftnl_expr_dynset_set,
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index 739c7ff..a1227a6 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -262,7 +262,7 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_exthdr = {
.name = "exthdr",
.alloc_len = sizeof(struct nftnl_expr_exthdr),
- .max_attr = NFTA_EXTHDR_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1,
.set = nftnl_expr_exthdr_set,
.get = nftnl_expr_exthdr_get,
.parse = nftnl_expr_exthdr_parse,
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 957f929..36637bd 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -193,7 +193,7 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_fib = {
.name = "fib",
.alloc_len = sizeof(struct nftnl_expr_fib),
- .max_attr = NFTA_FIB_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1,
.set = nftnl_expr_fib_set,
.get = nftnl_expr_fib_get,
.parse = nftnl_expr_fib_parse,
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index 4fc0563..f604712 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -114,7 +114,7 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_flow = {
.name = "flow_offload",
.alloc_len = sizeof(struct nftnl_expr_flow),
- .max_attr = NFTA_FLOW_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1,
.free = nftnl_expr_flow_free,
.set = nftnl_expr_flow_set,
.get = nftnl_expr_flow_get,
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index 51f6612..3aaf328 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -153,7 +153,7 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_fwd = {
.name = "fwd",
.alloc_len = sizeof(struct nftnl_expr_fwd),
- .max_attr = NFTA_FWD_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1,
.set = nftnl_expr_fwd_set,
.get = nftnl_expr_fwd_get,
.parse = nftnl_expr_fwd_parse,
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 6e2dd19..1fc72ec 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -221,7 +221,7 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_hash = {
.name = "hash",
.alloc_len = sizeof(struct nftnl_expr_hash),
- .max_attr = NFTA_HASH_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1,
.set = nftnl_expr_hash_set,
.get = nftnl_expr_hash_get,
.parse = nftnl_expr_hash_parse,
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index f56aa8f..d60ca32 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -221,7 +221,7 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_immediate = {
.name = "immediate",
.alloc_len = sizeof(struct nftnl_expr_immediate),
- .max_attr = NFTA_IMMEDIATE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1,
.free = nftnl_expr_immediate_free,
.set = nftnl_expr_immediate_set,
.get = nftnl_expr_immediate_get,
diff --git a/src/expr/inner.c b/src/expr/inner.c
index 7daae4f..cb6f607 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -204,7 +204,7 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags,
struct expr_ops expr_ops_inner = {
.name = "inner",
.alloc_len = sizeof(struct nftnl_expr_inner),
- .max_attr = NFTA_INNER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1,
.free = nftnl_expr_inner_free,
.set = nftnl_expr_inner_set,
.get = nftnl_expr_inner_get,
diff --git a/src/expr/last.c b/src/expr/last.c
index 641b713..273aaa1 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -129,7 +129,7 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_last = {
.name = "last",
.alloc_len = sizeof(struct nftnl_expr_last),
- .max_attr = NFTA_LAST_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1,
.set = nftnl_expr_last_set,
.get = nftnl_expr_last_get,
.parse = nftnl_expr_last_parse,
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 1870e0e..a1f9eac 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -197,7 +197,7 @@ nftnl_expr_limit_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_limit = {
.name = "limit",
.alloc_len = sizeof(struct nftnl_expr_limit),
- .max_attr = NFTA_LIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1,
.set = nftnl_expr_limit_set,
.get = nftnl_expr_limit_get,
.parse = nftnl_expr_limit_parse,
diff --git a/src/expr/log.c b/src/expr/log.c
index 180d839..6df030d 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -247,7 +247,7 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_log = {
.name = "log",
.alloc_len = sizeof(struct nftnl_expr_log),
- .max_attr = NFTA_LOG_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1,
.free = nftnl_expr_log_free,
.set = nftnl_expr_log_set,
.get = nftnl_expr_log_get,
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index a06c338..8b23081 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -200,7 +200,7 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_lookup = {
.name = "lookup",
.alloc_len = sizeof(struct nftnl_expr_lookup),
- .max_attr = NFTA_LOOKUP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1,
.free = nftnl_expr_lookup_free,
.set = nftnl_expr_lookup_set,
.get = nftnl_expr_lookup_get,
diff --git a/src/expr/masq.c b/src/expr/masq.c
index e6e528d..a103cc3 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -158,7 +158,7 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_masq = {
.name = "masq",
.alloc_len = sizeof(struct nftnl_expr_masq),
- .max_attr = NFTA_MASQ_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1,
.set = nftnl_expr_masq_set,
.get = nftnl_expr_masq_get,
.parse = nftnl_expr_masq_parse,
diff --git a/src/expr/match.c b/src/expr/match.c
index f472add..eed85db 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -183,7 +183,7 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_match = {
.name = "match",
.alloc_len = sizeof(struct nftnl_expr_match),
- .max_attr = NFTA_MATCH_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1,
.free = nftnl_expr_match_free,
.set = nftnl_expr_match_set,
.get = nftnl_expr_match_get,
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 183f441..f86fdff 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -212,7 +212,7 @@ nftnl_expr_meta_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_meta = {
.name = "meta",
.alloc_len = sizeof(struct nftnl_expr_meta),
- .max_attr = NFTA_META_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1,
.set = nftnl_expr_meta_set,
.get = nftnl_expr_meta_get,
.parse = nftnl_expr_meta_parse,
diff --git a/src/expr/nat.c b/src/expr/nat.c
index ca727be..1d10bc1 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -269,7 +269,7 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_nat = {
.name = "nat",
.alloc_len = sizeof(struct nftnl_expr_nat),
- .max_attr = NFTA_NAT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1,
.set = nftnl_expr_nat_set,
.get = nftnl_expr_nat_get,
.parse = nftnl_expr_nat_parse,
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index d4020a6..3e83e05 100644
--- a/src/expr/numgen.c
+++ b/src/expr/numgen.c
@@ -175,7 +175,7 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_ng = {
.name = "numgen",
.alloc_len = sizeof(struct nftnl_expr_ng),
- .max_attr = NFTA_NG_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1,
.set = nftnl_expr_ng_set,
.get = nftnl_expr_ng_get,
.parse = nftnl_expr_ng_parse,
diff --git a/src/expr/objref.c b/src/expr/objref.c
index ad0688f..e96bd69 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -199,7 +199,7 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_objref = {
.name = "objref",
.alloc_len = sizeof(struct nftnl_expr_objref),
- .max_attr = NFTA_OBJREF_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1,
.free = nftnl_expr_objref_free,
.set = nftnl_expr_objref_set,
.get = nftnl_expr_objref_get,
diff --git a/src/expr/osf.c b/src/expr/osf.c
index f15a722..3838af7 100644
--- a/src/expr/osf.c
+++ b/src/expr/osf.c
@@ -142,7 +142,7 @@ nftnl_expr_osf_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_osf = {
.name = "osf",
.alloc_len = sizeof(struct nftnl_expr_osf),
- .max_attr = NFTA_OSF_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1,
.set = nftnl_expr_osf_set,
.get = nftnl_expr_osf_get,
.parse = nftnl_expr_osf_parse,
diff --git a/src/expr/payload.c b/src/expr/payload.c
index c633e33..f603662 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -241,7 +241,7 @@ nftnl_expr_payload_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_payload = {
.name = "payload",
.alloc_len = sizeof(struct nftnl_expr_payload),
- .max_attr = NFTA_PAYLOAD_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1,
.set = nftnl_expr_payload_set,
.get = nftnl_expr_payload_get,
.parse = nftnl_expr_payload_parse,
diff --git a/src/expr/queue.c b/src/expr/queue.c
index de287f2..fba65d1 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -188,7 +188,7 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_queue = {
.name = "queue",
.alloc_len = sizeof(struct nftnl_expr_queue),
- .max_attr = NFTA_QUEUE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1,
.set = nftnl_expr_queue_set,
.get = nftnl_expr_queue_get,
.parse = nftnl_expr_queue_parse,
diff --git a/src/expr/quota.c b/src/expr/quota.c
index 835729c..d3923f3 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -142,7 +142,7 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_quota = {
.name = "quota",
.alloc_len = sizeof(struct nftnl_expr_quota),
- .max_attr = NFTA_QUOTA_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1,
.set = nftnl_expr_quota_set,
.get = nftnl_expr_quota_get,
.parse = nftnl_expr_quota_parse,
diff --git a/src/expr/range.c b/src/expr/range.c
index 5a30e48..cb3708c 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -204,7 +204,7 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_range = {
.name = "range",
.alloc_len = sizeof(struct nftnl_expr_range),
- .max_attr = NFTA_RANGE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1,
.set = nftnl_expr_range_set,
.get = nftnl_expr_range_get,
.parse = nftnl_expr_range_parse,
diff --git a/src/expr/redir.c b/src/expr/redir.c
index 87c2acc..eca8bfe 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -162,7 +162,7 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_redir = {
.name = "redir",
.alloc_len = sizeof(struct nftnl_expr_redir),
- .max_attr = NFTA_REDIR_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1,
.set = nftnl_expr_redir_set,
.get = nftnl_expr_redir_get,
.parse = nftnl_expr_redir_parse,
diff --git a/src/expr/reject.c b/src/expr/reject.c
index c7c9441..6b923ad 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -129,7 +129,7 @@ nftnl_expr_reject_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_reject = {
.name = "reject",
.alloc_len = sizeof(struct nftnl_expr_reject),
- .max_attr = NFTA_REJECT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1,
.set = nftnl_expr_reject_set,
.get = nftnl_expr_reject_get,
.parse = nftnl_expr_reject_parse,
diff --git a/src/expr/rt.c b/src/expr/rt.c
index 695a658..aaec430 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -157,7 +157,7 @@ nftnl_expr_rt_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_rt = {
.name = "rt",
.alloc_len = sizeof(struct nftnl_expr_rt),
- .max_attr = NFTA_RT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1,
.set = nftnl_expr_rt_set,
.get = nftnl_expr_rt_get,
.parse = nftnl_expr_rt_parse,
diff --git a/src/expr/socket.c b/src/expr/socket.c
index 83045c0..ef299c4 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -160,7 +160,7 @@ nftnl_expr_socket_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_socket = {
.name = "socket",
.alloc_len = sizeof(struct nftnl_expr_socket),
- .max_attr = NFTA_SOCKET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1,
.set = nftnl_expr_socket_set,
.get = nftnl_expr_socket_get,
.parse = nftnl_expr_socket_parse,
diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
index 47fcaef..dc25962 100644
--- a/src/expr/synproxy.c
+++ b/src/expr/synproxy.c
@@ -147,7 +147,7 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_synproxy = {
.name = "synproxy",
.alloc_len = sizeof(struct nftnl_expr_synproxy),
- .max_attr = NFTA_SYNPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1,
.set = nftnl_expr_synproxy_set,
.get = nftnl_expr_synproxy_get,
.parse = nftnl_expr_synproxy_parse,
diff --git a/src/expr/target.c b/src/expr/target.c
index 2a3fe8a..ebc48ba 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -183,7 +183,7 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_target = {
.name = "target",
.alloc_len = sizeof(struct nftnl_expr_target),
- .max_attr = NFTA_TARGET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1,
.free = nftnl_expr_target_free,
.set = nftnl_expr_target_set,
.get = nftnl_expr_target_get,
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index bd5ffbf..ac5419b 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -165,7 +165,7 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_tproxy = {
.name = "tproxy",
.alloc_len = sizeof(struct nftnl_expr_tproxy),
- .max_attr = NFTA_TPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1,
.set = nftnl_expr_tproxy_set,
.get = nftnl_expr_tproxy_get,
.parse = nftnl_expr_tproxy_parse,
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index a00f620..e381994 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -140,7 +140,7 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_tunnel = {
.name = "tunnel",
.alloc_len = sizeof(struct nftnl_expr_tunnel),
- .max_attr = NFTA_TUNNEL_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1,
.set = nftnl_expr_tunnel_set,
.get = nftnl_expr_tunnel_get,
.parse = nftnl_expr_tunnel_parse,
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index 2db00d5..3f4cb0a 100644
--- a/src/expr/xfrm.c
+++ b/src/expr/xfrm.c
@@ -191,7 +191,7 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_xfrm = {
.name = "xfrm",
.alloc_len = sizeof(struct nftnl_expr_xfrm),
- .max_attr = NFTA_XFRM_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1,
.set = nftnl_expr_xfrm_set,
.get = nftnl_expr_xfrm_get,
.parse = nftnl_expr_xfrm_parse,

503
SOURCES/0008-expr-Call-expr_ops-set-with-legal-types-only.patch Normal file
View File

@ -0,0 +1,503 @@
From 3d5814d5b0a9344327509c9e3aa47ee067fe8a4d Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] expr: Call expr_ops::set with legal types only
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 5029136028bff1747860ed770994b8f494c042fc
commit 5029136028bff1747860ed770994b8f494c042fc
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Dec 13 23:49:53 2023 +0100
expr: Call expr_ops::set with legal types only
Having the new expr_ops::nftnl_max_attr field in place, the valid range
of attribute type values is known now. Reject illegal ones upfront.
Consequently drop the default case from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/expr.c | 3 +++
src/expr/bitwise.c | 2 --
src/expr/byteorder.c | 2 --
src/expr/cmp.c | 2 --
src/expr/connlimit.c | 2 --
src/expr/counter.c | 2 --
src/expr/ct.c | 2 --
src/expr/dup.c | 2 --
src/expr/exthdr.c | 2 --
src/expr/fib.c | 2 --
src/expr/flow_offload.c | 2 --
src/expr/fwd.c | 2 --
src/expr/immediate.c | 2 --
src/expr/inner.c | 2 --
src/expr/last.c | 2 --
src/expr/limit.c | 2 --
src/expr/log.c | 2 --
src/expr/lookup.c | 2 --
src/expr/masq.c | 2 --
src/expr/match.c | 2 --
src/expr/meta.c | 2 --
src/expr/nat.c | 2 --
src/expr/objref.c | 2 --
src/expr/payload.c | 2 --
src/expr/queue.c | 2 --
src/expr/quota.c | 2 --
src/expr/range.c | 2 --
src/expr/redir.c | 2 --
src/expr/reject.c | 2 --
src/expr/rt.c | 2 --
src/expr/socket.c | 2 --
src/expr/target.c | 2 --
src/expr/tproxy.c | 2 --
src/expr/tunnel.c | 2 --
34 files changed, 3 insertions(+), 66 deletions(-)
diff --git a/src/expr.c b/src/expr.c
index b4581f1..74d211b 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -71,6 +71,9 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type,
case NFTNL_EXPR_NAME: /* cannot be modified */
return 0;
default:
+ if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)
+ return -1;
+
if (expr->ops->set(expr, type, data, data_len) < 0)
return -1;
}
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 69efe1d..e219d49 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -56,8 +56,6 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
return nftnl_data_cpy(&bitwise->xor, data, data_len);
case NFTNL_EXPR_BITWISE_DATA:
return nftnl_data_cpy(&bitwise->data, data, data_len);
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index f05ae59..8c7661f 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -51,8 +51,6 @@ nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_BYTEORDER_SIZE:
memcpy(&byteorder->size, data, sizeof(byteorder->size));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 40431fa..fe6f599 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -43,8 +43,6 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
break;
case NFTNL_EXPR_CMP_DATA:
return nftnl_data_cpy(&cmp->data, data, data_len);
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 3b6c36c..90613f2 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -38,8 +38,6 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_CONNLIMIT_FLAGS:
memcpy(&connlimit->flags, data, sizeof(connlimit->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/counter.c b/src/expr/counter.c
index 0595d50..a003e24 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -40,8 +40,6 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_CTR_PACKETS:
memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/ct.c b/src/expr/ct.c
index 36b61fd..197454e 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -50,8 +50,6 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_CT_SREG:
memcpy(&ct->sreg, data, sizeof(ct->sreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/dup.c b/src/expr/dup.c
index 33731cc..20100ab 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -37,8 +37,6 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_DUP_SREG_DEV:
memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index a1227a6..77ff7db 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -66,8 +66,6 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_EXTHDR_SREG:
memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 36637bd..5d2303f 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -43,8 +43,6 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result,
case NFTNL_EXPR_FIB_FLAGS:
memcpy(&fib->flags, data, sizeof(fib->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index f604712..9ab068d 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -25,8 +25,6 @@ static int nftnl_expr_flow_set(struct nftnl_expr *e, uint16_t type,
if (!flow->table_name)
return -1;
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index 3aaf328..bd1b1d8 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -41,8 +41,6 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_FWD_NFPROTO:
memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index d60ca32..6ab8417 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -51,8 +51,6 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_IMM_CHAIN_ID:
memcpy(&imm->data.chain_id, data, sizeof(uint32_t));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/inner.c b/src/expr/inner.c
index cb6f607..515f68d 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -59,8 +59,6 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type,
inner->expr = (void *)data;
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/last.c b/src/expr/last.c
index 273aaa1..8aa772c 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -37,8 +37,6 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LAST_SET:
memcpy(&last->set, data, sizeof(last->set));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/limit.c b/src/expr/limit.c
index a1f9eac..355d46a 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -52,8 +52,6 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LIMIT_FLAGS:
memcpy(&limit->flags, data, sizeof(limit->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/log.c b/src/expr/log.c
index 6df030d..868da61 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -60,8 +60,6 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LOG_FLAGS:
memcpy(&log->flags, data, sizeof(log->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index 8b23081..ca58a38 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -53,8 +53,6 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LOOKUP_FLAGS:
memcpy(&lookup->flags, data, sizeof(lookup->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/masq.c b/src/expr/masq.c
index a103cc3..fa2f4af 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -42,8 +42,6 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/match.c b/src/expr/match.c
index eed85db..16e7367 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -55,8 +55,6 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type,
mt->data = data;
mt->data_len = data_len;
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/meta.c b/src/expr/meta.c
index f86fdff..1db2c19 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -47,8 +47,6 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_META_SREG:
memcpy(&meta->sreg, data, sizeof(meta->sreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 1d10bc1..724894a 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -62,8 +62,6 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_NAT_FLAGS:
memcpy(&nat->flags, data, sizeof(nat->flags));
break;
- default:
- return -1;
}
return 0;
diff --git a/src/expr/objref.c b/src/expr/objref.c
index e96bd69..28cd2cc 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -57,8 +57,6 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_OBJREF_SET_ID:
memcpy(&objref->set.id, data, sizeof(objref->set.id));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/payload.c b/src/expr/payload.c
index f603662..73cb188 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -66,8 +66,6 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_PAYLOAD_FLAGS:
memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/queue.c b/src/expr/queue.c
index fba65d1..3343dd4 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -45,8 +45,6 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_QUEUE_SREG_QNUM:
memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/quota.c b/src/expr/quota.c
index d3923f3..2a3a05a 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -41,8 +41,6 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_QUOTA_FLAGS:
memcpy(&quota->flags, data, sizeof(quota->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/range.c b/src/expr/range.c
index cb3708c..d0c52b9 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -43,8 +43,6 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
return nftnl_data_cpy(&range->data_from, data, data_len);
case NFTNL_EXPR_RANGE_TO_DATA:
return nftnl_data_cpy(&range->data_to, data, data_len);
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/redir.c b/src/expr/redir.c
index eca8bfe..a5a5e7d 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -42,8 +42,6 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_REDIR_FLAGS:
memcpy(&redir->flags, data, sizeof(redir->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/reject.c b/src/expr/reject.c
index 6b923ad..8a0653d 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -38,8 +38,6 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_REJECT_CODE:
memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/rt.c b/src/expr/rt.c
index aaec430..de2bd2f 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -37,8 +37,6 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_RT_DREG:
memcpy(&rt->dreg, data, sizeof(rt->dreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/socket.c b/src/expr/socket.c
index ef299c4..9b6c3ea 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -41,8 +41,6 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_SOCKET_LEVEL:
memcpy(&socket->level, data, sizeof(socket->level));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/target.c b/src/expr/target.c
index ebc48ba..cc0566c 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -55,8 +55,6 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type,
tg->data = data;
tg->data_len = data_len;
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index ac5419b..c6ed888 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -42,8 +42,6 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_TPROXY_REG_PORT:
memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port));
break;
- default:
- return -1;
}
return 0;
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index e381994..e59744b 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -36,8 +36,6 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_TUNNEL_DREG:
memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg));
break;
- default:
- return -1;
}
return 0;
}

