| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Wrap the common parsing of string attributes in a function. Apart from
slightly reducing code size, this unifies callers in conditional freeing
of the field in case it was set before (missing in twelve spots) and
error checking for failing strdup()-calls (missing in four spots).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
Support simple (suffix) wildcards in NFTNL_{CHAIN,FLOWTABLE}_DEVICES
identified by NFTA_DEVICE_PREFIX attribute. Add helpers converting to
and from the human-readable asterisk-suffix notation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
After commit 80077787f8f2 ("src: remove json support"), these internal
functions are no longer used:
nftnl_str2hooknum
nftnl_str2ntoh
nftnl_str2cmp
str2ctkey
str2ctdir
str2exthdr_op
str2exthdr_type
str2meta_key
nftnl_str2nat
nftnl_str2range
str2rt_key
nftnl_str2hooknum
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
This data structure holds an array of allocated strings for use in
nftnl_chain and nftnl_flowtable structs. For convenience, implement
functions to clear, populate and iterate over contents.
While at it, extend chain and flowtable tests to cover these attributes,
too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
The function consolidates the necessary code when assigning to string
pointer attributes, namely:
* Conditional free of the previous value
* Allocation of new value
* Checking for memory allocation errors
* Setting respective flag bit
A new feature previously missing in all call sites is respecting
data_len in case the buffer up to that point did not contain a NUL-char.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
Fixes: cdaea7f1ced05 ("flowtable: allow to specify size")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
Replace each by a conditional testing the only valid case.
There is one odd example, namely src/set.c: When printing a set with
type NFTNL_OUTPUT_XML, the relevant function would return 0 instead of
-1 like all others. Just drop it assuming nothing depends on that
(faulty) behaviour.
Cc: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
A common idiom among snprintf callbacks was to copy the unsigned
parameter 'size' (or 'len') into a signed variable for further use.
Though since snprintf() itself casts it to unsigned and
SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not
needed. Drop the local variable and rename the parameter accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
The logic to build NFTA_FLOWTABLE_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
The original intention in eb58f53372e7 ("src: add flowtable support")
was to introduce this helper function. Add helper to set and to get
array of strings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|
In {s,u}{32,64} type getters nftnl_assert() is called to make sure
returned data length matches expectations. Therefore all attributes must
set data_len, which NFTNL_CHAIN_DEVICES didn't.
While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as
well to make code a bit more consistent although the problem was fixed
for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading
garbage") already (but in the other direction).
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
Almost everything in this header is unused. The command defines
used in utils.c don't seem to be justified and have just been
replaced by their strings.
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
If realloc() fails, it returns NULL but the original pointer is
untouched and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
In error case, allocated dev_array is not freed.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Never defined in upstream Linux kernel uAPI, remove it.
Reported-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Eric Garver <eric@garver.life>
|
Add code to implement NFTA_FLOWTABLE_HANDLE
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
These functions make assumptions on size of passed data pointer and
therefore tend to hide programming mistakes. Instead either one of the
type-specific setters or the generic *_set_data() setter should be used.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
clang does not allow attribute declarations after definitions:
flowtable.c:41:1: warning: attribute declaration must precede definition [-Wignored-attributes]
EXPORT_SYMBOL(nftnl_flowtable_alloc);
^
../include/utils.h:13:41: note: expanded from macro 'EXPORT_SYMBOL'
# define EXPORT_SYMBOL(x) typeof(x) (x) __visible;
^
../include/utils.h:12:35: note: expanded from macro '__visible'
# define __visible __attribute__((visibility("default")))
^
flowtable.c:37:25: note: previous definition is here
struct nftnl_flowtable *nftnl_flowtable_alloc(void)
Move attribute declarations before the symbol definitions just like
it's done in other source files.
Signed-off-by: Marvin Schmidt <marvin_schmidt@gmx.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Remove artificial upper limit of 8 devices per flowtable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
nftnl_flowtable_get_data() doesn't assign to passed data_len pointer
destination in all cases, so initialize it to 0.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Allocated strings in dev_array were not freed. Fix this by freeing them
on error path and assigning them to c->dev_array directly in regular
path.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
When freeing flowtable devices array, the loop freeing each device
string incorrectly included the call to free the device array itself.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
case fell through and the same value was copied into ft_flags field.
This can't be right.
Fixes: 41fe3d38ba34b ("flowtable: support for flags")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
We have better json support in libnftables these days.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
one-line wrapper, callers can use nftnl_flowtable_get/set instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
This new attribute allows you to specify the flowtable flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
This new attribute allows you to specify the flowtable size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
This patch allows you to add, delete and list flowtable through the
existing netlink interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|