basebuilder_pel7x64builder0
5 years ago
20 changed files with 6481 additions and 0 deletions
@ -0,0 +1,208 @@
@@ -0,0 +1,208 @@
|
||||
From ae89c5b2865f77ac5e3f8e6c74c9b07296a1acdf Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Thu, 14 Dec 2017 14:17:27 +0100 |
||||
Subject: [PATCH] src: fix protocol context update on big-endian systems |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1523016 |
||||
Upstream Status: nftables commit a2c55e04d5a11 |
||||
|
||||
commit a2c55e04d5a1187914cba2c02810db94de499ace |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Sat Dec 9 16:52:29 2017 +0100 |
||||
|
||||
src: fix protocol context update on big-endian systems |
||||
|
||||
There is an obscure bug on big-endian systems when trying to list a rule |
||||
containing the expression 'ct helper tftp' which triggers the assert() |
||||
call in mpz_get_type(). |
||||
|
||||
Florian identified the cause: ct_expr_pctx_update() is called for the |
||||
relational expression which calls mpz_get_uint32() to get RHS value |
||||
(assuming it is a protocol number). On big-endian systems, the |
||||
misinterpreted value exceeds UINT_MAX. |
||||
|
||||
Expressions' pctx_update() callback should only be called for protocol |
||||
matches, so ct_meta_common_postprocess() lacked a check for 'left->flags |
||||
& EXPR_F_PROTOCOL' like the one already present in |
||||
payload_expr_pctx_update(). |
||||
|
||||
In order to fix this in a clean way, this patch introduces a wrapper |
||||
relational_expr_pctx_update() to be used instead of directly calling |
||||
LHS's pctx_update() callback which unifies the necessary checks (and |
||||
adds one more assert): |
||||
|
||||
- assert(expr->ops->type == EXPR_RELATIONAL) |
||||
-> This is new, just to ensure the wrapper is called properly. |
||||
- assert(expr->op == OP_EQ) |
||||
-> This was moved from {ct,meta,payload}_expr_pctx_update(). |
||||
- left->ops->pctx_update != NULL |
||||
-> This was taken from expr_evaluate_relational(), a necessary |
||||
requirement for the introduced wrapper to function at all. |
||||
- (left->flags & EXPR_F_PROTOCOL) != 0 |
||||
-> The crucial missing check which led to the problem. |
||||
|
||||
Suggested-by: Florian Westphal <fw@strlen.de> |
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
--- |
||||
include/expression.h | 3 +++ |
||||
src/ct.c | 2 -- |
||||
src/evaluate.c | 6 ++---- |
||||
src/expression.c | 13 +++++++++++++ |
||||
src/meta.c | 2 -- |
||||
src/netlink.c | 2 +- |
||||
src/netlink_delinearize.c | 4 ++-- |
||||
src/payload.c | 7 +------ |
||||
8 files changed, 22 insertions(+), 17 deletions(-) |
||||
|
||||
diff --git a/include/expression.h b/include/expression.h |
||||
index 215cbc9..915ce0b 100644 |
||||
--- a/include/expression.h |
||||
+++ b/include/expression.h |
||||
@@ -369,6 +369,9 @@ extern struct expr *binop_expr_alloc(const struct location *loc, enum ops op, |
||||
extern struct expr *relational_expr_alloc(const struct location *loc, enum ops op, |
||||
struct expr *left, struct expr *right); |
||||
|
||||
+extern void relational_expr_pctx_update(struct proto_ctx *ctx, |
||||
+ const struct expr *expr); |
||||
+ |
||||
extern struct expr *verdict_expr_alloc(const struct location *loc, |
||||
int verdict, const char *chain); |
||||
|
||||
diff --git a/src/ct.c b/src/ct.c |
||||
index 58b873e..8ab32e9 100644 |
||||
--- a/src/ct.c |
||||
+++ b/src/ct.c |
||||
@@ -327,8 +327,6 @@ static void ct_expr_pctx_update(struct proto_ctx *ctx, const struct expr *expr) |
||||
const struct proto_desc *base = NULL, *desc; |
||||
uint32_t nhproto; |
||||
|
||||
- assert(expr->op == OP_EQ); |
||||
- |
||||
nhproto = mpz_get_uint32(right->value); |
||||
|
||||
base = ctx->protocol[left->ct.base].desc; |
||||
diff --git a/src/evaluate.c b/src/evaluate.c |
||||
index 618e188..f16bb33 100644 |
||||
--- a/src/evaluate.c |
||||
+++ b/src/evaluate.c |
||||
@@ -743,7 +743,7 @@ static int ct_gen_nh_dependency(struct eval_ctx *ctx, struct expr *ct) |
||||
constant_data_ptr(ct->ct.nfproto, left->len)); |
||||
dep = relational_expr_alloc(&ct->location, OP_EQ, left, right); |
||||
|
||||
- left->ops->pctx_update(&ctx->pctx, dep); |
||||
+ relational_expr_pctx_update(&ctx->pctx, dep); |
||||
|
||||
nstmt = expr_stmt_alloc(&dep->location, dep); |
||||
|
||||
@@ -1632,9 +1632,7 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) |
||||
* Update protocol context for payload and meta iiftype |
||||
* equality expressions. |
||||
*/ |
||||
- if (left->flags & EXPR_F_PROTOCOL && |
||||
- left->ops->pctx_update) |
||||
- left->ops->pctx_update(&ctx->pctx, rel); |
||||
+ relational_expr_pctx_update(&ctx->pctx, rel); |
||||
|
||||
if (left->ops->type == EXPR_CONCAT) |
||||
return 0; |
||||
diff --git a/src/expression.c b/src/expression.c |
||||
index fc1097a..f8b560c 100644 |
||||
--- a/src/expression.c |
||||
+++ b/src/expression.c |
||||
@@ -600,6 +600,19 @@ struct expr *relational_expr_alloc(const struct location *loc, enum ops op, |
||||
return expr; |
||||
} |
||||
|
||||
+void relational_expr_pctx_update(struct proto_ctx *ctx, |
||||
+ const struct expr *expr) |
||||
+{ |
||||
+ const struct expr *left = expr->left; |
||||
+ |
||||
+ assert(expr->ops->type == EXPR_RELATIONAL); |
||||
+ assert(expr->op == OP_EQ); |
||||
+ |
||||
+ if (left->ops->pctx_update && |
||||
+ (left->flags & EXPR_F_PROTOCOL)) |
||||
+ left->ops->pctx_update(ctx, expr); |
||||
+} |
||||
+ |
||||
static void range_expr_print(const struct expr *expr, struct output_ctx *octx) |
||||
{ |
||||
octx->numeric += NUMERIC_ALL + 1; |
||||
diff --git a/src/meta.c b/src/meta.c |
||||
index 56b9e29..3c31174 100644 |
||||
--- a/src/meta.c |
||||
+++ b/src/meta.c |
||||
@@ -482,8 +482,6 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx, |
||||
const struct proto_desc *desc; |
||||
uint8_t protonum; |
||||
|
||||
- assert(expr->op == OP_EQ); |
||||
- |
||||
switch (left->meta.key) { |
||||
case NFT_META_IIFTYPE: |
||||
if (h->base < PROTO_BASE_NETWORK_HDR && |
||||
diff --git a/src/netlink.c b/src/netlink.c |
||||
index d5d410a..5d6f5ce 100644 |
||||
--- a/src/netlink.c |
||||
+++ b/src/netlink.c |
||||
@@ -2729,7 +2729,7 @@ restart: |
||||
list_add_tail(&stmt->list, &unordered); |
||||
|
||||
desc = ctx->protocol[base].desc; |
||||
- lhs->ops->pctx_update(ctx, rel); |
||||
+ relational_expr_pctx_update(ctx, rel); |
||||
} |
||||
|
||||
expr_free(rhs); |
||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c |
||||
index 4432887..11fd330 100644 |
||||
--- a/src/netlink_delinearize.c |
||||
+++ b/src/netlink_delinearize.c |
||||
@@ -1329,7 +1329,7 @@ static void payload_match_expand(struct rule_pp_ctx *ctx, |
||||
nexpr = relational_expr_alloc(&expr->location, expr->op, |
||||
left, tmp); |
||||
if (expr->op == OP_EQ) |
||||
- left->ops->pctx_update(&ctx->pctx, nexpr); |
||||
+ relational_expr_pctx_update(&ctx->pctx, nexpr); |
||||
|
||||
nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr); |
||||
list_add_tail(&nstmt->list, &ctx->stmt->list); |
||||
@@ -1397,7 +1397,7 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx, |
||||
if (expr->right->ops->type == EXPR_RANGE) |
||||
break; |
||||
|
||||
- expr->left->ops->pctx_update(&ctx->pctx, expr); |
||||
+ relational_expr_pctx_update(&ctx->pctx, expr); |
||||
|
||||
if (ctx->pdctx.pbase == PROTO_BASE_INVALID && |
||||
left->flags & EXPR_F_PROTOCOL) { |
||||
diff --git a/src/payload.c b/src/payload.c |
||||
index aa8a95a..60090ac 100644 |
||||
--- a/src/payload.c |
||||
+++ b/src/payload.c |
||||
@@ -84,11 +84,6 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, |
||||
const struct proto_desc *base, *desc; |
||||
unsigned int proto = 0; |
||||
|
||||
- if (!(left->flags & EXPR_F_PROTOCOL)) |
||||
- return; |
||||
- |
||||
- assert(expr->op == OP_EQ); |
||||
- |
||||
/* Export the data in the correct byte order */ |
||||
assert(right->len / BITS_PER_BYTE <= sizeof(proto)); |
||||
mpz_export_data(constant_data_ptr(proto, right->len), right->value, |
||||
@@ -240,7 +235,7 @@ static int payload_add_dependency(struct eval_ctx *ctx, |
||||
return expr_error(ctx->msgs, expr, |
||||
"dependency statement is invalid"); |
||||
} |
||||
- left->ops->pctx_update(&ctx->pctx, dep); |
||||
+ relational_expr_pctx_update(&ctx->pctx, dep); |
||||
*res = stmt; |
||||
return 0; |
||||
} |
||||
-- |
||||
1.8.3.1 |
||||
|
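Review bot: The new relational_expr_pctx_update() in src/expression.c enforces its OP_EQ precondition only with assert(), and the call added to ct_meta_common_postprocess() in src/netlink_delinearize.c shows no op guard inside the hunk, unlike the payload_match_expand() call which keeps `if (expr->op == OP_EQ)`; presumably the former sits under a `case OP_EQ:` outside the hunk, but with NDEBUG the assert vanishes and nothing else stops a non-equality relational from reaching the callback. Note also that ct_expr_pctx_update() in src/ct.c still calls `mpz_get_uint32(right->value)` with no check of its own, so it now depends entirely on the wrapper's EXPR_F_PROTOCOL test for values delinearized from the kernel. A contract comment on the wrapper would make both dependencies explicit: `/* Update the protocol context from an OP_EQ relational expression. No-op unless the LHS is a protocol match with a pctx_update callback; callers must guarantee OP_EQ. */`. The bodies of the modified callbacks start outside their hunks.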
@ -0,0 +1,48 @@
@@ -0,0 +1,48 @@
|
||||
From d0d83585f7f6a74ac02338a37c6860cd2f26b33b Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Thu, 14 Dec 2017 14:18:17 +0100 |
||||
Subject: [PATCH] netlink_linearize: exthdr op must be u32 |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1524246 |
||||
Upstream Status: nftables commit 80f5d7fd66895 |
||||
|
||||
commit 80f5d7fd66895c651c9d1e35b2353f3020ffb538 |
||||
Author: Florian Westphal <fw@strlen.de> |
||||
Date: Mon Dec 11 10:06:55 2017 +0100 |
||||
|
||||
netlink_linearize: exthdr op must be u32 |
||||
|
||||
libnftnl casts this to u32. Broke exthdr expressions on bigendian. |
||||
|
||||
Reported-by: Li Shuang <shuali@redhat.com> |
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/netlink_linearize.c | 4 ++-- |
||||
1 file changed, 2 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c |
||||
index fb2d250..a268dcc 100644 |
||||
--- a/src/netlink_linearize.c |
||||
+++ b/src/netlink_linearize.c |
||||
@@ -178,7 +178,7 @@ static void netlink_gen_exthdr(struct netlink_linearize_ctx *ctx, |
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE); |
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN, |
||||
div_round_up(expr->len, BITS_PER_BYTE)); |
||||
- nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); |
||||
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); |
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_FLAGS, expr->exthdr.flags); |
||||
nftnl_rule_add_expr(ctx->nlr, nle); |
||||
} |
||||
@@ -839,7 +839,7 @@ static void netlink_gen_exthdr_stmt(struct netlink_linearize_ctx *ctx, |
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE); |
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN, |
||||
div_round_up(expr->len, BITS_PER_BYTE)); |
||||
- nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); |
||||
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op); |
||||
nftnl_rule_add_expr(ctx->nlr, nle); |
||||
} |
||||
|
||||
-- |
||||
1.8.3.1 |
||||
|
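Review bot: The width of NFTNL_EXPR_EXTHDR_OP is now an unrecorded contract with libnftnl in netlink_gen_exthdr(); nothing at the set_u32 call tells a later reader why the u8 setter is wrong, so the regression could be reintroduced. Add `/* libnftnl stores NFTNL_EXPR_EXTHDR_OP as u32; a narrower setter mis-encodes it on big-endian */` above the call, and the same comment applies to netlink_gen_exthdr_stmt() in the second hunk. The delinearize side is not in this patch; it presumably uses the matching u32 getter, which is worth confirming.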
@ -0,0 +1,63 @@
@@ -0,0 +1,63 @@
|
||||
From ed405d0eafc7b1f71013cf42f9ed550d64ec56c5 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 6 Jun 2018 10:44:43 +0200 |
||||
Subject: [PATCH] src: avoid errouneous assert with map+concat |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1540917 |
||||
Upstream Status: nftables commit 483e5ea7167e1 |
||||
|
||||
commit 483e5ea7167e1537accf4cb083b88a8beea8f834 |
||||
Author: Florian Westphal <fw@strlen.de> |
||||
Date: Tue Mar 27 09:29:54 2018 +0200 |
||||
|
||||
src: avoid errouneous assert with map+concat |
||||
|
||||
Phil reported following assert: |
||||
|
||||
add rule ip6 f o mark set ip6 saddr . ip6 daddr . tcp dport \ |
||||
map { dead::beef . f00::. 22 : 1 } |
||||
nft: netlink_linearize.c:655: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. |
||||
|
||||
This happens because "mark set" will allocate one register (the dreg), |
||||
but netlink_gen_concat_expr will populate a lot more register space if |
||||
the concat expression strings a lot of expressions together. |
||||
|
||||
As the assert is useful pseudo-reserve the register space as per |
||||
concat->len and undo after generating the expressions. |
||||
|
||||
Reported-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
--- |
||||
src/netlink_linearize.c | 8 ++++++++ |
||||
1 file changed, 8 insertions(+) |
||||
|
||||
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c |
||||
index a268dcc..e9a4515 100644 |
||||
--- a/src/netlink_linearize.c |
||||
+++ b/src/netlink_linearize.c |
||||
@@ -243,6 +243,7 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx, |
||||
{ |
||||
struct nftnl_expr *nle; |
||||
enum nft_registers sreg; |
||||
+ int regspace = 0; |
||||
|
||||
assert(expr->mappings->ops->type == EXPR_SET_REF); |
||||
|
||||
@@ -251,7 +252,14 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx, |
||||
else |
||||
sreg = dreg; |
||||
|
||||
+ /* suppress assert in netlink_gen_expr */ |
||||
+ if (expr->map->ops->type == EXPR_CONCAT) { |
||||
+ regspace = netlink_register_space(expr->map->len); |
||||
+ ctx->reg_low += regspace; |
||||
+ } |
||||
+ |
||||
netlink_gen_expr(ctx, expr->map, sreg); |
||||
+ ctx->reg_low -= regspace; |
||||
|
||||
nle = alloc_nft_expr("lookup"); |
||||
netlink_put_register(nle, NFTNL_EXPR_LOOKUP_SREG, sreg); |
||||
-- |
||||
1.8.3.1 |
||||
|
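Review bot: The comment `/* suppress assert in netlink_gen_expr */` added to netlink_gen_map() describes the mechanism rather than the invariant, so a reader cannot tell why only the EXPR_CONCAT key needs extra registers. Suggest `/* A concat key occupies netlink_register_space(len) registers beyond dreg; reserve them so the dreg < reg_low check in netlink_gen_expr() holds for each sub-expression, then release below. */`. The unconditional `ctx->reg_low -= regspace;` is correct because regspace stays 0 for non-concat keys. Whether the bump can push reg_low past the register file is not checked here; if netlink_register_space() does not bound it, an upper-bound check may be warranted, though that cannot be confirmed from the hunk.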
@ -0,0 +1,121 @@
@@ -0,0 +1,121 @@
|
||||
From 8a8b80fafcbf3843e1736daff707b7cb5b64f31f Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:00 +0200 |
||||
Subject: [PATCH] Review switch statements for unmarked fall through cases |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 7f31d3191622b |
||||
|
||||
commit 7f31d3191622b650521014e311ace96aa7c5522c |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Wed Feb 28 16:06:16 2018 +0100 |
||||
|
||||
Review switch statements for unmarked fall through cases |
||||
|
||||
While revisiting all of them, clear a few oddities as well: |
||||
|
||||
- There's no point in marking empty fall through cases: They are easy to |
||||
spot and a common concept when using switch(). |
||||
|
||||
- Fix indenting of break statement in one occasion. |
||||
|
||||
- Drop needless braces around one case which doesn't declare variables. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
--- |
||||
src/ct.c | 2 +- |
||||
src/evaluate.c | 1 + |
||||
src/hash.c | 2 +- |
||||
src/netlink_delinearize.c | 1 + |
||||
src/rule.c | 5 +++-- |
||||
5 files changed, 7 insertions(+), 4 deletions(-) |
||||
|
||||
diff --git a/src/ct.c b/src/ct.c |
||||
index 8ab32e9..1e06013 100644 |
||||
--- a/src/ct.c |
||||
+++ b/src/ct.c |
||||
@@ -289,7 +289,7 @@ static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto, |
||||
} |
||||
|
||||
switch (key) { |
||||
- case NFT_CT_SRC: /* fallthrough */ |
||||
+ case NFT_CT_SRC: |
||||
case NFT_CT_DST: |
||||
desc = proto_find_upper(&proto_inet, nfproto); |
||||
if (desc) |
||||
diff --git a/src/evaluate.c b/src/evaluate.c |
||||
index f16bb33..25a7376 100644 |
||||
--- a/src/evaluate.c |
||||
+++ b/src/evaluate.c |
||||
@@ -2705,6 +2705,7 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt) |
||||
|
||||
map->mappings->set->flags |= |
||||
map->mappings->set->init->set_flags; |
||||
+ /* fall through */ |
||||
case EXPR_SYMBOL: |
||||
if (expr_evaluate(ctx, &map->mappings) < 0) |
||||
return -1; |
||||
diff --git a/src/hash.c b/src/hash.c |
||||
index 9cd3c8c..3355cad 100644 |
||||
--- a/src/hash.c |
||||
+++ b/src/hash.c |
||||
@@ -20,7 +20,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx) |
||||
switch (expr->hash.type) { |
||||
case NFT_HASH_SYM: |
||||
nft_print(octx, "symhash"); |
||||
- break; |
||||
+ break; |
||||
case NFT_HASH_JENKINS: |
||||
default: |
||||
nft_print(octx, "jhash "); |
||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c |
||||
index 11fd330..61cba52 100644 |
||||
--- a/src/netlink_delinearize.c |
||||
+++ b/src/netlink_delinearize.c |
||||
@@ -1411,6 +1411,7 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx, |
||||
case OP_NEQ: |
||||
if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF) |
||||
break; |
||||
+ /* fall through */ |
||||
case OP_LOOKUP: |
||||
expr_set_type(right, left->dtype, left->byteorder); |
||||
break; |
||||
diff --git a/src/rule.c b/src/rule.c |
||||
index d744cf6..e7ccb2b 100644 |
||||
--- a/src/rule.c |
||||
+++ b/src/rule.c |
||||
@@ -1297,7 +1297,7 @@ static void obj_print_data(const struct obj *obj, |
||||
} |
||||
} |
||||
break; |
||||
- case NFT_OBJECT_CT_HELPER: { |
||||
+ case NFT_OBJECT_CT_HELPER: |
||||
nft_print(octx, "ct helper %s {\n", obj->handle.obj); |
||||
nft_print(octx, "\t\ttype \"%s\" protocol ", |
||||
obj->ct_helper.name); |
||||
@@ -1305,7 +1305,6 @@ static void obj_print_data(const struct obj *obj, |
||||
nft_print(octx, "\t\tl3proto %s", |
||||
family2str(obj->ct_helper.l3proto)); |
||||
break; |
||||
- } |
||||
case NFT_OBJECT_LIMIT: { |
||||
bool inv = obj->limit.flags & NFT_LIMIT_F_INV; |
||||
const char *data_unit; |
||||
@@ -1617,11 +1616,13 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd) |
||||
switch (cmd->obj) { |
||||
case CMD_OBJ_COUNTERS: |
||||
dump = true; |
||||
+ /* fall through */ |
||||
case CMD_OBJ_COUNTER: |
||||
type = NFT_OBJECT_COUNTER; |
||||
break; |
||||
case CMD_OBJ_QUOTAS: |
||||
dump = true; |
||||
+ /* fall through */ |
||||
case CMD_OBJ_QUOTA: |
||||
type = NFT_OBJECT_QUOTA; |
||||
break; |
||||
-- |
||||
1.8.3.1 |
||||
|
@ -0,0 +1,128 @@
@@ -0,0 +1,128 @@
|
||||
From 696fd8bbb2c654a1d16849fef0f0ae362739def4 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:00 +0200 |
||||
Subject: [PATCH] monitor: Make trace events respect output_fp |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 657472843e7a7 |
||||
|
||||
commit 657472843e7a7a4bc7f756356e6636b1f197b745 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Wed Feb 28 16:04:27 2018 +0100 |
||||
|
||||
monitor: Make trace events respect output_fp |
||||
|
||||
Seems like this was incompletely converted, part of the output went to |
||||
output_fp already. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/netlink.c | 38 +++++++++++++++++++++----------------- |
||||
1 file changed, 21 insertions(+), 17 deletions(-) |
||||
|
||||
diff --git a/src/netlink.c b/src/netlink.c |
||||
index 5d6f5ce..d839ded 100644 |
||||
--- a/src/netlink.c |
||||
+++ b/src/netlink.c |
||||
@@ -2587,14 +2587,18 @@ static void netlink_events_cache_update(struct netlink_mon_handler *monh, |
||||
} |
||||
} |
||||
|
||||
-static void trace_print_hdr(const struct nftnl_trace *nlt) |
||||
+static void trace_print_hdr(const struct nftnl_trace *nlt, |
||||
+ struct output_ctx *octx) |
||||
{ |
||||
- printf("trace id %08x ", nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID)); |
||||
- printf("%s ", family2str(nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY))); |
||||
+ nft_print(octx, "trace id %08x %s ", |
||||
+ nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID), |
||||
+ family2str(nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY))); |
||||
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_TABLE)) |
||||
- printf("%s ", nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE)); |
||||
+ nft_print(octx, "%s ", |
||||
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE)); |
||||
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_CHAIN)) |
||||
- printf("%s ", nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN)); |
||||
+ nft_print(octx, "%s ", |
||||
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN)); |
||||
} |
||||
|
||||
static void trace_print_expr(const struct nftnl_trace *nlt, unsigned int attr, |
||||
@@ -2611,7 +2615,7 @@ static void trace_print_expr(const struct nftnl_trace *nlt, unsigned int attr, |
||||
rel = relational_expr_alloc(&netlink_location, OP_EQ, lhs, rhs); |
||||
|
||||
expr_print(rel, octx); |
||||
- printf(" "); |
||||
+ nft_print(octx, " "); |
||||
expr_free(rel); |
||||
} |
||||
|
||||
@@ -2661,12 +2665,12 @@ static void trace_print_rule(const struct nftnl_trace *nlt, |
||||
if (!rule) |
||||
return; |
||||
|
||||
- trace_print_hdr(nlt); |
||||
- printf("rule "); |
||||
+ trace_print_hdr(nlt, octx); |
||||
+ nft_print(octx, "rule "); |
||||
rule_print(rule, octx); |
||||
- printf(" ("); |
||||
+ nft_print(octx, " ("); |
||||
trace_print_verdict(nlt, octx); |
||||
- printf(")\n"); |
||||
+ nft_print(octx, ")\n"); |
||||
} |
||||
|
||||
static void trace_gen_stmts(struct list_head *stmts, |
||||
@@ -2775,9 +2779,9 @@ static void trace_print_packet(const struct nftnl_trace *nlt, |
||||
uint32_t nfproto; |
||||
struct stmt *stmt, *next; |
||||
|
||||
- trace_print_hdr(nlt); |
||||
+ trace_print_hdr(nlt, octx); |
||||
|
||||
- printf("packet: "); |
||||
+ nft_print(octx, "packet: "); |
||||
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_IIF)) |
||||
trace_print_expr(nlt, NFTNL_TRACE_IIF, |
||||
meta_expr_alloc(&netlink_location, |
||||
@@ -2813,10 +2817,10 @@ static void trace_print_packet(const struct nftnl_trace *nlt, |
||||
|
||||
list_for_each_entry_safe(stmt, next, &stmts, list) { |
||||
stmt_print(stmt, octx); |
||||
- printf(" "); |
||||
+ nft_print(octx, " "); |
||||
stmt_free(stmt); |
||||
} |
||||
- printf("\n"); |
||||
+ nft_print(octx, "\n"); |
||||
} |
||||
|
||||
static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, |
||||
@@ -2844,11 +2848,11 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFT_TRACETYPE_POLICY: |
||||
case NFT_TRACETYPE_RETURN: |
||||
- trace_print_hdr(nlt); |
||||
+ trace_print_hdr(nlt, monh->ctx->octx); |
||||
|
||||
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_VERDICT)) { |
||||
trace_print_verdict(nlt, monh->ctx->octx); |
||||
- printf(" "); |
||||
+ nft_mon_print(monh, " "); |
||||
} |
||||
|
||||
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_MARK)) |
||||
@@ -2856,7 +2860,7 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, |
||||
meta_expr_alloc(&netlink_location, |
||||
NFT_META_MARK), |
||||
monh->ctx->octx); |
||||
- printf("\n"); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
|
||||
-- |
||||
1.8.3.1 |
||||
|
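Review bot: netlink_events_trace_cb() now addresses the same output stream two ways within one hunk, `trace_print_hdr(nlt, monh->ctx->octx)` followed by `nft_mon_print(monh, " ")`, while the other trace helpers take an octx; picking one spelling per function would read more consistently. In trace_print_hdr() the `%08x` conversion is paired with nftnl_trace_get_u32(), which is fine where uint32_t is unsigned int; `PRIx32` from <inttypes.h> would be the exact form if the file already uses it. The enclosing functions of several hunks start and end outside the hunk.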
@ -0,0 +1,120 @@
@@ -0,0 +1,120 @@
|
||||
From fa5ccccd164b7285c4d105265ece4ea7ccdd996a Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:00 +0200 |
||||
Subject: [PATCH] monitor: Make JSON/XML output respect output_fp |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 59034b47590d7 |
||||
|
||||
commit 59034b47590d7cd19ba2fda24bf4426c355f95bc |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Wed Feb 28 16:04:28 2018 +0100 |
||||
|
||||
monitor: Make JSON/XML output respect output_fp |
||||
|
||||
Make sure events callbacks print to output_ctx-defined stream for any |
||||
type of output format. |
||||
|
||||
Since all of them use nft_print() as last call (if anything is printed |
||||
at all), the final call to fflush() in netlink_events_cb() can be |
||||
dropped. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/netlink.c | 37 ++++++++++++++++++------------------- |
||||
1 file changed, 18 insertions(+), 19 deletions(-) |
||||
|
||||
diff --git a/src/netlink.c b/src/netlink.c |
||||
index d839ded..ca0e207 100644 |
||||
--- a/src/netlink.c |
||||
+++ b/src/netlink.c |
||||
@@ -2015,9 +2015,9 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFTNL_OUTPUT_XML: |
||||
case NFTNL_OUTPUT_JSON: |
||||
- nftnl_table_fprintf(stdout, nlt, monh->format, |
||||
- netlink_msg2nftnl_of(type)); |
||||
- fprintf(stdout, "\n"); |
||||
+ nftnl_table_fprintf(monh->ctx->octx->output_fp, nlt, |
||||
+ monh->format, netlink_msg2nftnl_of(type)); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
|
||||
@@ -2057,9 +2057,9 @@ static int netlink_events_chain_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFTNL_OUTPUT_XML: |
||||
case NFTNL_OUTPUT_JSON: |
||||
- nftnl_chain_fprintf(stdout, nlc, monh->format, |
||||
- netlink_msg2nftnl_of(type)); |
||||
- fprintf(stdout, "\n"); |
||||
+ nftnl_chain_fprintf(monh->ctx->octx->output_fp, nlc, |
||||
+ monh->format, netlink_msg2nftnl_of(type)); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
|
||||
@@ -2104,9 +2104,9 @@ static int netlink_events_set_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFTNL_OUTPUT_XML: |
||||
case NFTNL_OUTPUT_JSON: |
||||
- nftnl_set_fprintf(stdout, nls, monh->format, |
||||
- netlink_msg2nftnl_of(type)); |
||||
- fprintf(stdout, "\n"); |
||||
+ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls, |
||||
+ monh->format, netlink_msg2nftnl_of(type)); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
out: |
||||
@@ -2253,9 +2253,9 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFTNL_OUTPUT_XML: |
||||
case NFTNL_OUTPUT_JSON: |
||||
- nftnl_set_fprintf(stdout, nls, monh->format, |
||||
- netlink_msg2nftnl_of(type)); |
||||
- fprintf(stdout, "\n"); |
||||
+ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls, |
||||
+ monh->format, netlink_msg2nftnl_of(type)); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
out: |
||||
@@ -2298,9 +2298,9 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFTNL_OUTPUT_XML: |
||||
case NFTNL_OUTPUT_JSON: |
||||
- nftnl_obj_fprintf(stdout, nlo, monh->format, |
||||
- netlink_msg2nftnl_of(type)); |
||||
- fprintf(stdout, "\n"); |
||||
+ nftnl_obj_fprintf(monh->ctx->octx->output_fp, nlo, |
||||
+ monh->format, netlink_msg2nftnl_of(type)); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
|
||||
@@ -2354,9 +2354,9 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type, |
||||
break; |
||||
case NFTNL_OUTPUT_XML: |
||||
case NFTNL_OUTPUT_JSON: |
||||
- nftnl_rule_fprintf(stdout, nlr, monh->format, |
||||
- netlink_msg2nftnl_of(type)); |
||||
- fprintf(stdout, "\n"); |
||||
+ nftnl_rule_fprintf(monh->ctx->octx->output_fp, nlr, |
||||
+ monh->format, netlink_msg2nftnl_of(type)); |
||||
+ nft_mon_print(monh, "\n"); |
||||
break; |
||||
} |
||||
|
||||
@@ -2985,7 +2985,6 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data) |
||||
ret = netlink_events_newgen_cb(nlh, type, monh); |
||||
break; |
||||
} |
||||
- fflush(stdout); |
||||
|
||||
return ret; |
||||
} |
||||
-- |
||||
1.8.3.1 |
||||
|
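Review bot: Removing `fflush(stdout)` from netlink_events_cb() makes timely output of `nft monitor` events depend on nft_mon_print() flushing after every callback, which is not visible in this patch; the NFTNL_OUTPUT_DEFAULT branches of each callback are outside the hunks too, so if any path ends without an nft_print-family call, the event stays buffered until the next one, which matters for a consumer reading the stream through a pipe. A one-line comment at the removal site, `/* each events callback ends with nft_mon_print(), which flushes */`, would record the assumption. As a style point, `monh->ctx->octx->output_fp` is spelled out in six callbacks; a per-callback `FILE *fp = monh->ctx->octx->output_fp;` or a small accessor would shorten them.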
@ -0,0 +1,69 @@
@@ -0,0 +1,69 @@
|
||||
From a5e89843a77c234f1f858737b676161ff8ee0227 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:00 +0200 |
||||
Subject: [PATCH] cli: Drop pointless check in cli_append_multiline() |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit f51ed1db70abd |
||||
Conflicts: Context change due to missing commit |
||||
4c15b4008c249 ("cli: Use nft_run_cmd_from_buffer()") |
||||
|
||||
commit f51ed1db70abdbb909e81bc670ffdfa05f421257 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Thu Mar 1 15:00:27 2018 +0100 |
||||
|
||||
cli: Drop pointless check in cli_append_multiline() |
||||
|
||||
The function is called from cli_complete after it has checked for line |
||||
to be != NULL. The other part of the conditional, namely multiline being |
||||
NULL, is perfectly valid (if the last read line didn't end with |
||||
backslash. Hence drop the conditional completely. |
||||
|
||||
Since variable eof is not used anywhere outside of the dropped |
||||
conditional, get rid of it completely. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/cli.c | 12 ++---------- |
||||
1 file changed, 2 insertions(+), 10 deletions(-) |
||||
|
||||
diff --git a/src/cli.c b/src/cli.c |
||||
index cadc3af..53427a0 100644 |
||||
--- a/src/cli.c |
||||
+++ b/src/cli.c |
||||
@@ -46,21 +46,13 @@ static struct mnl_socket *cli_nf_sock; |
||||
static void *scanner; |
||||
static char histfile[PATH_MAX]; |
||||
static char *multiline; |
||||
-static bool eof; |
||||
|
||||
static char *cli_append_multiline(char *line) |
||||
{ |
||||
+ size_t len = strlen(line); |
||||
bool complete = false; |
||||
- size_t len; |
||||
char *s; |
||||
|
||||
- if (line == NULL && multiline == NULL) { |
||||
- eof = true; |
||||
- return NULL; |
||||
- } |
||||
- |
||||
- len = strlen(line); |
||||
- |
||||
if (len == 0) |
||||
return NULL; |
||||
|
||||
@@ -174,7 +166,7 @@ int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock, |
||||
state = _state; |
||||
scanner = scanner_init(state); |
||||
|
||||
- while (!eof) |
||||
+ while (true) |
||||
rl_callback_read_char(); |
||||
return 0; |
||||
} |
||||
-- |
||||
1.8.3.1 |
||||
|
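Review bot: Changing cli_init() to `while (true) rl_callback_read_char();` makes the following `return 0;` unreachable, so the interactive loop now terminates only if the readline callback exits the process itself on EOF or quit; that path is outside this hunk, so it is worth confirming rather than assuming. A comment would preserve the intent: `/* never returns: EOF/quit is handled by exiting from the readline callback */`. Likewise `size_t len = strlen(line);` in cli_append_multiline() relies on the caller's NULL check; stating it on the function, `/* line must be non-NULL; cli_complete() guarantees it */`, keeps the contract with the code.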
@ -0,0 +1,56 @@
@@ -0,0 +1,56 @@
|
||||
From 76bfabfffc6d10f3b55c896dc7afc24fa3a71fc9 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:47 +0200 |
||||
Subject: [PATCH] erec: Avoid passing negative offset to fseek() |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 3570b6bc8b4f1 |
||||
|
||||
commit 3570b6bc8b4f136d07121b28cd79b6356e8e969b |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Thu Mar 1 15:00:28 2018 +0100 |
||||
|
||||
erec: Avoid passing negative offset to fseek() |
||||
|
||||
If the initial call to ftell() fails, variable orig_offset is set to -1. |
||||
Avoid passing this to fseek() later on. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/erec.c | 10 +++++----- |
||||
1 file changed, 5 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/src/erec.c b/src/erec.c |
||||
index 80806ff..8de249d 100644 |
||||
--- a/src/erec.c |
||||
+++ b/src/erec.c |
||||
@@ -121,7 +121,7 @@ void erec_print(struct output_ctx *octx, const struct error_record *erec, |
||||
char buf[1024] = {}; |
||||
char *pbuf = NULL; |
||||
unsigned int i, end; |
||||
- int l, ret; |
||||
+ int l; |
||||
off_t orig_offset = 0; |
||||
FILE *f = octx->output_fp; |
||||
|
||||
@@ -136,12 +136,12 @@ void erec_print(struct output_ctx *octx, const struct error_record *erec, |
||||
break; |
||||
case INDESC_FILE: |
||||
orig_offset = ftell(indesc->fp); |
||||
- fseek(indesc->fp, loc->line_offset, SEEK_SET); |
||||
- ret = fread(buf, 1, sizeof(buf) - 1, indesc->fp); |
||||
- if (ret > 0) |
||||
+ if (orig_offset >= 0 && |
||||
+ !fseek(indesc->fp, loc->line_offset, SEEK_SET) && |
||||
+ fread(buf, 1, sizeof(buf) - 1, indesc->fp) > 0 && |
||||
+ !fseek(indesc->fp, orig_offset, SEEK_SET)) |
||||
*strchrnul(buf, '\n') = '\0'; |
||||
line = buf; |
||||
- fseek(indesc->fp, orig_offset, SEEK_SET); |
||||
break; |
||||
case INDESC_INTERNAL: |
||||
case INDESC_NETLINK: |
||||
-- |
||||
1.8.3.1 |
||||
|
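Review bot: In erec_print() the new chained condition ties the newline truncation to the success of the final restore `fseek()`, so if the position cannot be restored after a successful fread(), `*strchrnul(buf, '\n') = '\0'` is skipped and `line` points at up to 1023 bytes spanning several input lines instead of the one being reported (buf is still NUL-terminated thanks to the `{}` initializer and the `- 1`). The restore should not gate the truncation; truncate as soon as the read succeeded, then restore best-effort as before. The switch enclosing this case starts and ends outside the hunk.
```c
	case INDESC_FILE:
		orig_offset = ftell(indesc->fp);
		if (orig_offset >= 0 &&
		    !fseek(indesc->fp, loc->line_offset, SEEK_SET) &&
		    fread(buf, 1, sizeof(buf) - 1, indesc->fp) > 0) {
			/* keep only the reported line; buf is already NUL-terminated */
			*strchrnul(buf, '\n') = '\0';
			/* best-effort restore; the line is captured either way */
			fseek(indesc->fp, orig_offset, SEEK_SET);
		}
		line = buf;
		break;
```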
@ -0,0 +1,60 @@
@@ -0,0 +1,60 @@
|
||||
From 56d8528fdd3c3f7db138622d94d2a6bac6b46e4e Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:47 +0200 |
||||
Subject: [PATCH] evaluate: Fix memleak in stmt_reject_gen_dependency() |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit edcf3adcf4c4c |
||||
|
||||
commit edcf3adcf4c4cf58cb0b965b984a512b12181a58 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Thu Mar 1 15:00:29 2018 +0100 |
||||
|
||||
evaluate: Fix memleak in stmt_reject_gen_dependency() |
||||
|
||||
The allocated payload expression is not used after returning from that |
||||
function, so it needs to be freed again. |
||||
|
||||
Simple test case: |
||||
|
||||
| nft add rule inet t c reject with tcp reset |
||||
|
||||
Valgrind reports definitely lost 144 bytes. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/evaluate.c | 10 +++++++--- |
||||
1 file changed, 7 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/src/evaluate.c b/src/evaluate.c |
||||
index 25a7376..8552e4a 100644 |
||||
--- a/src/evaluate.c |
||||
+++ b/src/evaluate.c |
||||
@@ -2136,8 +2136,10 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, |
||||
if (ret <= 0) |
||||
return ret; |
||||
|
||||
- if (payload_gen_dependency(ctx, payload, &nstmt) < 0) |
||||
- return -1; |
||||
+ if (payload_gen_dependency(ctx, payload, &nstmt) < 0) { |
||||
+ ret = -1; |
||||
+ goto out; |
||||
+ } |
||||
|
||||
/* |
||||
* Unlike payload deps this adds the dependency at the beginning, i.e. |
||||
@@ -2148,7 +2150,9 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, |
||||
* Otherwise we'd log things that won't be rejected. |
||||
*/ |
||||
list_add(&nstmt->list, &ctx->rule->stmts); |
||||
- return 0; |
||||
+out: |
||||
+ xfree(payload); |
||||
+ return ret; |
||||
} |
||||
|
||||
static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx, |
||||
-- |
||||
1.8.3.1 |
||||
|
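Review bot: On the success path the function now returns `ret` instead of the literal `0` it returned before; `ret` is whatever value passed the `if (ret <= 0) return ret;` guard at the top of the first hunk, so a caller that compares the result against 0 rather than testing `< 0` would see a behaviour change. If callers only test for a negative result this is harmless, but it is cheaper to make that explicit than to rely on it: add `ret = 0;` after `list_add(&nstmt->list, &ctx->rule->stmts);` so the fall-through into `out:` returns 0 as before. A one-line comment at `out:` saying that `payload` stays owned by this function and is not retained by `payload_gen_dependency()` would record the premise of the fix; the allocation of `payload` and the function's opening lie outside the hunk.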
@ -0,0 +1,49 @@
@@ -0,0 +1,49 @@
|
||||
From 76a8ca39b3f95b898cd92546fb87ccaa2d1922c7 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:47 +0200 |
||||
Subject: [PATCH] hash: Fix potential null-pointer dereference in |
||||
hash_expr_cmp() |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 5043a1e4847c0 |
||||
|
||||
commit 5043a1e4847c0149dabaf0b529a14a43b957e5e4 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Thu Mar 1 15:00:30 2018 +0100 |
||||
|
||||
hash: Fix potential null-pointer dereference in hash_expr_cmp() |
||||
|
||||
The first part of the conditional: |
||||
|
||||
| (e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr)) |
||||
|
||||
will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer |
||||
dereference. This is probably a typo, the intention when introducing |
||||
this was to avoid the call to expr_cmp() for symmetric hash expressions |
||||
which don't use expr->hash.expr. Inverting the existence check should |
||||
fix this. |
||||
|
||||
Fixes: 3a86406729782 ("src: hash: support of symmetric hash") |
||||
Cc: Laura Garcia Liebana <nevola@gmail.com> |
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/hash.c | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/hash.c b/src/hash.c |
||||
index 3355cad..e699963 100644 |
||||
--- a/src/hash.c |
||||
+++ b/src/hash.c |
||||
@@ -36,7 +36,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx) |
||||
|
||||
static bool hash_expr_cmp(const struct expr *e1, const struct expr *e2) |
||||
{ |
||||
- return (e1->hash.expr || |
||||
+ return (!e1->hash.expr || |
||||
expr_cmp(e1->hash.expr, e2->hash.expr)) && |
||||
e1->hash.mod == e2->hash.mod && |
||||
e1->hash.seed_set == e2->hash.seed_set && |
||||
-- |
||||
1.8.3.1 |
||||
|
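Review bot: The inverted check guards only `e1->hash.expr`: when it is NULL the comparison skips straight to the mod/seed fields, so a symmetric hash would compare equal to a non-symmetric one whose remaining fields match, and when `e1->hash.expr` is set but `e2->hash.expr` is NULL, `expr_cmp()` is still called with a NULL second argument (a dereference if expr_cmp() does not accept NULL, which the hunk does not show). Comparing presence first closes both gaps: `return (e1->hash.expr == NULL) == (e2->hash.expr == NULL) &&` followed by `(!e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr)) &&` and the existing field comparisons. The rest of hash_expr_cmp() continues outside the hunk.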
@ -0,0 +1,41 @@
@@ -0,0 +1,41 @@
|
||||
From 094f7dd2dce0c449313f1f1ea69dc849fc89b62a Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:47 +0200 |
||||
Subject: [PATCH] netlink: Complain if setting O_NONBLOCK fails |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 4342fcbd40534 |
||||
|
||||
commit 4342fcbd40534158107ebe6a10e5f7886b3e8ced |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Thu Mar 1 15:00:31 2018 +0100 |
||||
|
||||
netlink: Complain if setting O_NONBLOCK fails |
||||
|
||||
Assuming that code is not aware that reads from netlink socket may |
||||
block, treat inability to set O_NONBLOCK flag as fatal initialization |
||||
error aborting program execution. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/netlink.c | 3 ++- |
||||
1 file changed, 2 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/netlink.c b/src/netlink.c |
||||
index ca0e207..ebfad18 100644 |
||||
--- a/src/netlink.c |
||||
+++ b/src/netlink.c |
||||
@@ -58,7 +58,8 @@ struct mnl_socket *netlink_open_sock(void) |
||||
if (nf_sock == NULL) |
||||
netlink_init_error(); |
||||
|
||||
- fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK); |
||||
+ if (fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK)) |
||||
+ netlink_init_error(); |
||||
|
||||
return nf_sock; |
||||
} |
||||
-- |
||||
1.8.3.1 |
||||
|
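Review bot: `fcntl(fd, F_SETFL, O_NONBLOCK)` replaces the descriptor's entire status-flag set instead of adding one bit, and the new test treats any non-zero return as failure rather than the documented `-1`. The usual form reads the flags first and tests explicitly: `int flags = fcntl(mnl_socket_get_fd(nf_sock), F_GETFL);` then `if (flags < 0 || fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, flags | O_NONBLOCK) < 0) netlink_init_error();`. For a freshly created socket the clobbering is probably harmless today, so at minimum the condition should read `< 0`. The code after the check falls through to `return nf_sock;`, so it relies on netlink_init_error() not returning, as the NULL check above it already does.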
@ -0,0 +1,351 @@
@@ -0,0 +1,351 @@
|
||||
From 5e9e2dc7e972f6bbbc0156ad97b4ee9d11fcb837 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:22:47 +0200 |
||||
Subject: [PATCH] netlink_delinearize: Fix resource leaks |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 |
||||
Upstream Status: nftables commit 671851617c8d8 |
||||
|
||||
commit 671851617c8d8c1dfe9822eee8dcc7b827fff850 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Thu Mar 1 15:00:32 2018 +0100 |
||||
|
||||
netlink_delinearize: Fix resource leaks |
||||
|
||||
Most of the cases are basically the same: Error path fails to free the |
||||
previously allocated statement or expression. A few cases received |
||||
special treatment though: |
||||
|
||||
- In netlink_parse_payload_stmt(), the leak is easily avoided by code |
||||
reordering. |
||||
|
||||
- In netlink_parse_exthdr(), there's no point in introducing a goto |
||||
label since there is but a single affected error check. |
||||
|
||||
- In netlink_parse_hash() non-error path leaked as well if sreg |
||||
contained a concatenated expression. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
src/netlink_delinearize.c | 144 +++++++++++++++++++++++++++++----------------- |
||||
1 file changed, 92 insertions(+), 52 deletions(-) |
||||
|
||||
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c |
||||
index 61cba52..e25160a 100644 |
||||
--- a/src/netlink_delinearize.c |
||||
+++ b/src/netlink_delinearize.c |
||||
@@ -470,15 +470,15 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx, |
||||
offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_OFFSET) * BITS_PER_BYTE; |
||||
len = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_LEN) * BITS_PER_BYTE; |
||||
|
||||
- expr = payload_expr_alloc(loc, NULL, 0); |
||||
- payload_init_raw(expr, base, offset, len); |
||||
- |
||||
sreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_SREG); |
||||
val = netlink_get_register(ctx, loc, sreg); |
||||
if (val == NULL) |
||||
return netlink_error(ctx, loc, |
||||
"payload statement has no expression"); |
||||
|
||||
+ expr = payload_expr_alloc(loc, NULL, 0); |
||||
+ payload_init_raw(expr, base, offset, len); |
||||
+ |
||||
stmt = payload_stmt_alloc(loc, expr, val); |
||||
|
||||
list_add_tail(&stmt->list, &ctx->rule->stmts); |
||||
@@ -523,9 +523,11 @@ static void netlink_parse_exthdr(struct netlink_parse_ctx *ctx, |
||||
|
||||
sreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_SREG); |
||||
val = netlink_get_register(ctx, loc, sreg); |
||||
- if (val == NULL) |
||||
+ if (val == NULL) { |
||||
+ xfree(expr); |
||||
return netlink_error(ctx, loc, |
||||
"exthdr statement has no expression"); |
||||
+ } |
||||
|
||||
expr_set_type(val, expr->dtype, expr->byteorder); |
||||
|
||||
@@ -556,22 +558,27 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx, |
||||
sreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_SREG); |
||||
hexpr = netlink_get_register(ctx, loc, sreg); |
||||
|
||||
- if (hexpr == NULL) |
||||
- return |
||||
+ if (hexpr == NULL) { |
||||
netlink_error(ctx, loc, |
||||
"hash statement has no expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
len = nftnl_expr_get_u32(nle, |
||||
NFTNL_EXPR_HASH_LEN) * BITS_PER_BYTE; |
||||
if (hexpr->len < len) { |
||||
+ xfree(hexpr); |
||||
hexpr = netlink_parse_concat_expr(ctx, loc, sreg, len); |
||||
if (hexpr == NULL) |
||||
- return; |
||||
+ goto out_err; |
||||
} |
||||
expr->hash.expr = hexpr; |
||||
} |
||||
|
||||
dreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_DREG); |
||||
netlink_set_register(ctx, dreg, expr); |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(expr); |
||||
} |
||||
|
||||
static void netlink_parse_fib(struct netlink_parse_ctx *ctx, |
||||
@@ -853,10 +860,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, |
||||
reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MIN); |
||||
if (reg1) { |
||||
addr = netlink_get_register(ctx, loc, reg1); |
||||
- if (addr == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "NAT statement has no address " |
||||
- "expression"); |
||||
+ if (addr == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "NAT statement has no address expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
if (family == AF_INET) |
||||
expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN); |
||||
@@ -869,10 +877,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, |
||||
reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX); |
||||
if (reg2 && reg2 != reg1) { |
||||
addr = netlink_get_register(ctx, loc, reg2); |
||||
- if (addr == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "NAT statement has no address " |
||||
- "expression"); |
||||
+ if (addr == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "NAT statement has no address expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
if (family == AF_INET) |
||||
expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN); |
||||
@@ -887,10 +896,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, |
||||
reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN); |
||||
if (reg1) { |
||||
proto = netlink_get_register(ctx, loc, reg1); |
||||
- if (proto == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "NAT statement has no proto " |
||||
- "expression"); |
||||
+ if (proto == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "NAT statement has no proto expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); |
||||
stmt->nat.proto = proto; |
||||
@@ -899,10 +909,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, |
||||
reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MAX); |
||||
if (reg2 && reg2 != reg1) { |
||||
proto = netlink_get_register(ctx, loc, reg2); |
||||
- if (proto == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "NAT statement has no proto " |
||||
- "expression"); |
||||
+ if (proto == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "NAT statement has no proto expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); |
||||
if (stmt->nat.proto != NULL) |
||||
@@ -911,6 +922,9 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, |
||||
} |
||||
|
||||
ctx->stmt = stmt; |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(stmt); |
||||
} |
||||
|
||||
static void netlink_parse_masq(struct netlink_parse_ctx *ctx, |
||||
@@ -931,10 +945,11 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, |
||||
reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN); |
||||
if (reg1) { |
||||
proto = netlink_get_register(ctx, loc, reg1); |
||||
- if (proto == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "MASQUERADE statement" |
||||
- "has no proto expression"); |
||||
+ if (proto == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "MASQUERADE statement has no proto expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); |
||||
stmt->masq.proto = proto; |
||||
} |
||||
@@ -942,10 +957,11 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, |
||||
reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX); |
||||
if (reg2 && reg2 != reg1) { |
||||
proto = netlink_get_register(ctx, loc, reg2); |
||||
- if (proto == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "MASQUERADE statement" |
||||
- "has no proto expression"); |
||||
+ if (proto == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "MASQUERADE statement has no proto expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); |
||||
if (stmt->masq.proto != NULL) |
||||
proto = range_expr_alloc(loc, stmt->masq.proto, proto); |
||||
@@ -953,6 +969,9 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, |
||||
} |
||||
|
||||
ctx->stmt = stmt; |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(stmt); |
||||
} |
||||
|
||||
static void netlink_parse_redir(struct netlink_parse_ctx *ctx, |
||||
@@ -974,10 +993,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, |
||||
reg1 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MIN); |
||||
if (reg1) { |
||||
proto = netlink_get_register(ctx, loc, reg1); |
||||
- if (proto == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "redirect statement has no proto " |
||||
- "expression"); |
||||
+ if (proto == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "redirect statement has no proto expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); |
||||
stmt->redir.proto = proto; |
||||
@@ -986,10 +1006,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, |
||||
reg2 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MAX); |
||||
if (reg2 && reg2 != reg1) { |
||||
proto = netlink_get_register(ctx, loc, reg2); |
||||
- if (proto == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "redirect statement has no proto " |
||||
- "expression"); |
||||
+ if (proto == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "redirect statement has no proto expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); |
||||
if (stmt->redir.proto != NULL) |
||||
@@ -999,6 +1020,9 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, |
||||
} |
||||
|
||||
ctx->stmt = stmt; |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(stmt); |
||||
} |
||||
|
||||
static void netlink_parse_dup(struct netlink_parse_ctx *ctx, |
||||
@@ -1014,9 +1038,11 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx, |
||||
reg1 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_ADDR); |
||||
if (reg1) { |
||||
addr = netlink_get_register(ctx, loc, reg1); |
||||
- if (addr == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "DUP statement has no destination expression"); |
||||
+ if (addr == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "DUP statement has no destination expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
switch (ctx->table->handle.family) { |
||||
case NFPROTO_IPV4: |
||||
@@ -1033,9 +1059,11 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx, |
||||
reg2 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_DEV); |
||||
if (reg2) { |
||||
dev = netlink_get_register(ctx, loc, reg2); |
||||
- if (dev == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "DUP statement has no output expression"); |
||||
+ if (dev == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "DUP statement has no output expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN); |
||||
if (stmt->dup.to == NULL) |
||||
@@ -1045,6 +1073,9 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx, |
||||
} |
||||
|
||||
ctx->stmt = stmt; |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(stmt); |
||||
} |
||||
|
||||
static void netlink_parse_fwd(struct netlink_parse_ctx *ctx, |
||||
@@ -1060,15 +1091,20 @@ static void netlink_parse_fwd(struct netlink_parse_ctx *ctx, |
||||
reg1 = netlink_parse_register(nle, NFTNL_EXPR_FWD_SREG_DEV); |
||||
if (reg1) { |
||||
dev = netlink_get_register(ctx, loc, reg1); |
||||
- if (dev == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "fwd statement has no output expression"); |
||||
+ if (dev == NULL) { |
||||
+ netlink_error(ctx, loc, |
||||
+ "fwd statement has no output expression"); |
||||
+ goto out_err; |
||||
+ } |
||||
|
||||
expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN); |
||||
stmt->fwd.to = dev; |
||||
} |
||||
|
||||
ctx->stmt = stmt; |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(stmt); |
||||
} |
||||
|
||||
static void netlink_parse_queue(struct netlink_parse_ctx *ctx, |
||||
@@ -1135,10 +1171,11 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, |
||||
dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL); |
||||
if (dnle != NULL) { |
||||
if (netlink_parse_expr(dnle, ctx) < 0) |
||||
- return; |
||||
- if (ctx->stmt == NULL) |
||||
- return netlink_error(ctx, loc, |
||||
- "Could not parse dynset stmt"); |
||||
+ goto out_err; |
||||
+ if (ctx->stmt == NULL) { |
||||
+ netlink_error(ctx, loc, "Could not parse dynset stmt"); |
||||
+ goto out_err; |
||||
+ } |
||||
dstmt = ctx->stmt; |
||||
} |
||||
|
||||
@@ -1155,6 +1192,9 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, |
||||
} |
||||
|
||||
ctx->stmt = stmt; |
||||
+ return; |
||||
+out_err: |
||||
+ xfree(expr); |
||||
} |
||||
|
||||
static void netlink_parse_objref(struct netlink_parse_ctx *ctx, |
||||
-- |
||||
1.8.3.1 |
||||
|
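Review bot: In netlink_parse_nat the new `out_err: xfree(stmt);` is reached from the REG_ADDR_MAX and REG_PROTO_MIN/MAX error paths after earlier registers have already been attached to the statement (the context lines `stmt->nat.proto = proto;` and `if (stmt->nat.proto != NULL)` show this), so `xfree()` releases the statement but leaks those expressions; `stmt_free(stmt)`, which runs the statement's destructor, is the matching cleanup. The same applies to the masq, redir, dup and fwd hunks, where `stmt->masq.proto`, `stmt->redir.proto` and `stmt->dup.to` are set before the second register is checked, and to the dynset hunk, where `xfree(expr)` on a register expression that may be a concatenation leaks its children and `expr_free(expr)` is the right call. In netlink_parse_hash the new `xfree(hexpr)` before `netlink_parse_concat_expr()` has the same shape and is only correct if netlink_get_register() hands back a separately-owned expression, which the hunk does not show; a comment there stating that assumption would help. All of these functions start outside their hunks.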
@ -0,0 +1,60 @@
@@ -0,0 +1,60 @@
|
||||
From c2e843f9386bfa01bfbdd2742ce89f6c474ac0ee Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:23:54 +0200 |
||||
Subject: [PATCH] nft.8: Fix reject statement documentation |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571938 |
||||
Upstream Status: nftables commit 9b3036bb9f00d |
||||
|
||||
commit 9b3036bb9f00d6e244ed92e0e782c5617ae40b84 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Wed Jun 6 10:56:26 2018 +0200 |
||||
|
||||
nft.8: Fix reject statement documentation |
||||
|
||||
First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In |
||||
addition to that, parameter 'type' expects an icmp*_code type, not |
||||
icmp*_type. The respective table column was already correct, but in |
||||
synopsis it was wrong. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
--- |
||||
doc/nft.xml | 10 +++++----- |
||||
1 file changed, 5 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/doc/nft.xml b/doc/nft.xml |
||||
index c7e12c9..3da5fda 100644 |
||||
--- a/doc/nft.xml |
||||
+++ b/doc/nft.xml |
||||
@@ -4472,14 +4472,14 @@ ip6 filter output log flags all |
||||
<arg choice="none">with</arg> |
||||
<group choice="req"> |
||||
<arg>icmp</arg> |
||||
- <arg>icmp6</arg> |
||||
+ <arg>icmpv6</arg> |
||||
<arg>icmpx</arg> |
||||
</group> |
||||
<arg choice="none">type</arg> |
||||
<group choice="req"> |
||||
- <arg>icmp_type</arg> |
||||
- <arg>icmp6_type</arg> |
||||
- <arg>icmpx_type</arg> |
||||
+ <arg>icmp_code</arg> |
||||
+ <arg>icmpv6_code</arg> |
||||
+ <arg>icmpx_code</arg> |
||||
</group> |
||||
</arg> |
||||
</cmdsynopsis> |
||||
@@ -4516,7 +4516,7 @@ ip6 filter output log flags all |
||||
<entry>icmp_code</entry> |
||||
</row> |
||||
<row> |
||||
- <entry>icmp6</entry> |
||||
+ <entry>icmpv6</entry> |
||||
<entry>ip6</entry> |
||||
<entry>icmpv6_code</entry> |
||||
</row> |
||||
-- |
||||
1.8.3.1 |
||||
|
@ -0,0 +1,56 @@
@@ -0,0 +1,56 @@
|
||||
From 9abe6ef333d4d1f7c83e10ee73bca70f64b9fdba Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:36:59 +0200 |
||||
Subject: [PATCH] doc: reword insert position, this expects rule handle to |
||||
insert, not a relative postition |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571968 |
||||
Upstream Status: nftables commit 45172efadbede |
||||
Conflicts: Context change due to missing commit f9cb9580b924f |
||||
("doc: nft.8 aim for consistent synopses throughout") |
||||
|
||||
commit 45172efadbedee2b2dedc1e771046cca7edb0111 |
||||
Author: Florian Westphal <fw@strlen.de> |
||||
Date: Tue Apr 24 16:54:52 2018 +0200 |
||||
|
||||
doc: reword insert position, this expects rule handle to insert, not a relative postition |
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
--- |
||||
doc/nft.xml | 6 +++--- |
||||
1 file changed, 3 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/doc/nft.xml b/doc/nft.xml |
||||
index 3da5fda..45a392f 100644 |
||||
--- a/doc/nft.xml |
||||
+++ b/doc/nft.xml |
||||
@@ -835,7 +835,7 @@ filter input iif $int_ifs accept |
||||
<arg choice="opt"><replaceable>family</replaceable></arg> |
||||
<arg choice="req"><replaceable>table</replaceable></arg> |
||||
<arg choice="req"><replaceable>chain</replaceable></arg> |
||||
- <arg choice="opt">position <replaceable>position</replaceable></arg> |
||||
+ <arg choice="opt">position <replaceable>handle</replaceable></arg> |
||||
<arg choice="req" rep="repeat"><replaceable>statement</replaceable></arg> |
||||
</cmdsynopsis> |
||||
<cmdsynopsis> |
||||
@@ -868,7 +868,7 @@ filter input iif $int_ifs accept |
||||
<para> |
||||
Add a new rule described by the list of statements. The rule is appended to the |
||||
given chain unless a position is specified, in which case the rule is appended to |
||||
- the rule given by the position. |
||||
+ the rule given by the handle. |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
@@ -877,7 +877,7 @@ filter input iif $int_ifs accept |
||||
<listitem> |
||||
<para> |
||||
Similar to the <command>add</command> command, but the rule is prepended to the |
||||
- beginning of the chain or before the rule at the given position. |
||||
+ beginning of the chain or before the rule with the given handle. |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
-- |
||||
1.8.3.1 |
||||
|
@ -0,0 +1,92 @@
@@ -0,0 +1,92 @@
|
||||
From 197711f42a7580918c99536ff891eef7dd040c6b Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:37:57 +0200 |
||||
Subject: [PATCH] Deprecate add/insert rule 'position' argument |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571968 |
||||
Upstream Status: nftables commit effb881c9cef2 |
||||
Conflicts: Context change due to missing commit f9cb9580b924f |
||||
("doc: nft.8 aim for consistent synopses throughout") |
||||
|
||||
commit effb881c9cef28aca47adeec5014e0457507539e |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Wed May 9 16:03:40 2018 +0200 |
||||
|
||||
Deprecate add/insert rule 'position' argument |
||||
|
||||
Instead, use 'handle' keyword for the same effect since that is more |
||||
consistent with respect to replace/delete commands. The old keyword is |
||||
still supported for backwards compatibility and also listed in man page |
||||
along with a hint that it shouldn't be used anymore. |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||
--- |
||||
doc/nft.xml | 17 +++++++++++++---- |
||||
src/parser_bison.y | 8 ++++++++ |
||||
2 files changed, 21 insertions(+), 4 deletions(-) |
||||
|
||||
diff --git a/doc/nft.xml b/doc/nft.xml |
||||
index 45a392f..e6cfb78 100644 |
||||
--- a/doc/nft.xml |
||||
+++ b/doc/nft.xml |
||||
@@ -835,7 +835,13 @@ filter input iif $int_ifs accept |
||||
<arg choice="opt"><replaceable>family</replaceable></arg> |
||||
<arg choice="req"><replaceable>table</replaceable></arg> |
||||
<arg choice="req"><replaceable>chain</replaceable></arg> |
||||
- <arg choice="opt">position <replaceable>handle</replaceable></arg> |
||||
+ <arg choice="opt"> |
||||
+ <group choice="req"> |
||||
+ <arg>handle</arg> |
||||
+ <arg>position</arg> |
||||
+ </group> |
||||
+ <replaceable>handle</replaceable> |
||||
+ </arg> |
||||
<arg choice="req" rep="repeat"><replaceable>statement</replaceable></arg> |
||||
</cmdsynopsis> |
||||
<cmdsynopsis> |
||||
@@ -867,8 +873,10 @@ filter input iif $int_ifs accept |
||||
<listitem> |
||||
<para> |
||||
Add a new rule described by the list of statements. The rule is appended to the |
||||
- given chain unless a position is specified, in which case the rule is appended to |
||||
- the rule given by the handle. |
||||
+ given chain unless a <literal>handle</literal> is specified, in which case the |
||||
+ rule is appended to the rule given by the <replaceable>handle</replaceable>. |
||||
+ The alternative name <literal>position</literal> is deprecated and should not be |
||||
+ used anymore. |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
@@ -877,7 +885,8 @@ filter input iif $int_ifs accept |
||||
<listitem> |
||||
<para> |
||||
Similar to the <command>add</command> command, but the rule is prepended to the |
||||
- beginning of the chain or before the rule with the given handle. |
||||
+ beginning of the chain or before the rule with the given |
||||
+ <replaceable>handle</replaceable>. |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
diff --git a/src/parser_bison.y b/src/parser_bison.y |
||||
index 7016f5b..f9878ba 100644 |
||||
--- a/src/parser_bison.y |
||||
+++ b/src/parser_bison.y |
||||
@@ -1708,6 +1708,14 @@ rule_position : chain_spec |
||||
handle_merge(&$1, &$2); |
||||
$$ = $1; |
||||
} |
||||
+ | chain_spec handle_spec |
||||
+ { |
||||
+ $2.position.location = $2.handle.location; |
||||
+ $2.position.id = $2.handle.id; |
||||
+ $2.handle.id = 0; |
||||
+ handle_merge(&$1, &$2); |
||||
+ $$ = $1; |
||||
+ } |
||||
; |
||||
|
||||
ruleid_spec : chain_spec handle_spec |
||||
-- |
||||
1.8.3.1 |
||||
|
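Review bot: The new `chain_spec handle_spec` alternative reinterprets a rule handle as an insert position (`$2.position.id = $2.handle.id; $2.handle.id = 0;`) without saying why, and nothing in the grammar distinguishes it from the `position_spec` alternative above it, so a reader has to consult the manual page to learn that one spelling is deprecated. A short comment above the action would carry that: `/* 'handle' after a chain names the insert position, not the rule: move the id so handle_merge() fills position and leaves handle.id unset */`. Since the manual now calls `position` deprecated while the grammar accepts both spellings identically, a deprecation warning in the `position_spec` path (outside this hunk) would make the two agree. The rule_position definition starts outside the hunk.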
@ -0,0 +1,54 @@
@@ -0,0 +1,54 @@
|
||||
From d8f1860f72840104bff3742f477c572b57a9c3c1 Mon Sep 17 00:00:00 2001 |
||||
From: Phil Sutter <psutter@redhat.com> |
||||
Date: Wed, 20 Jun 2018 09:38:55 +0200 |
||||
Subject: [PATCH] evaluate: explicitly deny concatenated types in interval sets |
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1576426 |
||||
Upstream Status: nftables commit 9a3d80172a61e |
||||
|
||||
commit 9a3d80172a61e89c2862bcf41cb58313c236b308 |
||||
Author: Phil Sutter <phil@nwl.cc> |
||||
Date: Wed Jun 6 13:21:49 2018 +0200 |
||||
|
||||
evaluate: explicitly deny concatenated types in interval sets |
||||
|
||||
Previously, this triggered a program abort: |
||||
|
||||
| # nft add table ip t |
||||
| # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }' |
||||
| # nft add element ip t my_set '{10.0.0.1 . tcp }' |
||||
| BUG: invalid range expression type concat |
||||
| nft: expression.c:1085: range_expr_value_low: Assertion `0' failed. |
||||
|
||||
With this patch in place, the 'add set' command above gives an error |
||||
message: |
||||
|
||||
| # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }' |
||||
| Error: concatenated types not supported in interval sets |
||||
| add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; } |
||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||
--- |
||||
src/evaluate.c | 4 ++++ |
||||
1 file changed, 4 insertions(+) |
||||
|
||||
diff --git a/src/evaluate.c b/src/evaluate.c |
||||
index 8552e4a..ab1347f 100644 |
||||
--- a/src/evaluate.c |
||||
+++ b/src/evaluate.c |
||||
@@ -2865,6 +2865,10 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) |
||||
"specified in %s definition", |
||||
set->key->dtype->name, type); |
||||
} |
||||
+ if (set->flags & NFT_SET_INTERVAL && |
||||
+ set->key->ops->type == EXPR_CONCAT) |
||||
+ return set_error(ctx, set, "concatenated types not supported in interval sets"); |
||||
+ |
||||
if (set->flags & NFT_SET_MAP) { |
||||
if (set->datatype == NULL) |
||||
return set_error(ctx, set, "map definition does not " |
||||
-- |
||||
1.8.3.1 |
||||
|
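Review bot: The new condition mixes `&` and `&&` without parentheses and its error line runs well past 80 columns, unlike the surrounding `set_error()` calls which wrap their message; `if ((set->flags & NFT_SET_INTERVAL) && set->key->ops->type == EXPR_CONCAT)` with the message string on its own line matches the file's style and removes the precedence question for the reader. The check sits after the key-type comparison, so `set->key` is already known to be non-NULL here, which is worth a brief comment since it is the only reason the dereference is safe. set_evaluate() starts and ends outside the hunk.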
@ -0,0 +1,6 @@
@@ -0,0 +1,6 @@
|
||||
# |
||||
# This this will contain your nftables rules and |
||||
# is read by the systemd service when restarting |
||||
# |
||||
# These provide an iptables like set of filters |
||||
# (uncomment to include) |
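Review bot: The header comment reads `# This this will contain your nftables rules and`; the duplicated word should go, `# This file will contain your nftables rules and`. The last two lines announce filters to uncomment, but the file is six lines long and contains no commented-out rules, so either the example rules were meant to follow or those two lines should be dropped.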
@ -0,0 +1,17 @@
@@ -0,0 +1,17 @@
|
||||
[Unit] |
||||
Description=Netfilter Tables |
||||
Documentation=man:nft(8) |
||||
Wants=network-pre.target |
||||
Before=network-pre.target |
||||
|
||||
[Service] |
||||
Type=oneshot |
||||
ProtectSystem=full |
||||
ProtectHome=true |
||||
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf |
||||
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' |
||||
ExecStop=/sbin/nft flush ruleset |
||||
RemainAfterExit=yes |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
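Review bot: `ExecStart` loads the configuration with `nft -f` on top of whatever ruleset is already present, while `ExecReload` first runs `flush ruleset` in the same transaction, so starting the service on a host where rules were already loaded can append duplicate rules rather than replace them. Using the same form for start, `ExecStart=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'`, keeps the two paths equivalent and atomic. `ExecStop=/sbin/nft flush ruleset` leaves the host without a packet filter once the unit is stopped, which is conventional for this kind of unit but deserves a `#` comment so operators are not surprised.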
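--- a/nftables.spec
+++ b/nftables.spec
@@ -0,0 +1,155 @@
+%define rpmversion 0.8
+%define specrelease 10%{?dist}
+%define libnftnlversion 1.0.8-1
+
+Name: nftables
+Version: %{rpmversion}
+Release: %{specrelease}
+Epoch: 1
+Summary: Netfilter Tables userspace utillites
+License: GPLv2
+URL: http://netfilter.org/projects/nftables/
+Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2
+Source1: nftables.service
+Source2: nftables.conf
+Source3: nft.8
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: libmnl-devel
+BuildRequires: gmp-devel
+BuildRequires: readline-devel
+BuildRequires: libnftnl-devel >= %{libnftnlversion}
+# docbook2X is available in EPEL repo only, which is not included in Brew
+#BuildRequires: docbook2X
+#BuildRequires: docbook-dtds
+BuildRequires: systemd
+Patch0: 0001-src-fix-protocol-context-update-on-big-endian-system.patch
+Patch1: 0002-netlink_linearize-exthdr-op-must-be-u32.patch
+Patch2: 0003-src-avoid-errouneous-assert-with-map-concat.patch
+Patch3: 0004-Review-switch-statements-for-unmarked-fall-through-c.patch
+Patch4: 0005-monitor-Make-trace-events-respect-output_fp.patch
+Patch5: 0006-monitor-Make-JSON-XML-output-respect-output_fp.patch
+Patch6: 0007-cli-Drop-pointless-check-in-cli_append_multiline.patch
+Patch7: 0008-erec-Avoid-passing-negative-offset-to-fseek.patch
+Patch8: 0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch
+Patch9: 0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch
+Patch10: 0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch
+Patch11: 0012-netlink_delinearize-Fix-resource-leaks.patch
+Patch12: 0013-nft.8-Fix-reject-statement-documentation.patch
+Patch13: 0014-doc-reword-insert-position-this-expects-rule-handle-.patch
+Patch14: 0015-Deprecate-add-insert-rule-position-argument.patch
+Patch15: 0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch
+
+%description
+Netfilter Tables userspace utilities.
+
+%prep
+%autosetup -p1
+
+%build
+%configure --disable-silent-rules DOCBOOK2X_MAN="no" DOCBOOK2MAN="no" DB2X_DOCBOOK2MAN="no"
+make %{?_smp_mflags}
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
+cp -a %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8/
+chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
+
+mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
+
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
+cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
+for f in $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*; do
+echo "# include \"%{_sysconfdir}/nftables/$(basename $f)\""
+done >> $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
+chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
+chmod 750 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
+chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*
+
+%post
+%systemd_post nftables.service
+
+%preun
+%systemd_preun nftables.service
+
+%postun
+%systemd_postun_with_restart nftables.service
+
+%files
+%doc COPYING TODO
+%config(noreplace) %{_sysconfdir}/nftables/
+%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
+%{_sbindir}/nft
+%{_mandir}/man8/nft*
+%{_unitdir}/nftables.service
+
+%changelog
+* Wed Jun 20 2018 Phil Sutter <psutter@redhat.com> [0.8-10.el7]
+- Bump epoch to allow upgrading from EPEL (Phil Sutter) [1575059]
+
+* Wed Jun 20 2018 Phil Sutter <psutter@redhat.com> [0.8-9.el7]
+- evaluate: explicitly deny concatenated types in interval sets (Phil Sutter) [1576426]
+- Deprecate add/insert rule 'position' argument (Phil Sutter) [1571968]
+- doc: reword insert position, this expects rule handle to insert, not a relative postition (Phil Sutter) [1571968]
+- nft.8: Fix reject statement documentation (Phil Sutter) [1571938]
+- netlink_delinearize: Fix resource leaks (Phil Sutter) [1504157]
+- netlink: Complain if setting O_NONBLOCK fails (Phil Sutter) [1504157]
+- hash: Fix potential null-pointer dereference in hash_expr_cmp() (Phil Sutter) [1504157]
+- evaluate: Fix memleak in stmt_reject_gen_dependency() (Phil Sutter) [1504157]
+- erec: Avoid passing negative offset to fseek() (Phil Sutter) [1504157]
+- cli: Drop pointless check in cli_append_multiline() (Phil Sutter) [1504157]
+- monitor: Make JSON/XML output respect output_fp (Phil Sutter) [1504157]
+- monitor: Make trace events respect output_fp (Phil Sutter) [1504157]
+- Review switch statements for unmarked fall through cases (Phil Sutter) [1504157]
+
+* Wed Jun 06 2018 Phil Sutter <psutter@redhat.com> [0.8-8.el7]
+- src: avoid errouneous assert with map+concat (Phil Sutter) [1540917]
+
+* Mon Dec 18 2017 Phil Sutter <psutter@redhat.com> [0.8-7.el7]
+- A proper fix for incompatible docbook2man (Phil Sutter) [1523239]
+
+* Thu Dec 14 2017 Phil Sutter <psutter@redhat.com> [0.8-6.el7]
+- netlink_linearize: exthdr op must be u32 (Phil Sutter) [1524246]
+- src: fix protocol context update on big-endian systems (Phil Sutter) [1523016]
+
+* Fri Dec 08 2017 Phil Sutter <psutter@redhat.com> [0.8-5.el7]
+- Prevent build failure due to incompatible docbook2man (Phil Sutter) [1523239]
+
+* Sat Oct 14 2017 Phil Sutter <psutter@redhat.com> [0.8-4.el7]
+- Update /etc/sysconfig/nftables.conf with new config samples (Phil Sutter) [1472261]
+
+* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [0.8-3.el7]
+- Fix typo in spec file (Phil Sutter) [1451404]
+
+* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [0.8-2.el7]
+- Fix permissions of installed config files (Phil Sutter) [1451404]
+
+* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [0.8-1.el7]
+- Rebase onto upstream version 0.8 (Phil Sutter) [1472261]
+
+* Fri May 12 2017 Phil Sutter <psutter@redhat.com> [0.6-4.el7]
+- evaluate: Avoid undefined behaviour in concat_subtype_id() (Phil Sutter) [1360789]
+- src: Interpret OP_NEQ against a set as OP_LOOKUP (Phil Sutter) [1440011]
+- include: refresh uapi/linux/netfilter/nf_tables.h copy (Phil Sutter) [1440011]
+- datatype: time_type should send milliseconds to userspace (Phil Sutter) [1427114]
+- meta: fix memory leak in tc classid parser (Phil Sutter) [1380326]
+- src: meta priority support using tc classid (Phil Sutter) [1380326]
+- src: simplify classid printing using x instead of 04x (Phil Sutter) [1380326]
+- src: rename datatype name from tc_handle to classid (Phil Sutter) [1380326]
+- payload: don't update protocol context if we can't find a description (Timothy Redaelli) [1446534 1399764]
+- evaluate: reject: Have a generic fix for missing network context (Timothy Redaelli) [1360354]
+
+* Mon Mar 06 2017 Phil Sutter <psutter@redhat.com> [0.6-3.el7]
+- nftables.spec: Require at least libnftnl-1.0.6-4 (Phil Sutter) [1358705]
+- evaluate: Fix datalen checks in expr_evaluate_string() (Phil Sutter) [1360240]
+- netlink_delinearize: Avoid potential null pointer deref (Timothy Redaelli) [1360257]
+- src: use new range expression for != [a,b] intervals (Phil Sutter) [1358705]
+
+* Tue Jul 19 2016 Phil Sutter <psutter@redhat.com> 0.6-2
+- Add pre-generated nft.8 to overcome missing docbook2X package.
+
+* Wed Jun 29 2016 Phil Sutter <psutter@redhat.com> 0.6-1
+- Rebased from Fedora Rawhide and adjusted for RHEL review.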
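Review bot: In the %install loop `for f in $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*; do`, an unmatched glob leaves `$f` set to the pattern itself, so if the upstream install ever stops shipping sample files under that directory a bogus include line with `*` as the file name is appended to the installed nftables.conf. Adding `[ -e "$f" ] || continue` as the first statement of the loop, and quoting the argument as `$(basename "$f")`, keeps the generated configuration clean in that case. The explicit `chmod 600` on both configuration locations and `chmod 750` on the directory are appropriate given the service reads them as root and the files may describe the host's filtering policy. Separately, the Summary line has a typo: `utillites` should read `utilities`.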