39
SOURCES/0009-include-Sync-nf_log.h-with-kernel-headers.patch Normal file
View File

@ -0,0 +1,39 @@
From 705845a613139dd1d02a587478d8b7e93f16eecf Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] include: Sync nf_log.h with kernel headers
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 9da7658c6e25b02f7eeef936835469f4174cbfec
commit 9da7658c6e25b02f7eeef936835469f4174cbfec
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Dec 15 16:15:35 2023 +0100
include: Sync nf_log.h with kernel headers
Next patch needs NF_LOG_PREFIXLEN define.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/linux/netfilter/nf_log.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
index 8be21e0..2ae0093 100644
--- a/include/linux/netfilter/nf_log.h
+++ b/include/linux/netfilter/nf_log.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _NETFILTER_NF_LOG_H
#define _NETFILTER_NF_LOG_H
@@ -9,4 +10,6 @@
#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
#define NF_LOG_MASK 0x2f
+#define NF_LOG_PREFIXLEN 128
+
#endif /* _NETFILTER_NF_LOG_H */

989
SOURCES/0010-expr-Introduce-struct-expr_ops-attr_policy.patch Normal file
View File

@ -0,0 +1,989 @@
From 5a8aad9370b54e09411853c4022a072c9b36f189 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] expr: Introduce struct expr_ops::attr_policy
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit cdde5a8c5a8734f2d540a0ab52c32d41d4d18127
commit cdde5a8c5a8734f2d540a0ab52c32d41d4d18127
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Dec 15 16:30:52 2023 +0100
expr: Introduce struct expr_ops::attr_policy
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/expr_ops.h | 5 +++++
src/expr/bitwise.c | 11 +++++++++++
src/expr/byteorder.c | 9 +++++++++
src/expr/cmp.c | 7 +++++++
src/expr/connlimit.c | 6 ++++++
src/expr/counter.c | 6 ++++++
src/expr/ct.c | 8 ++++++++
src/expr/dup.c | 6 ++++++
src/expr/dynset.c | 13 +++++++++++++
src/expr/exthdr.c | 11 +++++++++++
src/expr/fib.c | 7 +++++++
src/expr/flow_offload.c | 5 +++++
src/expr/fwd.c | 7 +++++++
src/expr/hash.c | 11 +++++++++++
src/expr/immediate.c | 9 +++++++++
src/expr/inner.c | 8 ++++++++
src/expr/last.c | 6 ++++++
src/expr/limit.c | 9 +++++++++
src/expr/log.c | 10 ++++++++++
src/expr/lookup.c | 9 +++++++++
src/expr/masq.c | 7 +++++++
src/expr/match.c | 7 +++++++
src/expr/meta.c | 7 +++++++
src/expr/nat.c | 11 +++++++++++
src/expr/numgen.c | 8 ++++++++
src/expr/objref.c | 9 +++++++++
src/expr/osf.c | 7 +++++++
src/expr/payload.c | 12 ++++++++++++
src/expr/queue.c | 8 ++++++++
src/expr/quota.c | 7 +++++++
src/expr/range.c | 8 ++++++++
src/expr/redir.c | 7 +++++++
src/expr/reject.c | 6 ++++++
src/expr/rt.c | 6 ++++++
src/expr/socket.c | 7 +++++++
src/expr/synproxy.c | 7 +++++++
src/expr/target.c | 7 +++++++
src/expr/tproxy.c | 7 +++++++
src/expr/tunnel.c | 6 ++++++
src/expr/xfrm.c | 9 +++++++++
40 files changed, 316 insertions(+)
diff --git a/include/expr_ops.h b/include/expr_ops.h
index 51b2214..6cfb3b5 100644
--- a/include/expr_ops.h
+++ b/include/expr_ops.h
@@ -8,10 +8,15 @@ struct nlattr;
struct nlmsghdr;
struct nftnl_expr;
+struct attr_policy {
+ uint32_t maxlen;
+};
+
struct expr_ops {
const char *name;
uint32_t alloc_len;
int nftnl_max_attr;
+ struct attr_policy *attr_policy;
void (*init)(const struct nftnl_expr *e);
void (*free)(const struct nftnl_expr *e);
int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len);
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index e219d49..dab1690 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -266,10 +266,21 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
return err;
}
+static struct attr_policy bitwise_attr_policy[__NFTNL_EXPR_BITWISE_MAX] = {
+ [NFTNL_EXPR_BITWISE_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_MASK] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_BITWISE_XOR] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_BITWISE_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+};
+
struct expr_ops expr_ops_bitwise = {
.name = "bitwise",
.alloc_len = sizeof(struct nftnl_expr_bitwise),
.nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1,
+ .attr_policy = bitwise_attr_policy,
.set = nftnl_expr_bitwise_set,
.get = nftnl_expr_bitwise_get,
.parse = nftnl_expr_bitwise_parse,
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index 8c7661f..d4e85a8 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -210,10 +210,19 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy byteorder_attr_policy[__NFTNL_EXPR_BYTEORDER_MAX] = {
+ [NFTNL_EXPR_BYTEORDER_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_SIZE] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_byteorder = {
.name = "byteorder",
.alloc_len = sizeof(struct nftnl_expr_byteorder),
.nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1,
+ .attr_policy = byteorder_attr_policy,
.set = nftnl_expr_byteorder_set,
.get = nftnl_expr_byteorder_get,
.parse = nftnl_expr_byteorder_parse,
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index fe6f599..2937d7e 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -190,10 +190,17 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy cmp_attr_policy[__NFTNL_EXPR_CMP_MAX] = {
+ [NFTNL_EXPR_CMP_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CMP_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CMP_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }
+};
+
struct expr_ops expr_ops_cmp = {
.name = "cmp",
.alloc_len = sizeof(struct nftnl_expr_cmp),
.nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1,
+ .attr_policy = cmp_attr_policy,
.set = nftnl_expr_cmp_set,
.get = nftnl_expr_cmp_get,
.parse = nftnl_expr_cmp_parse,
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 90613f2..1c78c71 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -125,10 +125,16 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len,
connlimit->count, connlimit->flags);
}
+static struct attr_policy connlimit_attr_policy[__NFTNL_EXPR_CONNLIMIT_MAX] = {
+ [NFTNL_EXPR_CONNLIMIT_COUNT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CONNLIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_connlimit = {
.name = "connlimit",
.alloc_len = sizeof(struct nftnl_expr_connlimit),
.nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1,
+ .attr_policy = connlimit_attr_policy,
.set = nftnl_expr_connlimit_set,
.get = nftnl_expr_connlimit_get,
.parse = nftnl_expr_connlimit_parse,
diff --git a/src/expr/counter.c b/src/expr/counter.c
index a003e24..2c6f2a7 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -123,10 +123,16 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len,
ctr->pkts, ctr->bytes);
}
+static struct attr_policy counter_attr_policy[__NFTNL_EXPR_CTR_MAX] = {
+ [NFTNL_EXPR_CTR_PACKETS] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_CTR_BYTES] = { .maxlen = sizeof(uint64_t) },
+};
+
struct expr_ops expr_ops_counter = {
.name = "counter",
.alloc_len = sizeof(struct nftnl_expr_counter),
.nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1,
+ .attr_policy = counter_attr_policy,
.set = nftnl_expr_counter_set,
.get = nftnl_expr_counter_get,
.parse = nftnl_expr_counter_parse,
diff --git a/src/expr/ct.c b/src/expr/ct.c
index 197454e..f7dd40d 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -248,10 +248,18 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy ct_attr_policy[__NFTNL_EXPR_CT_MAX] = {
+ [NFTNL_EXPR_CT_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CT_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CT_DIR] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_CT_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_ct = {
.name = "ct",
.alloc_len = sizeof(struct nftnl_expr_ct),
.nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1,
+ .attr_policy = ct_attr_policy,
.set = nftnl_expr_ct_set,
.get = nftnl_expr_ct_get,
.parse = nftnl_expr_ct_parse,
diff --git a/src/expr/dup.c b/src/expr/dup.c
index 20100ab..6a5e4ca 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -128,10 +128,16 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy dup_attr_policy[__NFTNL_EXPR_DUP_MAX] = {
+ [NFTNL_EXPR_DUP_SREG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DUP_SREG_DEV] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_dup = {
.name = "dup",
.alloc_len = sizeof(struct nftnl_expr_dup),
.nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1,
+ .attr_policy = dup_attr_policy,
.set = nftnl_expr_dup_set,
.get = nftnl_expr_dup_get,
.parse = nftnl_expr_dup_parse,
diff --git a/src/expr/dynset.c b/src/expr/dynset.c
index ee6ce1e..c1f79b5 100644
--- a/src/expr/dynset.c
+++ b/src/expr/dynset.c
@@ -363,10 +363,23 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e)
nftnl_expr_free(expr);
}
+static struct attr_policy dynset_attr_policy[__NFTNL_EXPR_DYNSET_MAX] = {
+ [NFTNL_EXPR_DYNSET_SREG_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_SREG_DATA] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_TIMEOUT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_DYNSET_SET_NAME] = { .maxlen = NFT_SET_MAXNAMELEN },
+ [NFTNL_EXPR_DYNSET_SET_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_EXPR] = { .maxlen = 0 },
+ [NFTNL_EXPR_DYNSET_EXPRESSIONS] = { .maxlen = 0 },
+ [NFTNL_EXPR_DYNSET_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_dynset = {
.name = "dynset",
.alloc_len = sizeof(struct nftnl_expr_dynset),
.nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1,
+ .attr_policy = dynset_attr_policy,
.init = nftnl_expr_dynset_init,
.free = nftnl_expr_dynset_free,
.set = nftnl_expr_dynset_set,
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index 77ff7db..93b7521 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -257,10 +257,21 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len,
}
+static struct attr_policy exthdr_attr_policy[__NFTNL_EXPR_EXTHDR_MAX] = {
+ [NFTNL_EXPR_EXTHDR_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_TYPE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_EXTHDR_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_exthdr = {
.name = "exthdr",
.alloc_len = sizeof(struct nftnl_expr_exthdr),
.nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1,
+ .attr_policy = exthdr_attr_policy,
.set = nftnl_expr_exthdr_set,
.get = nftnl_expr_exthdr_get,
.parse = nftnl_expr_exthdr_parse,
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 5d2303f..5f7bef4 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -188,10 +188,17 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy fib_attr_policy[__NFTNL_EXPR_FIB_MAX] = {
+ [NFTNL_EXPR_FIB_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FIB_RESULT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FIB_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_fib = {
.name = "fib",
.alloc_len = sizeof(struct nftnl_expr_fib),
.nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1,
+ .attr_policy = fib_attr_policy,
.set = nftnl_expr_fib_set,
.get = nftnl_expr_fib_get,
.parse = nftnl_expr_fib_parse,
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index 9ab068d..5f209a6 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -109,10 +109,15 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e)
xfree(flow->table_name);
}
+static struct attr_policy flow_offload_attr_policy[__NFTNL_EXPR_FLOW_MAX] = {
+ [NFTNL_EXPR_FLOW_TABLE_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+};
+
struct expr_ops expr_ops_flow = {
.name = "flow_offload",
.alloc_len = sizeof(struct nftnl_expr_flow),
.nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1,
+ .attr_policy = flow_offload_attr_policy,
.free = nftnl_expr_flow_free,
.set = nftnl_expr_flow_set,
.get = nftnl_expr_flow_get,
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index bd1b1d8..566d6f4 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -148,10 +148,17 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy fwd_attr_policy[__NFTNL_EXPR_FWD_MAX] = {
+ [NFTNL_EXPR_FWD_SREG_DEV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FWD_SREG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FWD_NFPROTO] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_fwd = {
.name = "fwd",
.alloc_len = sizeof(struct nftnl_expr_fwd),
.nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1,
+ .attr_policy = fwd_attr_policy,
.set = nftnl_expr_fwd_set,
.get = nftnl_expr_fwd_get,
.parse = nftnl_expr_fwd_parse,
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 1fc72ec..4cd9006 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -218,10 +218,21 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy hash_attr_policy[__NFTNL_EXPR_HASH_MAX] = {
+ [NFTNL_EXPR_HASH_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_MODULUS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_SEED] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_TYPE] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_hash = {
.name = "hash",
.alloc_len = sizeof(struct nftnl_expr_hash),
.nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1,
+ .attr_policy = hash_attr_policy,
.set = nftnl_expr_hash_set,
.get = nftnl_expr_hash_get,
.parse = nftnl_expr_hash_parse,
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index 6ab8417..8645ab3 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -216,10 +216,19 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e)
nftnl_free_verdict(&imm->data);
}
+static struct attr_policy immediate_attr_policy[__NFTNL_EXPR_IMM_MAX] = {
+ [NFTNL_EXPR_IMM_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_IMM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_IMM_VERDICT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN },
+ [NFTNL_EXPR_IMM_CHAIN_ID] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_immediate = {
.name = "immediate",
.alloc_len = sizeof(struct nftnl_expr_immediate),
.nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1,
+ .attr_policy = immediate_attr_policy,
.free = nftnl_expr_immediate_free,
.set = nftnl_expr_immediate_set,
.get = nftnl_expr_immediate_get,
diff --git a/src/expr/inner.c b/src/expr/inner.c
index 515f68d..45ef4fb 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -199,10 +199,18 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags,
return offset;
}
+static struct attr_policy inner_attr_policy[__NFTNL_EXPR_INNER_MAX] = {
+ [NFTNL_EXPR_INNER_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_HDRSIZE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_EXPR] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_inner = {
.name = "inner",
.alloc_len = sizeof(struct nftnl_expr_inner),
.nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1,
+ .attr_policy = inner_attr_policy,
.free = nftnl_expr_inner_free,
.set = nftnl_expr_inner_set,
.get = nftnl_expr_inner_get,
diff --git a/src/expr/last.c b/src/expr/last.c
index 8aa772c..074f463 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -124,10 +124,16 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len,
return snprintf(buf, len, "%"PRIu64" ", last->msecs);
}
+static struct attr_policy last_attr_policy[__NFTNL_EXPR_LAST_MAX] = {
+ [NFTNL_EXPR_LAST_MSECS] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LAST_SET] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_last = {
.name = "last",
.alloc_len = sizeof(struct nftnl_expr_last),
.nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1,
+ .attr_policy = last_attr_policy,
.set = nftnl_expr_last_set,
.get = nftnl_expr_last_get,
.parse = nftnl_expr_last_parse,
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 355d46a..935d449 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -192,10 +192,19 @@ nftnl_expr_limit_snprintf(char *buf, size_t len,
limit_to_type(limit->type), limit->flags);
}
+static struct attr_policy limit_attr_policy[__NFTNL_EXPR_LIMIT_MAX] = {
+ [NFTNL_EXPR_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_limit = {
.name = "limit",
.alloc_len = sizeof(struct nftnl_expr_limit),
.nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1,
+ .attr_policy = limit_attr_policy,
.set = nftnl_expr_limit_set,
.get = nftnl_expr_limit_get,
.parse = nftnl_expr_limit_parse,
diff --git a/src/expr/log.c b/src/expr/log.c
index 868da61..d6d6910 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -242,10 +242,20 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e)
xfree(log->prefix);
}
+static struct attr_policy log_attr_policy[__NFTNL_EXPR_LOG_MAX] = {
+ [NFTNL_EXPR_LOG_PREFIX] = { .maxlen = NF_LOG_PREFIXLEN },
+ [NFTNL_EXPR_LOG_GROUP] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_LOG_SNAPLEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOG_QTHRESHOLD] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_LOG_LEVEL] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOG_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_log = {
.name = "log",
.alloc_len = sizeof(struct nftnl_expr_log),
.nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1,
+ .attr_policy = log_attr_policy,
.free = nftnl_expr_log_free,
.set = nftnl_expr_log_set,
.get = nftnl_expr_log_get,
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index ca58a38..be04528 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -195,10 +195,19 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e)
xfree(lookup->set_name);
}
+static struct attr_policy lookup_attr_policy[__NFTNL_EXPR_LOOKUP_MAX] = {
+ [NFTNL_EXPR_LOOKUP_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_SET] = { .maxlen = NFT_SET_MAXNAMELEN },
+ [NFTNL_EXPR_LOOKUP_SET_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_lookup = {
.name = "lookup",
.alloc_len = sizeof(struct nftnl_expr_lookup),
.nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1,
+ .attr_policy = lookup_attr_policy,
.free = nftnl_expr_lookup_free,
.set = nftnl_expr_lookup_set,
.get = nftnl_expr_lookup_get,
diff --git a/src/expr/masq.c b/src/expr/masq.c
index fa2f4af..4be5a9c 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -153,10 +153,17 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy masq_attr_policy[__NFTNL_EXPR_MASQ_MAX] = {
+ [NFTNL_EXPR_MASQ_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MASQ_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MASQ_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_masq = {
.name = "masq",
.alloc_len = sizeof(struct nftnl_expr_masq),
.nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1,
+ .attr_policy = masq_attr_policy,
.set = nftnl_expr_masq_set,
.get = nftnl_expr_masq_get,
.parse = nftnl_expr_masq_parse,
diff --git a/src/expr/match.c b/src/expr/match.c
index 16e7367..68288dc 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -178,10 +178,17 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e)
xfree(match->data);
}
+static struct attr_policy match_attr_policy[__NFTNL_EXPR_MT_MAX] = {
+ [NFTNL_EXPR_MT_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN },
+ [NFTNL_EXPR_MT_REV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MT_INFO] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_match = {
.name = "match",
.alloc_len = sizeof(struct nftnl_expr_match),
.nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1,
+ .attr_policy = match_attr_policy,
.free = nftnl_expr_match_free,
.set = nftnl_expr_match_set,
.get = nftnl_expr_match_get,
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 1db2c19..cd49c34 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -207,10 +207,17 @@ nftnl_expr_meta_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy meta_attr_policy[__NFTNL_EXPR_META_MAX] = {
+ [NFTNL_EXPR_META_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_META_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_META_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_meta = {
.name = "meta",
.alloc_len = sizeof(struct nftnl_expr_meta),
.nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1,
+ .attr_policy = meta_attr_policy,
.set = nftnl_expr_meta_set,
.get = nftnl_expr_meta_get,
.parse = nftnl_expr_meta_parse,
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 724894a..f3f8644 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -264,10 +264,21 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy nat_attr_policy[__NFTNL_EXPR_NAT_MAX] = {
+ [NFTNL_EXPR_NAT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_FAMILY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_ADDR_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_ADDR_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_nat = {
.name = "nat",
.alloc_len = sizeof(struct nftnl_expr_nat),
.nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1,
+ .attr_policy = nat_attr_policy,
.set = nftnl_expr_nat_set,
.get = nftnl_expr_nat_get,
.parse = nftnl_expr_nat_parse,
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index 3e83e05..c5e8772 100644
--- a/src/expr/numgen.c
+++ b/src/expr/numgen.c
@@ -172,10 +172,18 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy numgen_attr_policy[__NFTNL_EXPR_NG_MAX] = {
+ [NFTNL_EXPR_NG_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_MODULUS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_OFFSET] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_ng = {
.name = "numgen",
.alloc_len = sizeof(struct nftnl_expr_ng),
.nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1,
+ .attr_policy = numgen_attr_policy,
.set = nftnl_expr_ng_set,
.get = nftnl_expr_ng_get,
.parse = nftnl_expr_ng_parse,
diff --git a/src/expr/objref.c b/src/expr/objref.c
index 28cd2cc..59e1ddd 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -194,10 +194,19 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e)
xfree(objref->set.name);
}
+static struct attr_policy objref_attr_policy[__NFTNL_EXPR_OBJREF_MAX] = {
+ [NFTNL_EXPR_OBJREF_IMM_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OBJREF_IMM_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+ [NFTNL_EXPR_OBJREF_SET_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OBJREF_SET_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+ [NFTNL_EXPR_OBJREF_SET_ID] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_objref = {
.name = "objref",
.alloc_len = sizeof(struct nftnl_expr_objref),
.nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1,
+ .attr_policy = objref_attr_policy,
.free = nftnl_expr_objref_free,
.set = nftnl_expr_objref_set,
.get = nftnl_expr_objref_get,
diff --git a/src/expr/osf.c b/src/expr/osf.c
index 3838af7..1e4ceb0 100644
--- a/src/expr/osf.c
+++ b/src/expr/osf.c
@@ -139,10 +139,17 @@ nftnl_expr_osf_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy osf_attr_policy[__NFTNL_EXPR_OSF_MAX] = {
+ [NFTNL_EXPR_OSF_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OSF_TTL] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_OSF_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_osf = {
.name = "osf",
.alloc_len = sizeof(struct nftnl_expr_osf),
.nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1,
+ .attr_policy = osf_attr_policy,
.set = nftnl_expr_osf_set,
.get = nftnl_expr_osf_get,
.parse = nftnl_expr_osf_parse,
diff --git a/src/expr/payload.c b/src/expr/payload.c
index 73cb188..76d38f7 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -236,10 +236,22 @@ nftnl_expr_payload_snprintf(char *buf, size_t len,
payload->offset, payload->dreg);
}
+static struct attr_policy payload_attr_policy[__NFTNL_EXPR_PAYLOAD_MAX] = {
+ [NFTNL_EXPR_PAYLOAD_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_BASE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_CSUM_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_CSUM_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_payload = {
.name = "payload",
.alloc_len = sizeof(struct nftnl_expr_payload),
.nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1,
+ .attr_policy = payload_attr_policy,
.set = nftnl_expr_payload_set,
.get = nftnl_expr_payload_get,
.parse = nftnl_expr_payload_parse,
diff --git a/src/expr/queue.c b/src/expr/queue.c
index 3343dd4..54792ef 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -183,10 +183,18 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy queue_attr_policy[__NFTNL_EXPR_QUEUE_MAX] = {
+ [NFTNL_EXPR_QUEUE_NUM] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_TOTAL] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_FLAGS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_SREG_QNUM] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_queue = {
.name = "queue",
.alloc_len = sizeof(struct nftnl_expr_queue),
.nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1,
+ .attr_policy = queue_attr_policy,
.set = nftnl_expr_queue_set,
.get = nftnl_expr_queue_get,
.parse = nftnl_expr_queue_parse,
diff --git a/src/expr/quota.c b/src/expr/quota.c
index 2a3a05a..60631fe 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -137,10 +137,17 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len,
quota->bytes, quota->consumed, quota->flags);
}
+static struct attr_policy quota_attr_policy[__NFTNL_EXPR_QUOTA_MAX] = {
+ [NFTNL_EXPR_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) },
+};
+
struct expr_ops expr_ops_quota = {
.name = "quota",
.alloc_len = sizeof(struct nftnl_expr_quota),
.nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1,
+ .attr_policy = quota_attr_policy,
.set = nftnl_expr_quota_set,
.get = nftnl_expr_quota_get,
.parse = nftnl_expr_quota_parse,
diff --git a/src/expr/range.c b/src/expr/range.c
index d0c52b9..6310b79 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -199,10 +199,18 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy range_attr_policy[__NFTNL_EXPR_RANGE_MAX] = {
+ [NFTNL_EXPR_RANGE_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RANGE_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RANGE_FROM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_RANGE_TO_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+};
+
struct expr_ops expr_ops_range = {
.name = "range",
.alloc_len = sizeof(struct nftnl_expr_range),
.nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1,
+ .attr_policy = range_attr_policy,
.set = nftnl_expr_range_set,
.get = nftnl_expr_range_get,
.parse = nftnl_expr_range_parse,
diff --git a/src/expr/redir.c b/src/expr/redir.c
index a5a5e7d..69095bd 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -157,10 +157,17 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy redir_attr_policy[__NFTNL_EXPR_REDIR_MAX] = {
+ [NFTNL_EXPR_REDIR_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REDIR_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REDIR_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_redir = {
.name = "redir",
.alloc_len = sizeof(struct nftnl_expr_redir),
.nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1,
+ .attr_policy = redir_attr_policy,
.set = nftnl_expr_redir_set,
.get = nftnl_expr_redir_get,
.parse = nftnl_expr_redir_parse,
diff --git a/src/expr/reject.c b/src/expr/reject.c
index 8a0653d..f97011a 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -124,10 +124,16 @@ nftnl_expr_reject_snprintf(char *buf, size_t len,
reject->type, reject->icmp_code);
}
+static struct attr_policy reject_attr_policy[__NFTNL_EXPR_REJECT_MAX] = {
+ [NFTNL_EXPR_REJECT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REJECT_CODE] = { .maxlen = sizeof(uint8_t) },
+};
+
struct expr_ops expr_ops_reject = {
.name = "reject",
.alloc_len = sizeof(struct nftnl_expr_reject),
.nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1,
+ .attr_policy = reject_attr_policy,
.set = nftnl_expr_reject_set,
.get = nftnl_expr_reject_get,
.parse = nftnl_expr_reject_parse,
diff --git a/src/expr/rt.c b/src/expr/rt.c
index de2bd2f..0ab2556 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -152,10 +152,16 @@ nftnl_expr_rt_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy rt_attr_policy[__NFTNL_EXPR_RT_MAX] = {
+ [NFTNL_EXPR_RT_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RT_DREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_rt = {
.name = "rt",
.alloc_len = sizeof(struct nftnl_expr_rt),
.nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1,
+ .attr_policy = rt_attr_policy,
.set = nftnl_expr_rt_set,
.get = nftnl_expr_rt_get,
.parse = nftnl_expr_rt_parse,
diff --git a/src/expr/socket.c b/src/expr/socket.c
index 9b6c3ea..d0d8e23 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -155,10 +155,17 @@ nftnl_expr_socket_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy socket_attr_policy[__NFTNL_EXPR_SOCKET_MAX] = {
+ [NFTNL_EXPR_SOCKET_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_SOCKET_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_SOCKET_LEVEL] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_socket = {
.name = "socket",
.alloc_len = sizeof(struct nftnl_expr_socket),
.nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1,
+ .attr_policy = socket_attr_policy,
.set = nftnl_expr_socket_set,
.get = nftnl_expr_socket_get,
.parse = nftnl_expr_socket_parse,
diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
index dc25962..898d292 100644
--- a/src/expr/synproxy.c
+++ b/src/expr/synproxy.c
@@ -144,10 +144,17 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy synproxy_attr_policy[__NFTNL_EXPR_SYNPROXY_MAX] = {
+ [NFTNL_EXPR_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_synproxy = {
.name = "synproxy",
.alloc_len = sizeof(struct nftnl_expr_synproxy),
.nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1,
+ .attr_policy = synproxy_attr_policy,
.set = nftnl_expr_synproxy_set,
.get = nftnl_expr_synproxy_get,
.parse = nftnl_expr_synproxy_parse,
diff --git a/src/expr/target.c b/src/expr/target.c
index cc0566c..9bfd25b 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -178,10 +178,17 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e)
xfree(target->data);
}
+static struct attr_policy target_attr_policy[__NFTNL_EXPR_TG_MAX] = {
+ [NFTNL_EXPR_TG_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN },
+ [NFTNL_EXPR_TG_REV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TG_INFO] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_target = {
.name = "target",
.alloc_len = sizeof(struct nftnl_expr_target),
.nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1,
+ .attr_policy = target_attr_policy,
.free = nftnl_expr_target_free,
.set = nftnl_expr_target_set,
.get = nftnl_expr_target_get,
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index c6ed888..4948392 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -160,10 +160,17 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy tproxy_attr_policy[__NFTNL_EXPR_TPROXY_MAX] = {
+ [NFTNL_EXPR_TPROXY_FAMILY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TPROXY_REG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TPROXY_REG_PORT] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_tproxy = {
.name = "tproxy",
.alloc_len = sizeof(struct nftnl_expr_tproxy),
.nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1,
+ .attr_policy = tproxy_attr_policy,
.set = nftnl_expr_tproxy_set,
.get = nftnl_expr_tproxy_get,
.parse = nftnl_expr_tproxy_parse,
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index e59744b..8089d0b 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -135,10 +135,16 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy tunnel_attr_policy[__NFTNL_EXPR_TUNNEL_MAX] = {
+ [NFTNL_EXPR_TUNNEL_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TUNNEL_DREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_tunnel = {
.name = "tunnel",
.alloc_len = sizeof(struct nftnl_expr_tunnel),
.nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1,
+ .attr_policy = tunnel_attr_policy,
.set = nftnl_expr_tunnel_set,
.get = nftnl_expr_tunnel_get,
.parse = nftnl_expr_tunnel_parse,
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index 3f4cb0a..dc867a2 100644
--- a/src/expr/xfrm.c
+++ b/src/expr/xfrm.c
@@ -188,10 +188,19 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy xfrm_attr_policy[__NFTNL_EXPR_XFRM_MAX] = {
+ [NFTNL_EXPR_XFRM_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 },
+ [NFTNL_EXPR_XFRM_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_XFRM_DIR] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_XFRM_SPNUM] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_xfrm = {
.name = "xfrm",
.alloc_len = sizeof(struct nftnl_expr_xfrm),
.nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1,
+ .attr_policy = xfrm_attr_policy,
.set = nftnl_expr_xfrm_set,
.get = nftnl_expr_xfrm_get,
.parse = nftnl_expr_xfrm_parse,

48
SOURCES/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch Normal file
View File

@ -0,0 +1,48 @@
From 244e36b93c9271e3dc9d4bbce5fa395f1db7e376 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] expr: Enforce attr_policy compliance in nftnl_expr_set()
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 62db596bf1f3dabffac3e0b9b0c3db487bfff828
commit 62db596bf1f3dabffac3e0b9b0c3db487bfff828
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Dec 15 16:32:30 2023 +0100
expr: Enforce attr_policy compliance in nftnl_expr_set()
Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.
Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO )
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero
maxlen "nop" is also used for deprecated attributes, just to not
silently ignore them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/expr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/expr.c b/src/expr.c
index 74d211b..4e32189 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -74,6 +74,13 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type,
if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)
return -1;
+ if (!expr->ops->attr_policy)
+ return -1;
+
+ if (expr->ops->attr_policy[type].maxlen &&
+ expr->ops->attr_policy[type].maxlen < data_len)
+ return -1;
+
if (expr->ops->set(expr, type, data, data_len) < 0)
return -1;
}

34
SOURCES/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch Normal file
View File

@ -0,0 +1,34 @@
From d1ee302a2805a06e1d016a2f6c6c856df5c925b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] chain: Validate NFTNL_CHAIN_USE, too
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 104b83489d96642752e774c59e54e816dee85f26
commit 104b83489d96642752e774c59e54e816dee85f26
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 17:22:14 2024 +0100
chain: Validate NFTNL_CHAIN_USE, too
Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/chain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/chain.c b/src/chain.c
index dcfcd04..e0b1eaf 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -196,6 +196,7 @@ static uint32_t nftnl_chain_validate[NFTNL_CHAIN_MAX + 1] = {
[NFTNL_CHAIN_HOOKNUM] = sizeof(uint32_t),
[NFTNL_CHAIN_PRIO] = sizeof(int32_t),
[NFTNL_CHAIN_POLICY] = sizeof(uint32_t),
+ [NFTNL_CHAIN_USE] = sizeof(uint32_t),
[NFTNL_CHAIN_BYTES] = sizeof(uint64_t),
[NFTNL_CHAIN_PACKETS] = sizeof(uint64_t),
[NFTNL_CHAIN_HANDLE] = sizeof(uint64_t),

34
SOURCES/0013-table-Validate-NFTNL_TABLE_USE-too.patch Normal file
View File

@ -0,0 +1,34 @@
From aff3c03195ad34f4bc8d59ab031cd3ad5ba18f1b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] table: Validate NFTNL_TABLE_USE, too
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 8d3ed0716c619213916140e1ea42945f5202ea5c
commit 8d3ed0716c619213916140e1ea42945f5202ea5c
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 17:25:05 2024 +0100
table: Validate NFTNL_TABLE_USE, too
Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/table.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/table.c b/src/table.c
index 59e7053..4a439ff 100644
--- a/src/table.c
+++ b/src/table.c
@@ -88,6 +88,7 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = {
[NFTNL_TABLE_FLAGS] = sizeof(uint32_t),
[NFTNL_TABLE_FAMILY] = sizeof(uint32_t),
[NFTNL_TABLE_HANDLE] = sizeof(uint64_t),
+ [NFTNL_TABLE_USE] = sizeof(uint32_t),
};
EXPORT_SYMBOL(nftnl_table_set_data);

34
SOURCES/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch Normal file
View File

@ -0,0 +1,34 @@
From e0cfd83bb9e083dcb81cb1b94f8b5de5c5eb5a4d Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] flowtable: Validate NFTNL_FLOWTABLE_SIZE, too
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit b8a502b359221c6fb9c35618550364e2ebf116fb
commit b8a502b359221c6fb9c35618550364e2ebf116fb
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 17:26:33 2024 +0100
flowtable: Validate NFTNL_FLOWTABLE_SIZE, too
Fixes: cdaea7f1ced05 ("flowtable: allow to specify size")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/flowtable.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flowtable.c b/src/flowtable.c
index e6c2475..2f37cd4 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -102,6 +102,7 @@ static uint32_t nftnl_flowtable_validate[NFTNL_FLOWTABLE_MAX + 1] = {
[NFTNL_FLOWTABLE_HOOKNUM] = sizeof(uint32_t),
[NFTNL_FLOWTABLE_PRIO] = sizeof(int32_t),
[NFTNL_FLOWTABLE_FAMILY] = sizeof(uint32_t),
+ [NFTNL_FLOWTABLE_SIZE] = sizeof(uint32_t),
[NFTNL_FLOWTABLE_FLAGS] = sizeof(uint32_t),
[NFTNL_FLOWTABLE_HANDLE] = sizeof(uint64_t),
};

34
SOURCES/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch Normal file
View File

@ -0,0 +1,34 @@
From 5aca5c8f50c96303530bc7e3fdd16e20a683e1eb Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] obj: Validate NFTNL_OBJ_TYPE, too
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 899920d66b7b2a11c381a95a65b059ff12b9afd6
commit 899920d66b7b2a11c381a95a65b059ff12b9afd6
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 17:28:15 2024 +0100
obj: Validate NFTNL_OBJ_TYPE, too
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/object.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/object.c b/src/object.c
index 232b97a..f498138 100644
--- a/src/object.c
+++ b/src/object.c
@@ -70,6 +70,7 @@ bool nftnl_obj_is_set(const struct nftnl_obj *obj, uint16_t attr)
}
static uint32_t nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = {
+ [NFTNL_OBJ_TYPE] = sizeof(uint32_t),
[NFTNL_OBJ_FAMILY] = sizeof(uint32_t),
[NFTNL_OBJ_USE] = sizeof(uint32_t),
[NFTNL_OBJ_HANDLE] = sizeof(uint64_t),

34
SOURCES/0016-set-Validate-NFTNL_SET_ID-too.patch Normal file
View File

@ -0,0 +1,34 @@
From 5825541216d49668aa7d19fdffc4f5519e2f5ff0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] set: Validate NFTNL_SET_ID, too
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit a9b4d07dfab235324d2efbaa242fcc5ed5efe4c1
commit a9b4d07dfab235324d2efbaa242fcc5ed5efe4c1
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 17:29:51 2024 +0100
set: Validate NFTNL_SET_ID, too
Fixes: 26298a9ffc2e2 ("set: add set ID support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/set.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/set.c b/src/set.c
index b51ff9e..a732bc0 100644
--- a/src/set.c
+++ b/src/set.c
@@ -128,6 +128,7 @@ static uint32_t nftnl_set_validate[NFTNL_SET_MAX + 1] = {
[NFTNL_SET_DATA_LEN] = sizeof(uint32_t),
[NFTNL_SET_OBJ_TYPE] = sizeof(uint32_t),
[NFTNL_SET_FAMILY] = sizeof(uint32_t),
+ [NFTNL_SET_ID] = sizeof(uint32_t),
[NFTNL_SET_POLICY] = sizeof(uint32_t),
[NFTNL_SET_DESC_SIZE] = sizeof(uint32_t),
[NFTNL_SET_TIMEOUT] = sizeof(uint64_t),

34
SOURCES/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch Normal file
View File

@ -0,0 +1,34 @@
From 63318c4320c8ad0670409cbabc7e97b05f85add4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] table: Validate NFTNL_TABLE_OWNER, too
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 08c9cab3352402c1a7d7952d1a2ce0a051f48b14
commit 08c9cab3352402c1a7d7952d1a2ce0a051f48b14
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 17:30:30 2024 +0100
table: Validate NFTNL_TABLE_OWNER, too
Fixes: 985955fe41f53 ("table: add table owner support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/table.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/table.c b/src/table.c
index 4a439ff..4f48e8c 100644
--- a/src/table.c
+++ b/src/table.c
@@ -89,6 +89,7 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = {
[NFTNL_TABLE_FAMILY] = sizeof(uint32_t),
[NFTNL_TABLE_HANDLE] = sizeof(uint64_t),
[NFTNL_TABLE_USE] = sizeof(uint32_t),
+ [NFTNL_TABLE_OWNER] = sizeof(uint32_t),
};
EXPORT_SYMBOL(nftnl_table_set_data);

38
SOURCES/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch Normal file
View File

@ -0,0 +1,38 @@
From eaa75e076e56224f0d3946a65565a3f72503f091 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] obj: Do not call nftnl_obj_set_data() with zero data_len
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit a113d1ffb6405407d98430807f3534e64a71837e
commit a113d1ffb6405407d98430807f3534e64a71837e
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 16:44:34 2024 +0100
obj: Do not call nftnl_obj_set_data() with zero data_len
Pass 'strlen() + 1' as length parameter when setting string attributes,
just like other string setters do.
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/object.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/object.c b/src/object.c
index f498138..e94236e 100644
--- a/src/object.c
+++ b/src/object.c
@@ -157,7 +157,7 @@ void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
EXPORT_SYMBOL(nftnl_obj_set_str);
void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
{
- nftnl_obj_set_data(obj, attr, str, 0);
+ nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
}
EXPORT_SYMBOL(nftnl_obj_get_data);

47
SOURCES/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch Normal file
View File

@ -0,0 +1,47 @@
From 1b3d689b39b1a43038c8872d80154ae1554304ca Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] obj: synproxy: Use memcpy() to handle potentially unaligned
data
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 721fe5702591d94b6dde1a2cc368986fb70626a8
commit 721fe5702591d94b6dde1a2cc368986fb70626a8
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 14:16:05 2024 +0100
obj: synproxy: Use memcpy() to handle potentially unaligned data
Analogous to commit dc240913458d5 ("src: Use memcpy() to handle
potentially unaligned data").
Fixes: 609a13fc2999e ("src: synproxy stateful object support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/obj/synproxy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
index baef5c2..4ef97ec 100644
--- a/src/obj/synproxy.c
+++ b/src/obj/synproxy.c
@@ -19,13 +19,13 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_SYNPROXY_MSS:
- synproxy->mss = *((uint16_t *)data);
+ memcpy(&synproxy->mss, data, data_len);
break;
case NFTNL_OBJ_SYNPROXY_WSCALE:
- synproxy->wscale = *((uint8_t *)data);
+ memcpy(&synproxy->wscale, data, data_len);
break;
case NFTNL_OBJ_SYNPROXY_FLAGS:
- synproxy->flags = *((uint32_t *)data);
+ memcpy(&synproxy->flags, data, data_len);
break;
default:
return -1;

49
SOURCES/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch Normal file
View File

@ -0,0 +1,49 @@
From c0bdff70b2188ee6ab9375333cdaac39abfaeb8c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] utils: Fix for wrong variable use in nftnl_assert_validate()
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 8b9b16b3658ed035523156198798b5f29c808c78
commit 8b9b16b3658ed035523156198798b5f29c808c78
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 13:59:00 2024 +0100
utils: Fix for wrong variable use in nftnl_assert_validate()
This worked by accident as all callers passed a local variable 'attr' as
parameter '_attr'.
Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/utils.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/utils.h b/include/utils.h
index 8af5a8e..ca12d25 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -37,9 +37,9 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line);
#define nftnl_assert_validate(data, _validate_array, _attr, _data_len) \
({ \
if (!data) \
- __nftnl_assert_fail(attr, __FILE__, __LINE__); \
+ __nftnl_assert_fail(_attr, __FILE__, __LINE__); \
if (_validate_array[_attr]) \
- nftnl_assert(data, attr, _validate_array[_attr] == _data_len); \
+ nftnl_assert(data, _attr, _validate_array[_attr] == _data_len); \
})
void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max,
@@ -98,4 +98,7 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type,
uint32_t cmd, uint32_t type,
uint32_t flags));
+int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
+ uint16_t attr, const void *data, uint32_t data_len);
+
#endif

116
SOURCES/0021-object-getters-take-const-struct.patch Normal file
View File

@ -0,0 +1,116 @@
From 85918467438e340b81386b9cc709ba6e88ff860b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:40 +0200
Subject: [PATCH] object: getters take const struct
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit ff117f50d2f99c03a65b4952b1a6988a8adc700f
commit ff117f50d2f99c03a65b4952b1a6988a8adc700f
Author: corubba <corubba@gmx.de>
Date: Sat Dec 9 23:03:01 2023 +0100
object: getters take const struct
As with all the other entities (like table or set), the getter functions
for objects now take a `const struct nftnl_obj*` as first parameter.
The getters for all specific object types (like counter or limit), which
are called in the default switch-case, already do.
Signed-off-by: corubba <corubba@gmx.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/libnftnl/object.h | 14 +++++++-------
src/object.c | 14 +++++++-------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index 9bd83a5..4b2d90f 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -131,14 +131,14 @@ void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
-const void *nftnl_obj_get_data(struct nftnl_obj *ne, uint16_t attr,
+const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr,
uint32_t *data_len);
-const void *nftnl_obj_get(struct nftnl_obj *ne, uint16_t attr);
-uint8_t nftnl_obj_get_u8(struct nftnl_obj *ne, uint16_t attr);
-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr);
-uint32_t nftnl_obj_get_u32(struct nftnl_obj *ne, uint16_t attr);
-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr);
-const char *nftnl_obj_get_str(struct nftnl_obj *ne, uint16_t attr);
+const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr);
+uint8_t nftnl_obj_get_u8(const struct nftnl_obj *ne, uint16_t attr);
+uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr);
+uint32_t nftnl_obj_get_u32(const struct nftnl_obj *ne, uint16_t attr);
+uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr);
+const char *nftnl_obj_get_str(const struct nftnl_obj *ne, uint16_t attr);
void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh,
const struct nftnl_obj *ne);
diff --git a/src/object.c b/src/object.c
index e94236e..a1a00d8 100644
--- a/src/object.c
+++ b/src/object.c
@@ -161,7 +161,7 @@ void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
}
EXPORT_SYMBOL(nftnl_obj_get_data);
-const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr,
+const void *nftnl_obj_get_data(const struct nftnl_obj *obj, uint16_t attr,
uint32_t *data_len)
{
if (!(obj->flags & (1 << attr)))
@@ -199,42 +199,42 @@ const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr,
}
EXPORT_SYMBOL(nftnl_obj_get);
-const void *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr)
+const void *nftnl_obj_get(const struct nftnl_obj *obj, uint16_t attr)
{
uint32_t data_len;
return nftnl_obj_get_data(obj, attr, &data_len);
}
EXPORT_SYMBOL(nftnl_obj_get_u8);
-uint8_t nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr)
+uint8_t nftnl_obj_get_u8(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint8_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_u16);
-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr)
+uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint16_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_u32);
-uint32_t nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr)
+uint32_t nftnl_obj_get_u32(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint32_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_u64);
-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr)
+uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint64_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_str);
-const char *nftnl_obj_get_str(struct nftnl_obj *obj, uint16_t attr)
+const char *nftnl_obj_get_str(const struct nftnl_obj *obj, uint16_t attr)
{
return nftnl_obj_get(obj, attr);
}

157
SOURCES/0022-obj-Return-value-on-setters.patch Normal file
View File

@ -0,0 +1,157 @@
From 7275fc782f822451b2cba5414037e1b0a1a59bf5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] obj: Return value on setters
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 691f90223712426a2babdb55d7e5526b7310ca6e
commit 691f90223712426a2babdb55d7e5526b7310ca6e
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 14 16:54:55 2024 +0100
obj: Return value on setters
Similar to other setters, let callers know if memory allocation fails.
Though return value with all setters, as all of them may be used to set
object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE
was not set before).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/libnftnl/object.h | 14 ++++++-------
src/object.c | 41 +++++++++++++++++++++++----------------
2 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index 4b2d90f..e235fdf 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -123,14 +123,14 @@ void nftnl_obj_free(const struct nftnl_obj *ne);
bool nftnl_obj_is_set(const struct nftnl_obj *ne, uint16_t attr);
void nftnl_obj_unset(struct nftnl_obj *ne, uint16_t attr);
-void nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
- uint32_t data_len);
+int nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
+ uint32_t data_len);
void nftnl_obj_set(struct nftnl_obj *ne, uint16_t attr, const void *data) __attribute__((deprecated));
-void nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
-void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
-void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
-void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
+int nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
+int nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
+int nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
+int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
+int nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr,
uint32_t *data_len);
const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr);
diff --git a/src/object.c b/src/object.c
index a1a00d8..30e5ee8 100644
--- a/src/object.c
+++ b/src/object.c
@@ -77,8 +77,8 @@ static uint32_t nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = {
};
EXPORT_SYMBOL(nftnl_obj_set_data);
-void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
- const void *data, uint32_t data_len)
+int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
+ const void *data, uint32_t data_len)
{
if (attr < NFTNL_OBJ_MAX)
nftnl_assert_validate(data, nftnl_obj_validate, attr, data_len);
@@ -87,15 +87,19 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
case NFTNL_OBJ_TABLE:
xfree(obj->table);
obj->table = strdup(data);
+ if (!obj->table)
+ return -1;
break;
case NFTNL_OBJ_NAME:
xfree(obj->name);
obj->name = strdup(data);
+ if (!obj->name)
+ return -1;
break;
case NFTNL_OBJ_TYPE:
obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data));
if (!obj->ops)
- return;
+ return -1;
break;
case NFTNL_OBJ_FAMILY:
memcpy(&obj->family, data, sizeof(obj->family));
@@ -112,16 +116,19 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
obj->user.data = malloc(data_len);
if (!obj->user.data)
- return;
+ return -1;
memcpy(obj->user.data, data, data_len);
obj->user.len = data_len;
break;
default:
- if (obj->ops)
- obj->ops->set(obj, attr, data, data_len);
- break;
+ if (!obj->ops)
+ return -1;
+
+ if (obj->ops->set(obj, attr, data, data_len) < 0)
+ return -1;
}
obj->flags |= (1 << attr);
+ return 0;
}
void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) __visible;
@@ -131,33 +138,33 @@ void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data)
}
EXPORT_SYMBOL(nftnl_obj_set_u8);
-void nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
+int nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
}
EXPORT_SYMBOL(nftnl_obj_set_u16);
-void nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val)
+int nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
}
EXPORT_SYMBOL(nftnl_obj_set_u32);
-void nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
+int nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
}
EXPORT_SYMBOL(nftnl_obj_set_u64);
-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
+int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t));
}
EXPORT_SYMBOL(nftnl_obj_set_str);
-void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
+int nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
{
- nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
+ return nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
}
EXPORT_SYMBOL(nftnl_obj_get_data);

234
SOURCES/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch Normal file
View File

@ -0,0 +1,234 @@
From 4a180882136a860773c86c507805ef01eb757dd8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] obj: Repurpose struct obj_ops::max_attr field
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit df4e259c0537fff58ecdc7b3ec1546fb2da93968
commit df4e259c0537fff58ecdc7b3ec1546fb2da93968
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 13:15:22 2024 +0100
obj: Repurpose struct obj_ops::max_attr field
Just like with struct expr_ops::max_attr, make it hold the maximum
object attribute (NFTNL_OBJ_*) value supported by this object type.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/libnftnl/object.h | 9 +++++++++
include/obj.h | 2 +-
src/obj/counter.c | 2 +-
src/obj/ct_expect.c | 2 +-
src/obj/ct_helper.c | 2 +-
src/obj/ct_timeout.c | 2 +-
src/obj/limit.c | 2 +-
src/obj/quota.c | 2 +-
src/obj/secmark.c | 2 +-
src/obj/synproxy.c | 2 +-
src/obj/tunnel.c | 2 +-
11 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index e235fdf..9930355 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -28,18 +28,21 @@ enum {
enum {
NFTNL_OBJ_CTR_PKTS = NFTNL_OBJ_BASE,
NFTNL_OBJ_CTR_BYTES,
+ __NFTNL_OBJ_CTR_MAX,
};
enum {
NFTNL_OBJ_QUOTA_BYTES = NFTNL_OBJ_BASE,
NFTNL_OBJ_QUOTA_CONSUMED,
NFTNL_OBJ_QUOTA_FLAGS,
+ __NFTNL_OBJ_QUOTA_MAX,
};
enum {
NFTNL_OBJ_CT_HELPER_NAME = NFTNL_OBJ_BASE,
NFTNL_OBJ_CT_HELPER_L3PROTO,
NFTNL_OBJ_CT_HELPER_L4PROTO,
+ __NFTNL_OBJ_CT_HELPER_MAX,
};
enum nftnl_cttimeout_array_tcp {
@@ -69,6 +72,7 @@ enum {
NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE,
NFTNL_OBJ_CT_TIMEOUT_L4PROTO,
NFTNL_OBJ_CT_TIMEOUT_ARRAY,
+ __NFTNL_OBJ_CT_TIMEOUT_MAX,
};
enum {
@@ -77,6 +81,7 @@ enum {
NFTNL_OBJ_CT_EXPECT_DPORT,
NFTNL_OBJ_CT_EXPECT_TIMEOUT,
NFTNL_OBJ_CT_EXPECT_SIZE,
+ __NFTNL_OBJ_CT_EXPECT_MAX,
};
enum {
@@ -85,12 +90,14 @@ enum {
NFTNL_OBJ_LIMIT_BURST,
NFTNL_OBJ_LIMIT_TYPE,
NFTNL_OBJ_LIMIT_FLAGS,
+ __NFTNL_OBJ_LIMIT_MAX,
};
enum {
NFTNL_OBJ_SYNPROXY_MSS = NFTNL_OBJ_BASE,
NFTNL_OBJ_SYNPROXY_WSCALE,
NFTNL_OBJ_SYNPROXY_FLAGS,
+ __NFTNL_OBJ_SYNPROXY_MAX,
};
enum {
@@ -110,10 +117,12 @@ enum {
NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX,
NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID,
NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR,
+ __NFTNL_OBJ_TUNNEL_MAX,
};
enum {
NFTNL_OBJ_SECMARK_CTX = NFTNL_OBJ_BASE,
+ __NFTNL_OBJ_SECMARK_MAX,
};
struct nftnl_obj;
diff --git a/include/obj.h b/include/obj.h
index d848ac9..6d2af8d 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -104,7 +104,7 @@ struct obj_ops {
const char *name;
uint32_t type;
size_t alloc_len;
- int max_attr;
+ int nftnl_max_attr;
int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len);
const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len);
int (*parse)(struct nftnl_obj *e, struct nlattr *attr);
diff --git a/src/obj/counter.c b/src/obj/counter.c
index ebf3e74..76a1b20 100644
--- a/src/obj/counter.c
+++ b/src/obj/counter.c
@@ -122,7 +122,7 @@ struct obj_ops obj_ops_counter = {
.name = "counter",
.type = NFT_OBJECT_COUNTER,
.alloc_len = sizeof(struct nftnl_obj_counter),
- .max_attr = NFTA_COUNTER_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1,
.set = nftnl_obj_counter_set,
.get = nftnl_obj_counter_get,
.parse = nftnl_obj_counter_parse,
diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
index 810ba9a..7e9c5e1 100644
--- a/src/obj/ct_expect.c
+++ b/src/obj/ct_expect.c
@@ -191,7 +191,7 @@ struct obj_ops obj_ops_ct_expect = {
.name = "ct_expect",
.type = NFT_OBJECT_CT_EXPECT,
.alloc_len = sizeof(struct nftnl_obj_ct_expect),
- .max_attr = NFTA_CT_EXPECT_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1,
.set = nftnl_obj_ct_expect_set,
.get = nftnl_obj_ct_expect_get,
.parse = nftnl_obj_ct_expect_parse,
diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
index a31bd6f..f8aa734 100644
--- a/src/obj/ct_helper.c
+++ b/src/obj/ct_helper.c
@@ -145,7 +145,7 @@ struct obj_ops obj_ops_ct_helper = {
.name = "ct_helper",
.type = NFT_OBJECT_CT_HELPER,
.alloc_len = sizeof(struct nftnl_obj_ct_helper),
- .max_attr = NFTA_CT_HELPER_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1,
.set = nftnl_obj_ct_helper_set,
.get = nftnl_obj_ct_helper_get,
.parse = nftnl_obj_ct_helper_parse,
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index fedf9e3..ee86231 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -314,7 +314,7 @@ struct obj_ops obj_ops_ct_timeout = {
.name = "ct_timeout",
.type = NFT_OBJECT_CT_TIMEOUT,
.alloc_len = sizeof(struct nftnl_obj_ct_timeout),
- .max_attr = NFTA_CT_TIMEOUT_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1,
.set = nftnl_obj_ct_timeout_set,
.get = nftnl_obj_ct_timeout_get,
.parse = nftnl_obj_ct_timeout_parse,
diff --git a/src/obj/limit.c b/src/obj/limit.c
index d7b1aed..1c54bbc 100644
--- a/src/obj/limit.c
+++ b/src/obj/limit.c
@@ -163,7 +163,7 @@ struct obj_ops obj_ops_limit = {
.name = "limit",
.type = NFT_OBJECT_LIMIT,
.alloc_len = sizeof(struct nftnl_obj_limit),
- .max_attr = NFTA_LIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1,
.set = nftnl_obj_limit_set,
.get = nftnl_obj_limit_get,
.parse = nftnl_obj_limit_parse,
diff --git a/src/obj/quota.c b/src/obj/quota.c
index 6c7559a..a39d552 100644
--- a/src/obj/quota.c
+++ b/src/obj/quota.c
@@ -139,7 +139,7 @@ struct obj_ops obj_ops_quota = {
.name = "quota",
.type = NFT_OBJECT_QUOTA,
.alloc_len = sizeof(struct nftnl_obj_quota),
- .max_attr = NFTA_QUOTA_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1,
.set = nftnl_obj_quota_set,
.get = nftnl_obj_quota_get,
.parse = nftnl_obj_quota_parse,
diff --git a/src/obj/secmark.c b/src/obj/secmark.c
index e5c24b3..c78e35f 100644
--- a/src/obj/secmark.c
+++ b/src/obj/secmark.c
@@ -111,7 +111,7 @@ struct obj_ops obj_ops_secmark = {
.name = "secmark",
.type = NFT_OBJECT_SECMARK,
.alloc_len = sizeof(struct nftnl_obj_secmark),
- .max_attr = NFTA_SECMARK_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1,
.set = nftnl_obj_secmark_set,
.get = nftnl_obj_secmark_get,
.parse = nftnl_obj_secmark_parse,
diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
index 4ef97ec..d259a51 100644
--- a/src/obj/synproxy.c
+++ b/src/obj/synproxy.c
@@ -138,7 +138,7 @@ struct obj_ops obj_ops_synproxy = {
.name = "synproxy",
.type = NFT_OBJECT_SYNPROXY,
.alloc_len = sizeof(struct nftnl_obj_synproxy),
- .max_attr = NFTA_SYNPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1,
.set = nftnl_obj_synproxy_set,
.get = nftnl_obj_synproxy_get,
.parse = nftnl_obj_synproxy_parse,
diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
index d2503dc..19a3639 100644
--- a/src/obj/tunnel.c
+++ b/src/obj/tunnel.c
@@ -542,7 +542,7 @@ struct obj_ops obj_ops_tunnel = {
.name = "tunnel",
.type = NFT_OBJECT_TUNNEL,
.alloc_len = sizeof(struct nftnl_obj_tunnel),
- .max_attr = NFTA_TUNNEL_KEY_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1,
.set = nftnl_obj_tunnel_set,
.get = nftnl_obj_tunnel_get,
.parse = nftnl_obj_tunnel_parse,

168
SOURCES/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch Normal file
View File

@ -0,0 +1,168 @@
From 0203ccf90e6f8a246a5a071e903ab0d89acf2bad Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] obj: Call obj_ops::set with legal attributes only
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 410c245e4811d7888daa456547af58d93d1c63b4
commit 410c245e4811d7888daa456547af58d93d1c63b4
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 13:25:31 2024 +0100
obj: Call obj_ops::set with legal attributes only
Refer to obj_ops::nftnl_max_attr field value for the maximum supported
attribute value to reject invalid ones upfront.
Consequently drop default cases from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/obj/counter.c | 2 --
src/obj/ct_expect.c | 2 --
src/obj/ct_helper.c | 2 --
src/obj/ct_timeout.c | 2 --
src/obj/limit.c | 2 --
src/obj/quota.c | 2 --
src/obj/secmark.c | 2 --
src/obj/synproxy.c | 2 --
src/obj/tunnel.c | 2 --
src/object.c | 4 +++-
10 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/src/obj/counter.c b/src/obj/counter.c
index 76a1b20..982da2c 100644
--- a/src/obj/counter.c
+++ b/src/obj/counter.c
@@ -34,8 +34,6 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_CTR_PKTS:
memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
index 7e9c5e1..60014dc 100644
--- a/src/obj/ct_expect.c
+++ b/src/obj/ct_expect.c
@@ -35,8 +35,6 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_CT_EXPECT_SIZE:
memcpy(&exp->size, data, sizeof(exp->size));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
index f8aa734..b8b05fd 100644
--- a/src/obj/ct_helper.c
+++ b/src/obj/ct_helper.c
@@ -37,8 +37,6 @@ static int nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_CT_HELPER_L4PROTO:
memcpy(&helper->l4proto, data, sizeof(helper->l4proto));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index ee86231..011d928 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -162,8 +162,6 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type,
memcpy(timeout->timeout, data,
sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX);
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/limit.c b/src/obj/limit.c
index 1c54bbc..83cb193 100644
--- a/src/obj/limit.c
+++ b/src/obj/limit.c
@@ -42,8 +42,6 @@ static int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_LIMIT_FLAGS:
memcpy(&limit->flags, data, sizeof(limit->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/quota.c b/src/obj/quota.c
index a39d552..665d7ca 100644
--- a/src/obj/quota.c
+++ b/src/obj/quota.c
@@ -36,8 +36,6 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_QUOTA_FLAGS:
memcpy(&quota->flags, data, sizeof(quota->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/secmark.c b/src/obj/secmark.c
index c78e35f..83cd1dc 100644
--- a/src/obj/secmark.c
+++ b/src/obj/secmark.c
@@ -30,8 +30,6 @@ static int nftnl_obj_secmark_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_SECMARK_CTX:
snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", (const char *)data);
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
index d259a51..f7c7762 100644
--- a/src/obj/synproxy.c
+++ b/src/obj/synproxy.c
@@ -27,8 +27,6 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_SYNPROXY_FLAGS:
memcpy(&synproxy->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
index 19a3639..72985ee 100644
--- a/src/obj/tunnel.c
+++ b/src/obj/tunnel.c
@@ -76,8 +76,6 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR:
memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/object.c b/src/object.c
index 30e5ee8..52a184e 100644
--- a/src/object.c
+++ b/src/object.c
@@ -121,7 +121,9 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
obj->user.len = data_len;
break;
default:
- if (!obj->ops)
+ if (!obj->ops ||
+ attr < NFTNL_OBJ_BASE ||
+ attr > obj->ops->nftnl_max_attr)
return -1;
if (obj->ops->set(obj, attr, data, data_len) < 0)

272
SOURCES/0025-obj-Introduce-struct-obj_ops-attr_policy.patch Normal file
View File

@ -0,0 +1,272 @@
From 569a847a23ba79cf67570fc44569cdb3c816f027 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] obj: Introduce struct obj_ops::attr_policy
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit f8348db87791bb8061b7f9ecf856e835ab74d006
commit f8348db87791bb8061b7f9ecf856e835ab74d006
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 13:46:26 2024 +0100
obj: Introduce struct obj_ops::attr_policy
Just like with struct expr_ops::attr_policy, enable object types to
inform about restrictions on attribute use. This way generic object code
may perform sanity checks before dispatching to object ops.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/obj.h | 1 +
src/obj/counter.c | 6 ++++++
src/obj/ct_expect.c | 10 ++++++++++
src/obj/ct_helper.c | 11 +++++++++++
src/obj/ct_timeout.c | 7 +++++++
src/obj/limit.c | 9 +++++++++
src/obj/quota.c | 7 +++++++
src/obj/secmark.c | 5 +++++
src/obj/synproxy.c | 7 +++++++
src/obj/tunnel.c | 20 ++++++++++++++++++++
10 files changed, 83 insertions(+)
diff --git a/include/obj.h b/include/obj.h
index 6d2af8d..d217737 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -105,6 +105,7 @@ struct obj_ops {
uint32_t type;
size_t alloc_len;
int nftnl_max_attr;
+ struct attr_policy *attr_policy;
int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len);
const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len);
int (*parse)(struct nftnl_obj *e, struct nlattr *attr);
diff --git a/src/obj/counter.c b/src/obj/counter.c
index 982da2c..44524d7 100644
--- a/src/obj/counter.c
+++ b/src/obj/counter.c
@@ -116,11 +116,17 @@ static int nftnl_obj_counter_snprintf(char *buf, size_t len, uint32_t flags,
ctr->pkts, ctr->bytes);
}
+static struct attr_policy obj_ctr_attr_policy[__NFTNL_OBJ_CTR_MAX] = {
+ [NFTNL_OBJ_CTR_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_CTR_PKTS] = { .maxlen = sizeof(uint64_t) },
+};
+
struct obj_ops obj_ops_counter = {
.name = "counter",
.type = NFT_OBJECT_COUNTER,
.alloc_len = sizeof(struct nftnl_obj_counter),
.nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1,
+ .attr_policy = obj_ctr_attr_policy,
.set = nftnl_obj_counter_set,
.get = nftnl_obj_counter_get,
.parse = nftnl_obj_counter_parse,
diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
index 60014dc..978af15 100644
--- a/src/obj/ct_expect.c
+++ b/src/obj/ct_expect.c
@@ -185,11 +185,21 @@ static int nftnl_obj_ct_expect_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy
+obj_ct_expect_attr_policy[__NFTNL_OBJ_CT_EXPECT_MAX] = {
+ [NFTNL_OBJ_CT_EXPECT_L3PROTO] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_EXPECT_L4PROTO] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_CT_EXPECT_DPORT] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_EXPECT_TIMEOUT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_CT_EXPECT_SIZE] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_ct_expect = {
.name = "ct_expect",
.type = NFT_OBJECT_CT_EXPECT,
.alloc_len = sizeof(struct nftnl_obj_ct_expect),
.nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1,
+ .attr_policy = obj_ct_expect_attr_policy,
.set = nftnl_obj_ct_expect_set,
.get = nftnl_obj_ct_expect_get,
.parse = nftnl_obj_ct_expect_parse,
diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
index b8b05fd..aa8e926 100644
--- a/src/obj/ct_helper.c
+++ b/src/obj/ct_helper.c
@@ -139,11 +139,22 @@ static int nftnl_obj_ct_helper_snprintf(char *buf, size_t len,
helper->name, helper->l3proto, helper->l4proto);
}
+/* from kernel's include/net/netfilter/nf_conntrack_helper.h */
+#define NF_CT_HELPER_NAME_LEN 16
+
+static struct attr_policy
+obj_ct_helper_attr_policy[__NFTNL_OBJ_CT_HELPER_MAX] = {
+ [NFTNL_OBJ_CT_HELPER_NAME] = { .maxlen = NF_CT_HELPER_NAME_LEN },
+ [NFTNL_OBJ_CT_HELPER_L3PROTO] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_HELPER_L4PROTO] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_ct_helper = {
.name = "ct_helper",
.type = NFT_OBJECT_CT_HELPER,
.alloc_len = sizeof(struct nftnl_obj_ct_helper),
.nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1,
+ .attr_policy = obj_ct_helper_attr_policy,
.set = nftnl_obj_ct_helper_set,
.get = nftnl_obj_ct_helper_get,
.parse = nftnl_obj_ct_helper_parse,
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index 011d928..88522d8 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -308,11 +308,18 @@ static int nftnl_obj_ct_timeout_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy
+obj_ct_timeout_attr_policy[__NFTNL_OBJ_CT_TIMEOUT_MAX] = {
+ [NFTNL_OBJ_CT_TIMEOUT_L3PROTO] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_TIMEOUT_L4PROTO] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_ct_timeout = {
.name = "ct_timeout",
.type = NFT_OBJECT_CT_TIMEOUT,
.alloc_len = sizeof(struct nftnl_obj_ct_timeout),
.nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1,
+ .attr_policy = obj_ct_timeout_attr_policy,
.set = nftnl_obj_ct_timeout_set,
.get = nftnl_obj_ct_timeout_get,
.parse = nftnl_obj_ct_timeout_parse,
diff --git a/src/obj/limit.c b/src/obj/limit.c
index 83cb193..0c7362e 100644
--- a/src/obj/limit.c
+++ b/src/obj/limit.c
@@ -157,11 +157,20 @@ static int nftnl_obj_limit_snprintf(char *buf, size_t len,
limit->burst, limit->type, limit->flags);
}
+static struct attr_policy obj_limit_attr_policy[__NFTNL_OBJ_LIMIT_MAX] = {
+ [NFTNL_OBJ_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct obj_ops obj_ops_limit = {
.name = "limit",
.type = NFT_OBJECT_LIMIT,
.alloc_len = sizeof(struct nftnl_obj_limit),
.nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1,
+ .attr_policy = obj_limit_attr_policy,
.set = nftnl_obj_limit_set,
.get = nftnl_obj_limit_get,
.parse = nftnl_obj_limit_parse,
diff --git a/src/obj/quota.c b/src/obj/quota.c
index 665d7ca..b48ba91 100644
--- a/src/obj/quota.c
+++ b/src/obj/quota.c
@@ -133,11 +133,18 @@ static int nftnl_obj_quota_snprintf(char *buf, size_t len,
quota->bytes, quota->flags);
}
+static struct attr_policy obj_quota_attr_policy[__NFTNL_OBJ_QUOTA_MAX] = {
+ [NFTNL_OBJ_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct obj_ops obj_ops_quota = {
.name = "quota",
.type = NFT_OBJECT_QUOTA,
.alloc_len = sizeof(struct nftnl_obj_quota),
.nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1,
+ .attr_policy = obj_quota_attr_policy,
.set = nftnl_obj_quota_set,
.get = nftnl_obj_quota_get,
.parse = nftnl_obj_quota_parse,
diff --git a/src/obj/secmark.c b/src/obj/secmark.c
index 83cd1dc..eea9664 100644
--- a/src/obj/secmark.c
+++ b/src/obj/secmark.c
@@ -105,11 +105,16 @@ static int nftnl_obj_secmark_snprintf(char *buf, size_t len,
return snprintf(buf, len, "context %s ", secmark->ctx);
}
+static struct attr_policy obj_secmark_attr_policy[__NFTNL_OBJ_SECMARK_MAX] = {
+ [NFTNL_OBJ_SECMARK_CTX] = { .maxlen = NFT_SECMARK_CTX_MAXLEN },
+};
+
struct obj_ops obj_ops_secmark = {
.name = "secmark",
.type = NFT_OBJECT_SECMARK,
.alloc_len = sizeof(struct nftnl_obj_secmark),
.nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1,
+ .attr_policy = obj_secmark_attr_policy,
.set = nftnl_obj_secmark_set,
.get = nftnl_obj_secmark_get,
.parse = nftnl_obj_secmark_parse,
diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
index f7c7762..65fbcf7 100644
--- a/src/obj/synproxy.c
+++ b/src/obj/synproxy.c
@@ -132,11 +132,18 @@ static int nftnl_obj_synproxy_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy obj_synproxy_attr_policy[__NFTNL_OBJ_SYNPROXY_MAX] = {
+ [NFTNL_OBJ_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct obj_ops obj_ops_synproxy = {
.name = "synproxy",
.type = NFT_OBJECT_SYNPROXY,
.alloc_len = sizeof(struct nftnl_obj_synproxy),
.nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1,
+ .attr_policy = obj_synproxy_attr_policy,
.set = nftnl_obj_synproxy_set,
.get = nftnl_obj_synproxy_get,
.parse = nftnl_obj_synproxy_parse,
diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
index 72985ee..07b3b2a 100644
--- a/src/obj/tunnel.c
+++ b/src/obj/tunnel.c
@@ -536,11 +536,31 @@ static int nftnl_obj_tunnel_snprintf(char *buf, size_t len,
return snprintf(buf, len, "id %u ", tun->id);
}
+static struct attr_policy obj_tunnel_attr_policy[__NFTNL_OBJ_TUNNEL_MAX] = {
+ [NFTNL_OBJ_TUNNEL_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_IPV4_SRC] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_IPV4_DST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_IPV6_SRC] = { .maxlen = sizeof(struct in6_addr) },
+ [NFTNL_OBJ_TUNNEL_IPV6_DST] = { .maxlen = sizeof(struct in6_addr) },
+ [NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_SPORT] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_TUNNEL_DPORT] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_TUNNEL_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_TOS] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_TUNNEL_TTL] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_TUNNEL_VXLAN_GBP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_VERSION] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_tunnel = {
.name = "tunnel",
.type = NFT_OBJECT_TUNNEL,
.alloc_len = sizeof(struct nftnl_obj_tunnel),
.nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1,
+ .attr_policy = obj_tunnel_attr_policy,
.set = nftnl_obj_tunnel_set,
.get = nftnl_obj_tunnel_get,
.parse = nftnl_obj_tunnel_parse,

43
SOURCES/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch Normal file
View File

@ -0,0 +1,43 @@
From c67dacb6c402c95eb6331a36ba1fbca1a3ee2257 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] obj: Enforce attr_policy compliance in nftnl_obj_set_data()
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit 5d94baba0f43426120ce025aacaa74406659ad7f
commit 5d94baba0f43426120ce025aacaa74406659ad7f
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 13:56:14 2024 +0100
obj: Enforce attr_policy compliance in nftnl_obj_set_data()
Every object type defines an attr_policy array, so deny setting
attributes for object types which don't have it present or if it
specifies a non-zero maxlen which is lower than the given data_len.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/object.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/object.c b/src/object.c
index 52a184e..b653732 100644
--- a/src/object.c
+++ b/src/object.c
@@ -123,7 +123,12 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
default:
if (!obj->ops ||
attr < NFTNL_OBJ_BASE ||
- attr > obj->ops->nftnl_max_attr)
+ attr > obj->ops->nftnl_max_attr ||
+ !obj->ops->attr_policy)
+ return -1;
+
+ if (obj->ops->attr_policy[attr].maxlen &&
+ obj->ops->attr_policy[attr].maxlen < data_len)
return -1;
if (obj->ops->set(obj, attr, data, data_len) < 0)

251
SOURCES/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch Normal file
View File

@ -0,0 +1,251 @@
From 7285bf672df47b130e4ff3afd481bf4973cede5e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] utils: Introduce and use nftnl_set_str_attr()
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit bb5e75be9d28c37096c90d9ae9fcc7ad0841f2c2
commit bb5e75be9d28c37096c90d9ae9fcc7ad0841f2c2
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 14:07:21 2024 +0100
utils: Introduce and use nftnl_set_str_attr()
The function consolidates the necessary code when assigning to string
pointer attributes, namely:
* Conditional free of the previous value
* Allocation of new value
* Checking for memory allocation errors
* Setting respective flag bit
A new feature previously missing in all call sites is respecting
data_len in case the buffer up to that point did not contain a NUL-char.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/chain.c | 36 ++++++++----------------------------
src/flowtable.c | 17 ++++-------------
src/object.c | 13 ++++---------
src/rule.c | 18 ++++--------------
src/set.c | 18 ++++--------------
src/table.c | 9 ++-------
src/utils.c | 14 ++++++++++++++
7 files changed, 40 insertions(+), 85 deletions(-)
diff --git a/src/chain.c b/src/chain.c
index e0b1eaf..c7026f4 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -217,21 +217,11 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
switch(attr) {
case NFTNL_CHAIN_NAME:
- if (c->flags & (1 << NFTNL_CHAIN_NAME))
- xfree(c->name);
-
- c->name = strdup(data);
- if (!c->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->name, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_TABLE:
- if (c->flags & (1 << NFTNL_CHAIN_TABLE))
- xfree(c->table);
-
- c->table = strdup(data);
- if (!c->table)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->table, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_HOOKNUM:
memcpy(&c->hooknum, data, sizeof(c->hooknum));
break;
@@ -257,21 +247,11 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
memcpy(&c->family, data, sizeof(c->family));
break;
case NFTNL_CHAIN_TYPE:
- if (c->flags & (1 << NFTNL_CHAIN_TYPE))
- xfree(c->type);
-
- c->type = strdup(data);
- if (!c->type)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->type, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_DEV:
- if (c->flags & (1 << NFTNL_CHAIN_DEV))
- xfree(c->dev);
-
- c->dev = strdup(data);
- if (!c->dev)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->dev, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_DEVICES:
dev_array = (const char **)data;
while (dev_array[len] != NULL)
diff --git a/src/flowtable.c b/src/flowtable.c
index 2f37cd4..41a1456 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -119,20 +119,11 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
switch(attr) {
case NFTNL_FLOWTABLE_NAME:
- if (c->flags & (1 << NFTNL_FLOWTABLE_NAME))
- xfree(c->name);
-
- c->name = strdup(data);
- if (!c->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->name, &c->flags,
+ attr, data, data_len);
case NFTNL_FLOWTABLE_TABLE:
- if (c->flags & (1 << NFTNL_FLOWTABLE_TABLE))
- xfree(c->table);
-
- c->table = strdup(data);
- if (!c->table)
- return -1;
+ return nftnl_set_str_attr(&c->table, &c->flags,
+ attr, data, data_len);
break;
case NFTNL_FLOWTABLE_HOOKNUM:
memcpy(&c->hooknum, data, sizeof(c->hooknum));
diff --git a/src/object.c b/src/object.c
index b653732..79b41eb 100644
--- a/src/object.c
+++ b/src/object.c
@@ -85,17 +85,12 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
switch (attr) {
case NFTNL_OBJ_TABLE:
- xfree(obj->table);
- obj->table = strdup(data);
- if (!obj->table)
- return -1;
+ return nftnl_set_str_attr(&obj->table, &obj->flags,
+ attr, data, data_len);
break;
case NFTNL_OBJ_NAME:
- xfree(obj->name);
- obj->name = strdup(data);
- if (!obj->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&obj->name, &obj->flags,
+ attr, data, data_len);
case NFTNL_OBJ_TYPE:
obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data));
if (!obj->ops)
diff --git a/src/rule.c b/src/rule.c
index a52012b..e16e2c1 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -115,21 +115,11 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
switch(attr) {
case NFTNL_RULE_TABLE:
- if (r->flags & (1 << NFTNL_RULE_TABLE))
- xfree(r->table);
-
- r->table = strdup(data);
- if (!r->table)
- return -1;
- break;
+ return nftnl_set_str_attr(&r->table, &r->flags,
+ attr, data, data_len);
case NFTNL_RULE_CHAIN:
- if (r->flags & (1 << NFTNL_RULE_CHAIN))
- xfree(r->chain);
-
- r->chain = strdup(data);
- if (!r->chain)
- return -1;
- break;
+ return nftnl_set_str_attr(&r->chain, &r->flags,
+ attr, data, data_len);
case NFTNL_RULE_HANDLE:
memcpy(&r->handle, data, sizeof(r->handle));
break;
diff --git a/src/set.c b/src/set.c
index a732bc0..07e332d 100644
--- a/src/set.c
+++ b/src/set.c
@@ -146,21 +146,11 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
switch(attr) {
case NFTNL_SET_TABLE:
- if (s->flags & (1 << NFTNL_SET_TABLE))
- xfree(s->table);
-
- s->table = strdup(data);
- if (!s->table)
- return -1;
- break;
+ return nftnl_set_str_attr(&s->table, &s->flags,
+ attr, data, data_len);
case NFTNL_SET_NAME:
- if (s->flags & (1 << NFTNL_SET_NAME))
- xfree(s->name);
-
- s->name = strdup(data);
- if (!s->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&s->name, &s->flags,
+ attr, data, data_len);
case NFTNL_SET_HANDLE:
memcpy(&s->handle, data, sizeof(s->handle));
break;
diff --git a/src/table.c b/src/table.c
index 4f48e8c..13f01cf 100644
--- a/src/table.c
+++ b/src/table.c
@@ -101,13 +101,8 @@ int nftnl_table_set_data(struct nftnl_table *t, uint16_t attr,
switch (attr) {
case NFTNL_TABLE_NAME:
- if (t->flags & (1 << NFTNL_TABLE_NAME))
- xfree(t->name);
-
- t->name = strdup(data);
- if (!t->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&t->name, &t->flags,
+ attr, data, data_len);
case NFTNL_TABLE_HANDLE:
memcpy(&t->handle, data, sizeof(t->handle));
break;
diff --git a/src/utils.c b/src/utils.c
index 3617837..a0f03da 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -330,3 +330,17 @@ void __noreturn __abi_breakage(const char *file, int line, const char *reason)
"%s:%d reason: %s\n", file, line, reason);
exit(EXIT_FAILURE);
}
+
+int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
+ uint16_t attr, const void *data, uint32_t data_len)
+{
+ if (*flags & (1 << attr))
+ xfree(*dptr);
+
+ *dptr = strndup(data, data_len);
+ if (!*dptr)
+ return -1;
+
+ *flags |= (1 << attr);
+ return 0;
+}

234
SOURCES/0028-obj-Respect-data_len-when-setting-attributes.patch Normal file
View File

@ -0,0 +1,234 @@
From a75cd0ecf866513625346ddfcedb366af91e6f03 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] obj: Respect data_len when setting attributes
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit c48ac8cba8716a8bc4ff713ee965eee2643cfc31
commit c48ac8cba8716a8bc4ff713ee965eee2643cfc31
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 14:34:18 2024 +0100
obj: Respect data_len when setting attributes
With attr_policy in place, data_len has an upper boundary. Use it for
memcpy() calls to cover for caller passing data with lower size than the
attribute's storage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/obj/counter.c | 4 ++--
src/obj/ct_expect.c | 10 +++++-----
src/obj/ct_helper.c | 4 ++--
src/obj/ct_timeout.c | 4 ++--
src/obj/limit.c | 10 +++++-----
src/obj/quota.c | 6 +++---
src/obj/tunnel.c | 32 ++++++++++++++++----------------
7 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/src/obj/counter.c b/src/obj/counter.c
index 44524d7..19e09ed 100644
--- a/src/obj/counter.c
+++ b/src/obj/counter.c
@@ -29,10 +29,10 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type,
switch(type) {
case NFTNL_OBJ_CTR_BYTES:
- memcpy(&ctr->bytes, data, sizeof(ctr->bytes));
+ memcpy(&ctr->bytes, data, data_len);
break;
case NFTNL_OBJ_CTR_PKTS:
- memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
+ memcpy(&ctr->pkts, data, data_len);
break;
}
return 0;
diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
index 978af15..b4d6faa 100644
--- a/src/obj/ct_expect.c
+++ b/src/obj/ct_expect.c
@@ -21,19 +21,19 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_CT_EXPECT_L3PROTO:
- memcpy(&exp->l3proto, data, sizeof(exp->l3proto));
+ memcpy(&exp->l3proto, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_L4PROTO:
- memcpy(&exp->l4proto, data, sizeof(exp->l4proto));
+ memcpy(&exp->l4proto, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_DPORT:
- memcpy(&exp->dport, data, sizeof(exp->dport));
+ memcpy(&exp->dport, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_TIMEOUT:
- memcpy(&exp->timeout, data, sizeof(exp->timeout));
+ memcpy(&exp->timeout, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_SIZE:
- memcpy(&exp->size, data, sizeof(exp->size));
+ memcpy(&exp->size, data, data_len);
break;
}
return 0;
diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
index aa8e926..1feccf2 100644
--- a/src/obj/ct_helper.c
+++ b/src/obj/ct_helper.c
@@ -32,10 +32,10 @@ static int nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type,
snprintf(helper->name, sizeof(helper->name), "%s", (const char *)data);
break;
case NFTNL_OBJ_CT_HELPER_L3PROTO:
- memcpy(&helper->l3proto, data, sizeof(helper->l3proto));
+ memcpy(&helper->l3proto, data, data_len);
break;
case NFTNL_OBJ_CT_HELPER_L4PROTO:
- memcpy(&helper->l4proto, data, sizeof(helper->l4proto));
+ memcpy(&helper->l4proto, data, data_len);
break;
}
return 0;
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index 88522d8..b9b688e 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -150,10 +150,10 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_CT_TIMEOUT_L3PROTO:
- memcpy(&timeout->l3proto, data, sizeof(timeout->l3proto));
+ memcpy(&timeout->l3proto, data, data_len);
break;
case NFTNL_OBJ_CT_TIMEOUT_L4PROTO:
- memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto));
+ memcpy(&timeout->l4proto, data, data_len);
break;
case NFTNL_OBJ_CT_TIMEOUT_ARRAY:
if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX)
diff --git a/src/obj/limit.c b/src/obj/limit.c
index 0c7362e..cbf30b4 100644
--- a/src/obj/limit.c
+++ b/src/obj/limit.c
@@ -28,19 +28,19 @@ static int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_LIMIT_RATE:
- memcpy(&limit->rate, data, sizeof(limit->rate));
+ memcpy(&limit->rate, data, data_len);
break;
case NFTNL_OBJ_LIMIT_UNIT:
- memcpy(&limit->unit, data, sizeof(limit->unit));
+ memcpy(&limit->unit, data, data_len);
break;
case NFTNL_OBJ_LIMIT_BURST:
- memcpy(&limit->burst, data, sizeof(limit->burst));
+ memcpy(&limit->burst, data, data_len);
break;
case NFTNL_OBJ_LIMIT_TYPE:
- memcpy(&limit->type, data, sizeof(limit->type));
+ memcpy(&limit->type, data, data_len);
break;
case NFTNL_OBJ_LIMIT_FLAGS:
- memcpy(&limit->flags, data, sizeof(limit->flags));
+ memcpy(&limit->flags, data, data_len);
break;
}
return 0;
diff --git a/src/obj/quota.c b/src/obj/quota.c
index b48ba91..526db8e 100644
--- a/src/obj/quota.c
+++ b/src/obj/quota.c
@@ -28,13 +28,13 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_QUOTA_BYTES:
- memcpy(&quota->bytes, data, sizeof(quota->bytes));
+ memcpy(&quota->bytes, data, data_len);
break;
case NFTNL_OBJ_QUOTA_CONSUMED:
- memcpy(&quota->consumed, data, sizeof(quota->consumed));
+ memcpy(&quota->consumed, data, data_len);
break;
case NFTNL_OBJ_QUOTA_FLAGS:
- memcpy(&quota->flags, data, sizeof(quota->flags));
+ memcpy(&quota->flags, data, data_len);
break;
}
return 0;
diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
index 07b3b2a..0309410 100644
--- a/src/obj/tunnel.c
+++ b/src/obj/tunnel.c
@@ -29,52 +29,52 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_TUNNEL_ID:
- memcpy(&tun->id, data, sizeof(tun->id));
+ memcpy(&tun->id, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV4_SRC:
- memcpy(&tun->src_v4, data, sizeof(tun->src_v4));
+ memcpy(&tun->src_v4, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV4_DST:
- memcpy(&tun->dst_v4, data, sizeof(tun->dst_v4));
+ memcpy(&tun->dst_v4, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV6_SRC:
- memcpy(&tun->src_v6, data, sizeof(struct in6_addr));
+ memcpy(&tun->src_v6, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV6_DST:
- memcpy(&tun->dst_v6, data, sizeof(struct in6_addr));
+ memcpy(&tun->dst_v6, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL:
- memcpy(&tun->flowlabel, data, sizeof(tun->flowlabel));
+ memcpy(&tun->flowlabel, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_SPORT:
- memcpy(&tun->sport, data, sizeof(tun->sport));
+ memcpy(&tun->sport, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_DPORT:
- memcpy(&tun->dport, data, sizeof(tun->dport));
+ memcpy(&tun->dport, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_FLAGS:
- memcpy(&tun->tun_flags, data, sizeof(tun->tun_flags));
+ memcpy(&tun->tun_flags, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_TOS:
- memcpy(&tun->tun_tos, data, sizeof(tun->tun_tos));
+ memcpy(&tun->tun_tos, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_TTL:
- memcpy(&tun->tun_ttl, data, sizeof(tun->tun_ttl));
+ memcpy(&tun->tun_ttl, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_VXLAN_GBP:
- memcpy(&tun->u.tun_vxlan.gbp, data, sizeof(tun->u.tun_vxlan.gbp));
+ memcpy(&tun->u.tun_vxlan.gbp, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_VERSION:
- memcpy(&tun->u.tun_erspan.version, data, sizeof(tun->u.tun_erspan.version));
+ memcpy(&tun->u.tun_erspan.version, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX:
- memcpy(&tun->u.tun_erspan.u.v1_index, data, sizeof(tun->u.tun_erspan.u.v1_index));
+ memcpy(&tun->u.tun_erspan.u.v1_index, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID:
- memcpy(&tun->u.tun_erspan.u.v2.hwid, data, sizeof(tun->u.tun_erspan.u.v2.hwid));
+ memcpy(&tun->u.tun_erspan.u.v2.hwid, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR:
- memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir));
+ memcpy(&tun->u.tun_erspan.u.v2.dir, data, data_len);
break;
}
return 0;

968
SOURCES/0029-expr-Respect-data_len-when-setting-attributes.patch Normal file
View File

@ -0,0 +1,968 @@
From e1a4cfec3462db1a91788f74d4d083c4c4b63788 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:39:41 +0200
Subject: [PATCH] expr: Respect data_len when setting attributes
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit be0bae0ad31b0adb506f96de083f52a2bd0d4fbf
commit be0bae0ad31b0adb506f96de083f52a2bd0d4fbf
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 7 14:49:08 2024 +0100
expr: Respect data_len when setting attributes
With attr_policy in place, data_len has an upper boundary but it may be
lower than the attribute's storage area in which case memcpy() would
read garbage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/expr/bitwise.c | 8 ++++----
src/expr/byteorder.c | 10 +++++-----
src/expr/cmp.c | 4 ++--
src/expr/connlimit.c | 4 ++--
src/expr/counter.c | 4 ++--
src/expr/ct.c | 8 ++++----
src/expr/dup.c | 4 ++--
src/expr/dynset.c | 12 ++++++------
src/expr/exthdr.c | 14 +++++++-------
src/expr/fib.c | 6 +++---
src/expr/fwd.c | 6 +++---
src/expr/hash.c | 14 +++++++-------
src/expr/immediate.c | 6 +++---
src/expr/inner.c | 6 +++---
src/expr/last.c | 4 ++--
src/expr/limit.c | 10 +++++-----
src/expr/log.c | 10 +++++-----
src/expr/lookup.c | 8 ++++----
src/expr/masq.c | 6 +++---
src/expr/match.c | 2 +-
src/expr/meta.c | 6 +++---
src/expr/nat.c | 14 +++++++-------
src/expr/numgen.c | 8 ++++----
src/expr/objref.c | 6 +++---
src/expr/osf.c | 6 +++---
src/expr/payload.c | 16 ++++++++--------
src/expr/queue.c | 8 ++++----
src/expr/quota.c | 6 +++---
src/expr/range.c | 4 ++--
src/expr/redir.c | 6 +++---
src/expr/reject.c | 4 ++--
src/expr/rt.c | 4 ++--
src/expr/socket.c | 6 +++---
src/expr/synproxy.c | 6 +++---
src/expr/target.c | 2 +-
src/expr/tproxy.c | 6 +++---
src/expr/tunnel.c | 4 ++--
src/expr/xfrm.c | 8 ++++----
38 files changed, 133 insertions(+), 133 deletions(-)
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index dab1690..e99131a 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -39,16 +39,16 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_BITWISE_SREG:
- memcpy(&bitwise->sreg, data, sizeof(bitwise->sreg));
+ memcpy(&bitwise->sreg, data, data_len);
break;
case NFTNL_EXPR_BITWISE_DREG:
- memcpy(&bitwise->dreg, data, sizeof(bitwise->dreg));
+ memcpy(&bitwise->dreg, data, data_len);
break;
case NFTNL_EXPR_BITWISE_OP:
- memcpy(&bitwise->op, data, sizeof(bitwise->op));
+ memcpy(&bitwise->op, data, data_len);
break;
case NFTNL_EXPR_BITWISE_LEN:
- memcpy(&bitwise->len, data, sizeof(bitwise->len));
+ memcpy(&bitwise->len, data, data_len);
break;
case NFTNL_EXPR_BITWISE_MASK:
return nftnl_data_cpy(&bitwise->mask, data, data_len);
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index d4e85a8..383e80d 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -37,19 +37,19 @@ nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_BYTEORDER_SREG:
- memcpy(&byteorder->sreg, data, sizeof(byteorder->sreg));
+ memcpy(&byteorder->sreg, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_DREG:
- memcpy(&byteorder->dreg, data, sizeof(byteorder->dreg));
+ memcpy(&byteorder->dreg, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_OP:
- memcpy(&byteorder->op, data, sizeof(byteorder->op));
+ memcpy(&byteorder->op, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_LEN:
- memcpy(&byteorder->len, data, sizeof(byteorder->len));
+ memcpy(&byteorder->len, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_SIZE:
- memcpy(&byteorder->size, data, sizeof(byteorder->size));
+ memcpy(&byteorder->size, data, data_len);
break;
}
return 0;
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 2937d7e..d1f0f64 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -36,10 +36,10 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CMP_SREG:
- memcpy(&cmp->sreg, data, sizeof(cmp->sreg));
+ memcpy(&cmp->sreg, data, data_len);
break;
case NFTNL_EXPR_CMP_OP:
- memcpy(&cmp->op, data, sizeof(cmp->op));
+ memcpy(&cmp->op, data, data_len);
break;
case NFTNL_EXPR_CMP_DATA:
return nftnl_data_cpy(&cmp->data, data, data_len);
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 1c78c71..fcac8bf 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -33,10 +33,10 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CONNLIMIT_COUNT:
- memcpy(&connlimit->count, data, sizeof(connlimit->count));
+ memcpy(&connlimit->count, data, data_len);
break;
case NFTNL_EXPR_CONNLIMIT_FLAGS:
- memcpy(&connlimit->flags, data, sizeof(connlimit->flags));
+ memcpy(&connlimit->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/counter.c b/src/expr/counter.c
index 2c6f2a7..cef9119 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -35,10 +35,10 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CTR_BYTES:
- memcpy(&ctr->bytes, data, sizeof(ctr->bytes));
+ memcpy(&ctr->bytes, data, data_len);
break;
case NFTNL_EXPR_CTR_PACKETS:
- memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
+ memcpy(&ctr->pkts, data, data_len);
break;
}
return 0;
diff --git a/src/expr/ct.c b/src/expr/ct.c
index f7dd40d..bea0522 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -39,16 +39,16 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CT_KEY:
- memcpy(&ct->key, data, sizeof(ct->key));
+ memcpy(&ct->key, data, data_len);
break;
case NFTNL_EXPR_CT_DIR:
- memcpy(&ct->dir, data, sizeof(ct->dir));
+ memcpy(&ct->dir, data, data_len);
break;
case NFTNL_EXPR_CT_DREG:
- memcpy(&ct->dreg, data, sizeof(ct->dreg));
+ memcpy(&ct->dreg, data, data_len);
break;
case NFTNL_EXPR_CT_SREG:
- memcpy(&ct->sreg, data, sizeof(ct->sreg));
+ memcpy(&ct->sreg, data, data_len);
break;
}
return 0;
diff --git a/src/expr/dup.c b/src/expr/dup.c
index 6a5e4ca..28d686b 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -32,10 +32,10 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_DUP_SREG_ADDR:
- memcpy(&dup->sreg_addr, data, sizeof(dup->sreg_addr));
+ memcpy(&dup->sreg_addr, data, data_len);
break;
case NFTNL_EXPR_DUP_SREG_DEV:
- memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev));
+ memcpy(&dup->sreg_dev, data, data_len);
break;
}
return 0;
diff --git a/src/expr/dynset.c b/src/expr/dynset.c
index c1f79b5..8a159f8 100644
--- a/src/expr/dynset.c
+++ b/src/expr/dynset.c
@@ -41,16 +41,16 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_DYNSET_SREG_KEY:
- memcpy(&dynset->sreg_key, data, sizeof(dynset->sreg_key));
+ memcpy(&dynset->sreg_key, data, data_len);
break;
case NFTNL_EXPR_DYNSET_SREG_DATA:
- memcpy(&dynset->sreg_data, data, sizeof(dynset->sreg_data));
+ memcpy(&dynset->sreg_data, data, data_len);
break;
case NFTNL_EXPR_DYNSET_OP:
- memcpy(&dynset->op, data, sizeof(dynset->op));
+ memcpy(&dynset->op, data, data_len);
break;
case NFTNL_EXPR_DYNSET_TIMEOUT:
- memcpy(&dynset->timeout, data, sizeof(dynset->timeout));
+ memcpy(&dynset->timeout, data, data_len);
break;
case NFTNL_EXPR_DYNSET_SET_NAME:
dynset->set_name = strdup((const char *)data);
@@ -58,7 +58,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_DYNSET_SET_ID:
- memcpy(&dynset->set_id, data, sizeof(dynset->set_id));
+ memcpy(&dynset->set_id, data, data_len);
break;
case NFTNL_EXPR_DYNSET_EXPR:
list_for_each_entry_safe(expr, next, &dynset->expr_list, head)
@@ -68,7 +68,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
list_add(&expr->head, &dynset->expr_list);
break;
case NFTNL_EXPR_DYNSET_FLAGS:
- memcpy(&dynset->dynset_flags, data, sizeof(dynset->dynset_flags));
+ memcpy(&dynset->dynset_flags, data, data_len);
break;
default:
return -1;
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index 93b7521..453902c 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -46,25 +46,25 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_EXTHDR_DREG:
- memcpy(&exthdr->dreg, data, sizeof(exthdr->dreg));
+ memcpy(&exthdr->dreg, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_TYPE:
- memcpy(&exthdr->type, data, sizeof(exthdr->type));
+ memcpy(&exthdr->type, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_OFFSET:
- memcpy(&exthdr->offset, data, sizeof(exthdr->offset));
+ memcpy(&exthdr->offset, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_LEN:
- memcpy(&exthdr->len, data, sizeof(exthdr->len));
+ memcpy(&exthdr->len, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_OP:
- memcpy(&exthdr->op, data, sizeof(exthdr->op));
+ memcpy(&exthdr->op, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_FLAGS:
- memcpy(&exthdr->flags, data, sizeof(exthdr->flags));
+ memcpy(&exthdr->flags, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_SREG:
- memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg));
+ memcpy(&exthdr->sreg, data, data_len);
break;
}
return 0;
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 5f7bef4..20bc125 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -35,13 +35,13 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result,
switch (result) {
case NFTNL_EXPR_FIB_RESULT:
- memcpy(&fib->result, data, sizeof(fib->result));
+ memcpy(&fib->result, data, data_len);
break;
case NFTNL_EXPR_FIB_DREG:
- memcpy(&fib->dreg, data, sizeof(fib->dreg));
+ memcpy(&fib->dreg, data, data_len);
break;
case NFTNL_EXPR_FIB_FLAGS:
- memcpy(&fib->flags, data, sizeof(fib->flags));
+ memcpy(&fib->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index 566d6f4..04cb089 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -33,13 +33,13 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_FWD_SREG_DEV:
- memcpy(&fwd->sreg_dev, data, sizeof(fwd->sreg_dev));
+ memcpy(&fwd->sreg_dev, data, data_len);
break;
case NFTNL_EXPR_FWD_SREG_ADDR:
- memcpy(&fwd->sreg_addr, data, sizeof(fwd->sreg_addr));
+ memcpy(&fwd->sreg_addr, data, data_len);
break;
case NFTNL_EXPR_FWD_NFPROTO:
- memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto));
+ memcpy(&fwd->nfproto, data, data_len);
break;
}
return 0;
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 4cd9006..eb44b2e 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -37,25 +37,25 @@ nftnl_expr_hash_set(struct nftnl_expr *e, uint16_t type,
struct nftnl_expr_hash *hash = nftnl_expr_data(e);
switch (type) {
case NFTNL_EXPR_HASH_SREG:
- memcpy(&hash->sreg, data, sizeof(hash->sreg));
+ memcpy(&hash->sreg, data, data_len);
break;
case NFTNL_EXPR_HASH_DREG:
- memcpy(&hash->dreg, data, sizeof(hash->dreg));
+ memcpy(&hash->dreg, data, data_len);
break;
case NFTNL_EXPR_HASH_LEN:
- memcpy(&hash->len, data, sizeof(hash->len));
+ memcpy(&hash->len, data, data_len);
break;
case NFTNL_EXPR_HASH_MODULUS:
- memcpy(&hash->modulus, data, sizeof(hash->modulus));
+ memcpy(&hash->modulus, data, data_len);
break;
case NFTNL_EXPR_HASH_SEED:
- memcpy(&hash->seed, data, sizeof(hash->seed));
+ memcpy(&hash->seed, data, data_len);
break;
case NFTNL_EXPR_HASH_OFFSET:
- memcpy(&hash->offset, data, sizeof(hash->offset));
+ memcpy(&hash->offset, data, data_len);
break;
case NFTNL_EXPR_HASH_TYPE:
- memcpy(&hash->type, data, sizeof(hash->type));
+ memcpy(&hash->type, data, data_len);
break;
default:
return -1;
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index 8645ab3..b2400e7 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -33,12 +33,12 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_IMM_DREG:
- memcpy(&imm->dreg, data, sizeof(imm->dreg));
+ memcpy(&imm->dreg, data, data_len);
break;
case NFTNL_EXPR_IMM_DATA:
return nftnl_data_cpy(&imm->data, data, data_len);
case NFTNL_EXPR_IMM_VERDICT:
- memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict));
+ memcpy(&imm->data.verdict, data, data_len);
break;
case NFTNL_EXPR_IMM_CHAIN:
if (e->flags & (1 << NFTNL_EXPR_IMM_CHAIN))
@@ -49,7 +49,7 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_IMM_CHAIN_ID:
- memcpy(&imm->data.chain_id, data, sizeof(uint32_t));
+ memcpy(&imm->data.chain_id, data, data_len);
break;
}
return 0;
diff --git a/src/expr/inner.c b/src/expr/inner.c
index 45ef4fb..4f66e94 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -45,13 +45,13 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_INNER_TYPE:
- memcpy(&inner->type, data, sizeof(inner->type));
+ memcpy(&inner->type, data, data_len);
break;
case NFTNL_EXPR_INNER_FLAGS:
- memcpy(&inner->flags, data, sizeof(inner->flags));
+ memcpy(&inner->flags, data, data_len);
break;
case NFTNL_EXPR_INNER_HDRSIZE:
- memcpy(&inner->hdrsize, data, sizeof(inner->hdrsize));
+ memcpy(&inner->hdrsize, data, data_len);
break;
case NFTNL_EXPR_INNER_EXPR:
if (inner->expr)
diff --git a/src/expr/last.c b/src/expr/last.c
index 074f463..8e5b88e 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -32,10 +32,10 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_LAST_MSECS:
- memcpy(&last->msecs, data, sizeof(last->msecs));
+ memcpy(&last->msecs, data, data_len);
break;
case NFTNL_EXPR_LAST_SET:
- memcpy(&last->set, data, sizeof(last->set));
+ memcpy(&last->set, data, data_len);
break;
}
return 0;
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 935d449..9d02592 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -38,19 +38,19 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_LIMIT_RATE:
- memcpy(&limit->rate, data, sizeof(limit->rate));
+ memcpy(&limit->rate, data, data_len);
break;
case NFTNL_EXPR_LIMIT_UNIT:
- memcpy(&limit->unit, data, sizeof(limit->unit));
+ memcpy(&limit->unit, data, data_len);
break;
case NFTNL_EXPR_LIMIT_BURST:
- memcpy(&limit->burst, data, sizeof(limit->burst));
+ memcpy(&limit->burst, data, data_len);
break;
case NFTNL_EXPR_LIMIT_TYPE:
- memcpy(&limit->type, data, sizeof(limit->type));
+ memcpy(&limit->type, data, data_len);
break;
case NFTNL_EXPR_LIMIT_FLAGS:
- memcpy(&limit->flags, data, sizeof(limit->flags));
+ memcpy(&limit->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/log.c b/src/expr/log.c
index d6d6910..18ec2b6 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -46,19 +46,19 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_LOG_GROUP:
- memcpy(&log->group, data, sizeof(log->group));
+ memcpy(&log->group, data, data_len);
break;
case NFTNL_EXPR_LOG_SNAPLEN:
- memcpy(&log->snaplen, data, sizeof(log->snaplen));
+ memcpy(&log->snaplen, data, data_len);
break;
case NFTNL_EXPR_LOG_QTHRESHOLD:
- memcpy(&log->qthreshold, data, sizeof(log->qthreshold));
+ memcpy(&log->qthreshold, data, data_len);
break;
case NFTNL_EXPR_LOG_LEVEL:
- memcpy(&log->level, data, sizeof(log->level));
+ memcpy(&log->level, data, data_len);
break;
case NFTNL_EXPR_LOG_FLAGS:
- memcpy(&log->flags, data, sizeof(log->flags));
+ memcpy(&log->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index be04528..21a7fce 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -37,10 +37,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_LOOKUP_SREG:
- memcpy(&lookup->sreg, data, sizeof(lookup->sreg));
+ memcpy(&lookup->sreg, data, data_len);
break;
case NFTNL_EXPR_LOOKUP_DREG:
- memcpy(&lookup->dreg, data, sizeof(lookup->dreg));
+ memcpy(&lookup->dreg, data, data_len);
break;
case NFTNL_EXPR_LOOKUP_SET:
lookup->set_name = strdup((const char *)data);
@@ -48,10 +48,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_LOOKUP_SET_ID:
- memcpy(&lookup->set_id, data, sizeof(lookup->set_id));
+ memcpy(&lookup->set_id, data, data_len);
break;
case NFTNL_EXPR_LOOKUP_FLAGS:
- memcpy(&lookup->flags, data, sizeof(lookup->flags));
+ memcpy(&lookup->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/masq.c b/src/expr/masq.c
index 4be5a9c..e0565db 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -34,13 +34,13 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_MASQ_FLAGS:
- memcpy(&masq->flags, data, sizeof(masq->flags));
+ memcpy(&masq->flags, data, data_len);
break;
case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
- memcpy(&masq->sreg_proto_min, data, sizeof(masq->sreg_proto_min));
+ memcpy(&masq->sreg_proto_min, data, data_len);
break;
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
- memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
+ memcpy(&masq->sreg_proto_max, data, data_len);
break;
}
return 0;
diff --git a/src/expr/match.c b/src/expr/match.c
index 68288dc..8c1bc74 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -46,7 +46,7 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type,
(const char *)data);
break;
case NFTNL_EXPR_MT_REV:
- memcpy(&mt->rev, data, sizeof(mt->rev));
+ memcpy(&mt->rev, data, data_len);
break;
case NFTNL_EXPR_MT_INFO:
if (e->flags & (1 << NFTNL_EXPR_MT_INFO))
diff --git a/src/expr/meta.c b/src/expr/meta.c
index cd49c34..136a450 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -39,13 +39,13 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_META_KEY:
- memcpy(&meta->key, data, sizeof(meta->key));
+ memcpy(&meta->key, data, data_len);
break;
case NFTNL_EXPR_META_DREG:
- memcpy(&meta->dreg, data, sizeof(meta->dreg));
+ memcpy(&meta->dreg, data, data_len);
break;
case NFTNL_EXPR_META_SREG:
- memcpy(&meta->sreg, data, sizeof(meta->sreg));
+ memcpy(&meta->sreg, data, data_len);
break;
}
return 0;
diff --git a/src/expr/nat.c b/src/expr/nat.c
index f3f8644..1235ba4 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -42,25 +42,25 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_NAT_TYPE:
- memcpy(&nat->type, data, sizeof(nat->type));
+ memcpy(&nat->type, data, data_len);
break;
case NFTNL_EXPR_NAT_FAMILY:
- memcpy(&nat->family, data, sizeof(nat->family));
+ memcpy(&nat->family, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_ADDR_MIN:
- memcpy(&nat->sreg_addr_min, data, sizeof(nat->sreg_addr_min));
+ memcpy(&nat->sreg_addr_min, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_ADDR_MAX:
- memcpy(&nat->sreg_addr_max, data, sizeof(nat->sreg_addr_max));
+ memcpy(&nat->sreg_addr_max, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_PROTO_MIN:
- memcpy(&nat->sreg_proto_min, data, sizeof(nat->sreg_proto_min));
+ memcpy(&nat->sreg_proto_min, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_PROTO_MAX:
- memcpy(&nat->sreg_proto_max, data, sizeof(nat->sreg_proto_max));
+ memcpy(&nat->sreg_proto_max, data, data_len);
break;
case NFTNL_EXPR_NAT_FLAGS:
- memcpy(&nat->flags, data, sizeof(nat->flags));
+ memcpy(&nat->flags, data, data_len);
break;
}
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index c5e8772..c015b88 100644
--- a/src/expr/numgen.c
+++ b/src/expr/numgen.c
@@ -35,16 +35,16 @@ nftnl_expr_ng_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_NG_DREG:
- memcpy(&ng->dreg, data, sizeof(ng->dreg));
+ memcpy(&ng->dreg, data, data_len);
break;
case NFTNL_EXPR_NG_MODULUS:
- memcpy(&ng->modulus, data, sizeof(ng->modulus));
+ memcpy(&ng->modulus, data, data_len);
break;
case NFTNL_EXPR_NG_TYPE:
- memcpy(&ng->type, data, sizeof(ng->type));
+ memcpy(&ng->type, data, data_len);
break;
case NFTNL_EXPR_NG_OFFSET:
- memcpy(&ng->offset, data, sizeof(ng->offset));
+ memcpy(&ng->offset, data, data_len);
break;
default:
return -1;
diff --git a/src/expr/objref.c b/src/expr/objref.c
index 59e1ddd..0053805 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -39,7 +39,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_OBJREF_IMM_TYPE:
- memcpy(&objref->imm.type, data, sizeof(objref->imm.type));
+ memcpy(&objref->imm.type, data, data_len);
break;
case NFTNL_EXPR_OBJREF_IMM_NAME:
objref->imm.name = strdup(data);
@@ -47,7 +47,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_OBJREF_SET_SREG:
- memcpy(&objref->set.sreg, data, sizeof(objref->set.sreg));
+ memcpy(&objref->set.sreg, data, data_len);
break;
case NFTNL_EXPR_OBJREF_SET_NAME:
objref->set.name = strdup(data);
@@ -55,7 +55,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_OBJREF_SET_ID:
- memcpy(&objref->set.id, data, sizeof(objref->set.id));
+ memcpy(&objref->set.id, data, data_len);
break;
}
return 0;
diff --git a/src/expr/osf.c b/src/expr/osf.c
index 1e4ceb0..060394b 100644
--- a/src/expr/osf.c
+++ b/src/expr/osf.c
@@ -25,13 +25,13 @@ static int nftnl_expr_osf_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_OSF_DREG:
- memcpy(&osf->dreg, data, sizeof(osf->dreg));
+ memcpy(&osf->dreg, data, data_len);
break;
case NFTNL_EXPR_OSF_TTL:
- memcpy(&osf->ttl, data, sizeof(osf->ttl));
+ memcpy(&osf->ttl, data, data_len);
break;
case NFTNL_EXPR_OSF_FLAGS:
- memcpy(&osf->flags, data, sizeof(osf->flags));
+ memcpy(&osf->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/payload.c b/src/expr/payload.c
index 76d38f7..35cd10c 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -43,28 +43,28 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_PAYLOAD_SREG:
- memcpy(&payload->sreg, data, sizeof(payload->sreg));
+ memcpy(&payload->sreg, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_DREG:
- memcpy(&payload->dreg, data, sizeof(payload->dreg));
+ memcpy(&payload->dreg, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_BASE:
- memcpy(&payload->base, data, sizeof(payload->base));
+ memcpy(&payload->base, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_OFFSET:
- memcpy(&payload->offset, data, sizeof(payload->offset));
+ memcpy(&payload->offset, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_LEN:
- memcpy(&payload->len, data, sizeof(payload->len));
+ memcpy(&payload->len, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_CSUM_TYPE:
- memcpy(&payload->csum_type, data, sizeof(payload->csum_type));
+ memcpy(&payload->csum_type, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_CSUM_OFFSET:
- memcpy(&payload->csum_offset, data, sizeof(payload->csum_offset));
+ memcpy(&payload->csum_offset, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_FLAGS:
- memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags));
+ memcpy(&payload->csum_flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/queue.c b/src/expr/queue.c
index 54792ef..09220c4 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -34,16 +34,16 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_QUEUE_NUM:
- memcpy(&queue->queuenum, data, sizeof(queue->queuenum));
+ memcpy(&queue->queuenum, data, data_len);
break;
case NFTNL_EXPR_QUEUE_TOTAL:
- memcpy(&queue->queues_total, data, sizeof(queue->queues_total));
+ memcpy(&queue->queues_total, data, data_len);
break;
case NFTNL_EXPR_QUEUE_FLAGS:
- memcpy(&queue->flags, data, sizeof(queue->flags));
+ memcpy(&queue->flags, data, data_len);
break;
case NFTNL_EXPR_QUEUE_SREG_QNUM:
- memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum));
+ memcpy(&queue->sreg_qnum, data, data_len);
break;
}
return 0;
diff --git a/src/expr/quota.c b/src/expr/quota.c
index 60631fe..ddf232f 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -33,13 +33,13 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_QUOTA_BYTES:
- memcpy(&quota->bytes, data, sizeof(quota->bytes));
+ memcpy(&quota->bytes, data, data_len);
break;
case NFTNL_EXPR_QUOTA_CONSUMED:
- memcpy(&quota->consumed, data, sizeof(quota->consumed));
+ memcpy(&quota->consumed, data, data_len);
break;
case NFTNL_EXPR_QUOTA_FLAGS:
- memcpy(&quota->flags, data, sizeof(quota->flags));
+ memcpy(&quota->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/range.c b/src/expr/range.c
index 6310b79..96bb140 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -34,10 +34,10 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_RANGE_SREG:
- memcpy(&range->sreg, data, sizeof(range->sreg));
+ memcpy(&range->sreg, data, data_len);
break;
case NFTNL_EXPR_RANGE_OP:
- memcpy(&range->op, data, sizeof(range->op));
+ memcpy(&range->op, data, data_len);
break;
case NFTNL_EXPR_RANGE_FROM_DATA:
return nftnl_data_cpy(&range->data_from, data, data_len);
diff --git a/src/expr/redir.c b/src/expr/redir.c
index 69095bd..9971306 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -34,13 +34,13 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_REDIR_REG_PROTO_MIN:
- memcpy(&redir->sreg_proto_min, data, sizeof(redir->sreg_proto_min));
+ memcpy(&redir->sreg_proto_min, data, data_len);
break;
case NFTNL_EXPR_REDIR_REG_PROTO_MAX:
- memcpy(&redir->sreg_proto_max, data, sizeof(redir->sreg_proto_max));
+ memcpy(&redir->sreg_proto_max, data, data_len);
break;
case NFTNL_EXPR_REDIR_FLAGS:
- memcpy(&redir->flags, data, sizeof(redir->flags));
+ memcpy(&redir->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/reject.c b/src/expr/reject.c
index f97011a..9090db3 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -33,10 +33,10 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_REJECT_TYPE:
- memcpy(&reject->type, data, sizeof(reject->type));
+ memcpy(&reject->type, data, data_len);
break;
case NFTNL_EXPR_REJECT_CODE:
- memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code));
+ memcpy(&reject->icmp_code, data, data_len);
break;
}
return 0;
diff --git a/src/expr/rt.c b/src/expr/rt.c
index 0ab2556..ff4fd03 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -32,10 +32,10 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_RT_KEY:
- memcpy(&rt->key, data, sizeof(rt->key));
+ memcpy(&rt->key, data, data_len);
break;
case NFTNL_EXPR_RT_DREG:
- memcpy(&rt->dreg, data, sizeof(rt->dreg));
+ memcpy(&rt->dreg, data, data_len);
break;
}
return 0;
diff --git a/src/expr/socket.c b/src/expr/socket.c
index d0d8e23..7a25cdf 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -33,13 +33,13 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_SOCKET_KEY:
- memcpy(&socket->key, data, sizeof(socket->key));
+ memcpy(&socket->key, data, data_len);
break;
case NFTNL_EXPR_SOCKET_DREG:
- memcpy(&socket->dreg, data, sizeof(socket->dreg));
+ memcpy(&socket->dreg, data, data_len);
break;
case NFTNL_EXPR_SOCKET_LEVEL:
- memcpy(&socket->level, data, sizeof(socket->level));
+ memcpy(&socket->level, data, data_len);
break;
}
return 0;
diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
index 898d292..97c321b 100644
--- a/src/expr/synproxy.c
+++ b/src/expr/synproxy.c
@@ -23,13 +23,13 @@ static int nftnl_expr_synproxy_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_SYNPROXY_MSS:
- memcpy(&synproxy->mss, data, sizeof(synproxy->mss));
+ memcpy(&synproxy->mss, data, data_len);
break;
case NFTNL_EXPR_SYNPROXY_WSCALE:
- memcpy(&synproxy->wscale, data, sizeof(synproxy->wscale));
+ memcpy(&synproxy->wscale, data, data_len);
break;
case NFTNL_EXPR_SYNPROXY_FLAGS:
- memcpy(&synproxy->flags, data, sizeof(synproxy->flags));
+ memcpy(&synproxy->flags, data, data_len);
break;
}
return 0;
diff --git a/src/expr/target.c b/src/expr/target.c
index 9bfd25b..8259a20 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -46,7 +46,7 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type,
(const char *) data);
break;
case NFTNL_EXPR_TG_REV:
- memcpy(&tg->rev, data, sizeof(tg->rev));
+ memcpy(&tg->rev, data, data_len);
break;
case NFTNL_EXPR_TG_INFO:
if (e->flags & (1 << NFTNL_EXPR_TG_INFO))
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index 4948392..9391ce8 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -34,13 +34,13 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_TPROXY_FAMILY:
- memcpy(&tproxy->family, data, sizeof(tproxy->family));
+ memcpy(&tproxy->family, data, data_len);
break;
case NFTNL_EXPR_TPROXY_REG_ADDR:
- memcpy(&tproxy->sreg_addr, data, sizeof(tproxy->sreg_addr));
+ memcpy(&tproxy->sreg_addr, data, data_len);
break;
case NFTNL_EXPR_TPROXY_REG_PORT:
- memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port));
+ memcpy(&tproxy->sreg_port, data, data_len);
break;
}
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index 8089d0b..861e56d 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -31,10 +31,10 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_TUNNEL_KEY:
- memcpy(&tunnel->key, data, sizeof(tunnel->key));
+ memcpy(&tunnel->key, data, data_len);
break;
case NFTNL_EXPR_TUNNEL_DREG:
- memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg));
+ memcpy(&tunnel->dreg, data, data_len);
break;
}
return 0;
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index dc867a2..2585579 100644
--- a/src/expr/xfrm.c
+++ b/src/expr/xfrm.c
@@ -33,16 +33,16 @@ nftnl_expr_xfrm_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_XFRM_KEY:
- memcpy(&x->key, data, sizeof(x->key));
+ memcpy(&x->key, data, data_len);
break;
case NFTNL_EXPR_XFRM_DIR:
- memcpy(&x->dir, data, sizeof(x->dir));
+ memcpy(&x->dir, data, data_len);
break;
case NFTNL_EXPR_XFRM_SPNUM:
- memcpy(&x->spnum, data, sizeof(x->spnum));
+ memcpy(&x->spnum, data, data_len);
break;
case NFTNL_EXPR_XFRM_DREG:
- memcpy(&x->dreg, data, sizeof(x->dreg));
+ memcpy(&x->dreg, data, data_len);
break;
default:
return -1;

38
SOURCES/0030-tests-Fix-objref-test-case.patch Normal file
View File

@ -0,0 +1,38 @@
From 9b450d7911b124884ceab1bc2df789505702d19f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 May 2024 22:52:28 +0200
Subject: [PATCH] tests: Fix objref test case
JIRA: https://issues.redhat.com/browse/RHEL-28515
Upstream Status: libnftnl commit c2982f81e0d15fb3109112945c73b93a53e21348
commit c2982f81e0d15fb3109112945c73b93a53e21348
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Dec 15 16:10:49 2023 +0100
tests: Fix objref test case
Probably a c'n'p bug, the test would allocate a lookup expression
instead of the objref one to be tested.
Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/nft-expr_objref-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/nft-expr_objref-test.c b/tests/nft-expr_objref-test.c
index 08e27ce..9e698df 100644
--- a/tests/nft-expr_objref-test.c
+++ b/tests/nft-expr_objref-test.c
@@ -52,7 +52,7 @@ int main(int argc, char *argv[])
b = nftnl_rule_alloc();
if (a == NULL || b == NULL)
print_err("OOM");
- ex = nftnl_expr_alloc("lookup");
+ ex = nftnl_expr_alloc("objref");
if (ex == NULL)
print_err("OOM");

217
SPECS/libnftnl.spec
View File

@ -1,19 +1,50 @@
%define rpmversion 1.2.2 %define libnftnl_rpmversion 1.2.6
%define specrelease 3 %define libnftnl_specrelease 4
Name: libnftnl Name: libnftnl
Version: %{rpmversion} Version: %{libnftnl_rpmversion}
Release: %{specrelease}%{?dist} Release: %{libnftnl_specrelease}%{?dist}%{?buildid}
Summary: Library for low-level interaction with nftables Netlink's API over libmnl Summary: Library for low-level interaction with nftables Netlink's API over libmnl
License: GPLv2+ License: GPLv2+
URL: http://netfilter.org/projects/libnftnl/ URL: https://netfilter.org/projects/libnftnl/
Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2 Source0: %{url}/files/%{name}-%{version}.tar.xz
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: libmnl-devel
Patch0001: 0001-libnftnl.map-Restore-custom-LIBNFTNL_RHEL_14-version.patch Patch1: 0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
Patch2: 0002-expr-fix-buffer-overflows-in-data-value-setters.patch
Patch3: 0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
Patch4: 0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
Patch5: 0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch
Patch6: 0006-udata-incorrect-userdata-buffer-size-validation.patch
Patch7: 0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch
Patch8: 0008-expr-Call-expr_ops-set-with-legal-types-only.patch
Patch9: 0009-include-Sync-nf_log.h-with-kernel-headers.patch
Patch10: 0010-expr-Introduce-struct-expr_ops-attr_policy.patch
Patch11: 0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch
Patch12: 0012-chain-Validate-NFTNL_CHAIN_USE-too.patch
Patch13: 0013-table-Validate-NFTNL_TABLE_USE-too.patch
Patch14: 0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch
Patch15: 0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch
Patch16: 0016-set-Validate-NFTNL_SET_ID-too.patch
Patch17: 0017-table-Validate-NFTNL_TABLE_OWNER-too.patch
Patch18: 0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch
Patch19: 0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch
Patch20: 0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch
Patch21: 0021-object-getters-take-const-struct.patch
Patch22: 0022-obj-Return-value-on-setters.patch
Patch23: 0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch
Patch24: 0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch
Patch25: 0025-obj-Introduce-struct-obj_ops-attr_policy.patch
Patch26: 0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch
Patch27: 0027-utils-Introduce-and-use-nftnl_set_str_attr.patch
Patch28: 0028-obj-Respect-data_len-when-setting-attributes.patch
Patch29: 0029-expr-Respect-data_len-when-setting-attributes.patch
Patch30: 0030-tests-Fix-objref-test-case.patch
BuildRequires: libmnl-devel
BuildRequires: gcc
BuildRequires: make
#BuildRequires: autoconf
#BuildRequires: automake
%description %description
A library for low-level interaction with nftables Netlink's API over libmnl. A library for low-level interaction with nftables Netlink's API over libmnl.
@ -33,23 +64,19 @@ developing applications that use %{name}.
# This is what autogen.sh (only in git repo) does - without it, patches changing # This is what autogen.sh (only in git repo) does - without it, patches changing
# Makefile.am cause the build system to regenerate Makefile.in and trying to use # Makefile.am cause the build system to regenerate Makefile.in and trying to use
# automake-1.14 for that which is not available in RHEL. # automake-1.14 for that which is not available in RHEL.
autoreconf -fi #autoreconf -fi
rm -rf autom4te*.cache #rm -rf autom4te*.cache
%configure --disable-static --disable-silent-rules %configure --disable-static --disable-silent-rules
make %{?_smp_mflags} %make_build
%check %check
make %{?_smp_mflags} check %make_build check
%install %install
%make_install %make_install
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files %files
%doc COPYING %doc COPYING
%{_libdir}/*.so.* %{_libdir}/*.so.*
@ -60,78 +87,116 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%{_includedir}/libnftnl %{_includedir}/libnftnl
%changelog %changelog
* Wed Jun 28 2023 Phil Sutter <psutter@redhat.com> [1.2.2-3.el8] * Thu May 09 2024 Phil Sutter <psutter@redhat.com> [1.2.6-4.el9]
- Export nftnl_set_elem_nlmsg_build symbol in the right version - Bump release for side-tag build with fixed libmnl (Phil Sutter) [RHEL-28515]
* Wed Jun 28 2023 Phil Sutter <psutter@redhat.com> [1.2.2-2.el8] * Wed May 08 2024 Phil Sutter <psutter@redhat.com> [1.2.6-3.el9]
- libnftnl.map: Restore custom LIBNFTNL_RHEL_14 version (Phil Sutter) [2211096] - tests: Fix objref test case (Phil Sutter) [RHEL-28515]
- expr: Respect data_len when setting attributes (Phil Sutter) [RHEL-28515]
- obj: Respect data_len when setting attributes (Phil Sutter) [RHEL-28515]
- utils: Introduce and use nftnl_set_str_attr() (Phil Sutter) [RHEL-28515]
- obj: Enforce attr_policy compliance in nftnl_obj_set_data() (Phil Sutter) [RHEL-28515]
- obj: Introduce struct obj_ops::attr_policy (Phil Sutter) [RHEL-28515]
- obj: Call obj_ops::set with legal attributes only (Phil Sutter) [RHEL-28515]
- obj: Repurpose struct obj_ops::max_attr field (Phil Sutter) [RHEL-28515]
- obj: Return value on setters (Phil Sutter) [RHEL-28515]
- object: getters take const struct (Phil Sutter) [RHEL-28515]
- utils: Fix for wrong variable use in nftnl_assert_validate() (Phil Sutter) [RHEL-28515]
- obj: synproxy: Use memcpy() to handle potentially unaligned data (Phil Sutter) [RHEL-28515]
- obj: Do not call nftnl_obj_set_data() with zero data_len (Phil Sutter) [RHEL-28515]
- table: Validate NFTNL_TABLE_OWNER, too (Phil Sutter) [RHEL-28515]
- set: Validate NFTNL_SET_ID, too (Phil Sutter) [RHEL-28515]
- obj: Validate NFTNL_OBJ_TYPE, too (Phil Sutter) [RHEL-28515]
- flowtable: Validate NFTNL_FLOWTABLE_SIZE, too (Phil Sutter) [RHEL-28515]
- table: Validate NFTNL_TABLE_USE, too (Phil Sutter) [RHEL-28515]
- chain: Validate NFTNL_CHAIN_USE, too (Phil Sutter) [RHEL-28515]
- expr: Enforce attr_policy compliance in nftnl_expr_set() (Phil Sutter) [RHEL-28515]
- expr: Introduce struct expr_ops::attr_policy (Phil Sutter) [RHEL-28515]
- include: Sync nf_log.h with kernel headers (Phil Sutter) [RHEL-28515]
- expr: Call expr_ops::set with legal types only (Phil Sutter) [RHEL-28515]
- expr: Repurpose struct expr_ops::max_attr field (Phil Sutter) [RHEL-28515]
- udata: incorrect userdata buffer size validation (Phil Sutter) [RHEL-28515]
- obj: ct_timeout: setter checks for timeout array boundaries (Phil Sutter) [RHEL-28515]
- set_elem: use nftnl_data_cpy() in NFTNL_SET_ELEM_{KEY,KEY_END,DATA} (Phil Sutter) [RHEL-28515]
- set: buffer overflow in NFTNL_SET_DESC_CONCAT setter (Phil Sutter) [RHEL-28515]
- expr: fix buffer overflows in data value setters (Phil Sutter) [RHEL-28515]
* Tue May 30 2023 Phil Sutter <psutter@redhat.com> [1.2.2-1.el8] * Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.2.6-2.el9]
- Rebase onto version 1.2.2 (Phil Sutter) [2211096] - spec: Avoid variable name clash, add missing dist tag (Phil Sutter) [RHEL-14149]
* Fri Jan 21 2022 Phil Sutter <psutter@redhat.com> [1.1.5-5.el8] * Thu Oct 26 2023 Phil Sutter <psutter@redhat.com> [1.2.6-1.el9]
- set: expose nftnl_set_elem_nlmsg_build() (Phil Sutter) [2040754] - set: Do not leave free'd expr_list elements in place (Phil Sutter) [RHEL-14149]
- expr: dynset: release stateful expression from .free path (Phil Sutter) [2040478] - Rebase onto version 1.2.6 (Phil Sutter) [RHEL-14149]
- set_elem: missing set and build for NFTNL_SET_ELEM_EXPR (Phil Sutter) [2040478]
* Wed Feb 19 2020 Phil Sutter <psutter@redhat.com> [1.1.5-4.el8] * Tue Jun 07 2022 Phil Sutter <psutter@redhat.com> - 1.2.2-1
- src: Fix for reading garbage in nftnl_chain getters (Phil Sutter) [1758673] - New version 1.2.2
* Fri Feb 14 2020 Phil Sutter <psutter@redhat.com> [1.1.5-3.el8] * Wed May 18 2022 Phil Sutter <psutter@redhat.com> - 1.2.1-1
- set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END (Phil Sutter) [1795223] - Fix debug printing for tcp option reset expression
- set: Add support for NFTA_SET_DESC_CONCAT attributes (Phil Sutter) [1795223] - new version 1.2.1
- include: resync nf_tables.h cache copy (Phil Sutter) [1795223]
* Fri Dec 06 2019 Phil Sutter <psutter@redhat.com> [1.1.5-2.el8] * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.9-4
- chain: Correctly check realloc() call (Phil Sutter) [1778952] - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- flowtable: Correctly check realloc() call (Phil Sutter) [1778952] Related: rhbz#1991688
- chain: Fix memleak in error path of nftnl_chain_parse_devs() (Phil Sutter) [1778952]
- flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs() (Phil Sutter) [1778952]
* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> [1.1.5-1.el8] * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.9-3
- Rebase onto upstream version 1.1.5 (Phil Sutter) [1717129] - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> [1.1.4-3.el8] * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.9-2
- set: Export nftnl_set_list_lookup_byname() (Phil Sutter) [1762563] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Oct 17 2019 Phil Sutter <psutter@redhat.com> [1.1.4-2.el8] * Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.1.9-1
- obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser (Phil Sutter) [1758673] - Update to 1.1.9. Fixes rhbz#1916855
- set_elem: Validate nftnl_set_elem_set() parameters (Phil Sutter) [1758673]
- obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data() (Phil Sutter) [1758673]
- set: Don't bypass checks in nftnl_set_set_u{32,64}() (Phil Sutter) [1758673]
- obj/tunnel: Fix for undefined behaviour (Phil Sutter) [1758673]
- set_elem: Fix return code of nftnl_set_elem_set() (Phil Sutter) [1758673]
- obj: ct_timeout: Check return code of mnl_attr_parse_nested() (Phil Sutter) [1758673]
* Fri Oct 04 2019 Phil Sutter <psutter@redhat.com> [1.1.4-1.el8] * Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.1.8-1
- Rebase to upstream version 1.1.4 (Phil Sutter) [1717129] - Update to 1.1.8. Fixes bug #1891597
* Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8] * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.7-3
- src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 29 2019 Phil Sutter <psutter@redhat.com> [1.1.1-3.el8] * Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.1.7-2
- src: chain: Fix nftnl_chain_rule_insert_at() (Phil Sutter) [1666495] - Use make macros
- src: chain: Add missing nftnl_chain_rule_del() (Phil Sutter) [1666495] - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- flowtable: Fix for reading garbage (Phil Sutter) [1661327]
- flowtable: Fix memleak in nftnl_flowtable_parse_devs() (Phil Sutter) [1661327]
- flowtable: Fix use after free in two spots (Phil Sutter) [1661327]
- flowtable: Add missing break (Phil Sutter) [1661327]
- object: Avoid obj_ops array overrun (Phil Sutter) [1661327]
* Mon Dec 17 2018 Phil Sutter <psutter@redhat.com> [1.1.1-2.el8] * Fri Jun 05 2020 Phil Sutter <psutter@redhat.com> - 1.1.7-1
- chain: Hash chain list by name (Phil Sutter) [1658533] - Rebase onto upstream version 1.1.7
- chain: Add lookup functions for chain list and rules in chain (Phil Sutter) [1658533]
- chain: Support per chain rules list (Phil Sutter) [1658533]
- src: remove nftnl_rule_cmp() and nftnl_expr_cmp() (Phil Sutter) [1658533]
* Thu Jul 12 2018 Phil Sutter <psutter@redhat.com> [1.1.1-1.el8] * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.5-2
- Rebase onto upstream version 1.1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
- Sync spec file with RHEL7
- Disable JSON parsing, deprecated by upstream
- Make use of builtin testsuite
* Sat Jun 23 2018 Phil Sutter - 1.0.9-3 * Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> - 1.1.5-1
- Drop leftover mxml dependency [1594917] - Update to 1.1.5. Fixes bug #1778850
* Fri Aug 23 2019 Kevin Fenzi <kevin@scrye.com> - 1.1.4-1
- Update to 1.1.4. Fixes bug #1743175
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Jun 16 2019 Kevin Fenzi <kevin@scrye.com> - 1.1.3-1
- Update to 1.1.3. Fixes bug #1714231
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 20 2018 Kevin Fenzi <kevin@scrye.com> - 1.1.1-5
- Fix FTBFS bug #1604620
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jun 25 2018 Phil Sutter <psutter@redhat.com> - 1.1.1-3
- Disable running tests/test-script.sh again, it breaks builds on big endian.
* Thu Jun 14 2018 Phil Sutter <psutter@redhat.com> - 1.1.1-2
- Drop leftover mxml dependency. Fixes bug #1594107
- Enable running tests/test-scrip.sh again when checking.
* Sat Jun 09 2018 Kevin Fenzi <kevin@scrye.com> - 1.1.1-1
- Update to 1.1.1. Fixes bug #1589403
* Fri May 04 2018 Kevin Fenzi <kevin@scrye.com> - 1.1.0-1
- Update to 1.1.0. Fixes bug #1574094
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild