diff --git a/.gitignore b/.gitignore index ebc317f..ccc74cf 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libnftnl-1.0.6.tar.bz2 +SOURCES/libnftnl-1.0.6.tar.xz diff --git a/.libnftnl.metadata b/.libnftnl.metadata index 0758752..c439cc2 100644 --- a/.libnftnl.metadata +++ b/.libnftnl.metadata @@ -1 +1 @@ -453f1c2d99d219baeca4ba42aa874f02d2ddf2f7 SOURCES/libnftnl-1.0.6.tar.bz2 +947d9ed587b8a4cd3883721a2878ade962ce6dad SOURCES/libnftnl-1.0.6.tar.xz diff --git a/SOURCES/0001-src-add-range-expression.patch b/SOURCES/0001-src-add-range-expression.patch new file mode 100644 index 0000000..48c6c0f --- /dev/null +++ b/SOURCES/0001-src-add-range-expression.patch @@ -0,0 +1,569 @@ +From 41e4687e83c8eba29b5cf7cbbea74fab56835468 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 23 Feb 2017 17:07:00 +0100 +Subject: [PATCH] src: add range expression + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1418967 +Upstream Status: unknown commit 200da4866ada0 +Conflicts: Context changes due to missing other features. + +commit 200da4866ada06b2ee0f708c93dbdf9dcd0fcfe4 +Author: Pablo Neira Ayuso +Date: Tue Sep 20 17:53:21 2016 +0200 + + src: add range expression + + Add range expression available that is scheduled for linux kernel 4.9. + This range expression allows us to check if a given value placed in a + register is within/outside a specified interval. + + Signed-off-by: Pablo Neira Ayuso +--- + include/libnftnl/expr.h | 7 + + include/linux/netfilter/nf_tables.h | 29 ++++ + src/Makefile.am | 1 + + src/expr/range.c | 288 ++++++++++++++++++++++++++++++++++++ + src/expr_ops.c | 2 + + tests/Makefile.am | 4 + + tests/nft-expr_range-test.c | 109 ++++++++++++++ + tests/test-script.sh | 1 + + 8 files changed, 441 insertions(+) + create mode 100644 src/expr/range.c + create mode 100644 tests/nft-expr_range-test.c + +diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h +index f192103..5822a9e 100644 +--- a/include/libnftnl/expr.h ++++ b/include/libnftnl/expr.h +@@ -61,6 +61,13 @@ enum { + }; + + enum { ++ NFTNL_EXPR_RANGE_SREG = NFTNL_EXPR_BASE, ++ NFTNL_EXPR_RANGE_OP, ++ NFTNL_EXPR_RANGE_FROM_DATA, ++ NFTNL_EXPR_RANGE_TO_DATA, ++}; ++ ++enum { + NFTNL_EXPR_IMM_DREG = NFTNL_EXPR_BASE, + NFTNL_EXPR_IMM_DATA, + NFTNL_EXPR_IMM_VERDICT, +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index 6a4dbe0..3b7b7f3 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -547,6 +547,35 @@ enum nft_cmp_attributes { + #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) + + /** ++ * enum nft_range_ops - nf_tables range operator ++ * ++ * @NFT_RANGE_EQ: equal ++ * @NFT_RANGE_NEQ: not equal ++ */ ++enum nft_range_ops { ++ NFT_RANGE_EQ, ++ NFT_RANGE_NEQ, ++}; ++ ++/** ++ * enum nft_range_attributes - nf_tables range expression netlink attributes ++ * ++ * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers) ++ * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops) ++ * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes) ++ * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes) ++ */ ++enum nft_range_attributes { ++ NFTA_RANGE_UNSPEC, ++ NFTA_RANGE_SREG, ++ NFTA_RANGE_OP, ++ NFTA_RANGE_FROM_DATA, ++ NFTA_RANGE_TO_DATA, ++ __NFTA_RANGE_MAX ++}; ++#define NFTA_RANGE_MAX (__NFTA_RANGE_MAX - 1) ++ ++/** + * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes + * + * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING) +diff --git a/src/Makefile.am b/src/Makefile.am +index 7e580e4..6378815 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -25,6 +25,7 @@ libnftnl_la_SOURCES = utils.c \ + expr/bitwise.c \ + expr/byteorder.c \ + expr/cmp.c \ ++ expr/range.c \ + expr/counter.c \ + expr/ct.c \ + expr/data_reg.c \ +diff --git a/src/expr/range.c b/src/expr/range.c +new file mode 100644 +index 0000000..1489d58 +--- /dev/null ++++ b/src/expr/range.c +@@ -0,0 +1,288 @@ ++/* ++ * (C) 2016 by Pablo Neira Ayuso ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published ++ * by the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ */ ++ ++#include "internal.h" ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++struct nftnl_expr_range { ++ union nftnl_data_reg data_from; ++ union nftnl_data_reg data_to; ++ enum nft_registers sreg; ++ enum nft_range_ops op; ++}; ++ ++static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type, ++ const void *data, uint32_t data_len) ++{ ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ ++ switch(type) { ++ case NFTNL_EXPR_RANGE_SREG: ++ range->sreg = *((uint32_t *)data); ++ break; ++ case NFTNL_EXPR_RANGE_OP: ++ range->op = *((uint32_t *)data); ++ break; ++ case NFTNL_EXPR_RANGE_FROM_DATA: ++ memcpy(&range->data_from.val, data, data_len); ++ range->data_from.len = data_len; ++ break; ++ case NFTNL_EXPR_RANGE_TO_DATA: ++ memcpy(&range->data_to.val, data, data_len); ++ range->data_to.len = data_len; ++ break; ++ default: ++ return -1; ++ } ++ return 0; ++} ++ ++static const void *nftnl_expr_range_get(const struct nftnl_expr *e, ++ uint16_t type, uint32_t *data_len) ++{ ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ ++ switch(type) { ++ case NFTNL_EXPR_RANGE_SREG: ++ *data_len = sizeof(range->sreg); ++ return &range->sreg; ++ case NFTNL_EXPR_RANGE_OP: ++ *data_len = sizeof(range->op); ++ return &range->op; ++ case NFTNL_EXPR_RANGE_FROM_DATA: ++ *data_len = range->data_from.len; ++ return &range->data_from.val; ++ case NFTNL_EXPR_RANGE_TO_DATA: ++ *data_len = range->data_to.len; ++ return &range->data_to.val; ++ } ++ return NULL; ++} ++ ++static int nftnl_expr_range_cb(const struct nlattr *attr, void *data) ++{ ++ const struct nlattr **tb = data; ++ int type = mnl_attr_get_type(attr); ++ ++ if (mnl_attr_type_valid(attr, NFTA_RANGE_MAX) < 0) ++ return MNL_CB_OK; ++ ++ switch(type) { ++ case NFTA_RANGE_SREG: ++ case NFTA_RANGE_OP: ++ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) ++ abi_breakage(); ++ break; ++ case NFTA_RANGE_FROM_DATA: ++ case NFTA_RANGE_TO_DATA: ++ if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) ++ abi_breakage(); ++ break; ++ } ++ ++ tb[type] = attr; ++ return MNL_CB_OK; ++} ++ ++static void ++nftnl_expr_range_build(struct nlmsghdr *nlh, const struct nftnl_expr *e) ++{ ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_SREG)) ++ mnl_attr_put_u32(nlh, NFTA_RANGE_SREG, htonl(range->sreg)); ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_OP)) ++ mnl_attr_put_u32(nlh, NFTA_RANGE_OP, htonl(range->op)); ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_FROM_DATA)) { ++ struct nlattr *nest; ++ ++ nest = mnl_attr_nest_start(nlh, NFTA_RANGE_FROM_DATA); ++ mnl_attr_put(nlh, NFTA_DATA_VALUE, range->data_from.len, ++ range->data_from.val); ++ mnl_attr_nest_end(nlh, nest); ++ } ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_TO_DATA)) { ++ struct nlattr *nest; ++ ++ nest = mnl_attr_nest_start(nlh, NFTA_RANGE_TO_DATA); ++ mnl_attr_put(nlh, NFTA_DATA_VALUE, range->data_to.len, ++ range->data_to.val); ++ mnl_attr_nest_end(nlh, nest); ++ } ++} ++ ++static int ++nftnl_expr_range_parse(struct nftnl_expr *e, struct nlattr *attr) ++{ ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ struct nlattr *tb[NFTA_RANGE_MAX+1] = {}; ++ int ret = 0; ++ ++ if (mnl_attr_parse_nested(attr, nftnl_expr_range_cb, tb) < 0) ++ return -1; ++ ++ if (tb[NFTA_RANGE_SREG]) { ++ range->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_RANGE_SREG])); ++ e->flags |= (1 << NFTA_RANGE_SREG); ++ } ++ if (tb[NFTA_RANGE_OP]) { ++ range->op = ntohl(mnl_attr_get_u32(tb[NFTA_RANGE_OP])); ++ e->flags |= (1 << NFTA_RANGE_OP); ++ } ++ if (tb[NFTA_RANGE_FROM_DATA]) { ++ ret = nftnl_parse_data(&range->data_from, ++ tb[NFTA_RANGE_FROM_DATA], NULL); ++ e->flags |= (1 << NFTA_RANGE_FROM_DATA); ++ } ++ if (tb[NFTA_RANGE_TO_DATA]) { ++ ret = nftnl_parse_data(&range->data_to, ++ tb[NFTA_RANGE_TO_DATA], NULL); ++ e->flags |= (1 << NFTA_RANGE_TO_DATA); ++ } ++ ++ return ret; ++} ++ ++static char *expr_range_str[] = { ++ [NFT_RANGE_EQ] = "eq", ++ [NFT_RANGE_NEQ] = "neq", ++}; ++ ++static const char *range2str(uint32_t op) ++{ ++ if (op > NFT_RANGE_NEQ) ++ return "unknown"; ++ ++ return expr_range_str[op]; ++} ++ ++static inline int nftnl_str2range(const char *op) ++{ ++ if (strcmp(op, "eq") == 0) ++ return NFT_RANGE_EQ; ++ else if (strcmp(op, "neq") == 0) ++ return NFT_RANGE_NEQ; ++ else { ++ errno = EINVAL; ++ return -1; ++ } ++} ++ ++static int nftnl_expr_range_json_parse(struct nftnl_expr *e, json_t *root, ++ struct nftnl_parse_err *err) ++{ ++#ifdef JSON_PARSING ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ const char *op; ++ uint32_t uval32; ++ int base; ++ ++ if (nftnl_jansson_parse_val(root, "sreg", NFTNL_TYPE_U32, &uval32, ++ err) == 0) ++ nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_SREG, uval32); ++ ++ op = nftnl_jansson_parse_str(root, "op", err); ++ if (op != NULL) { ++ base = nftnl_str2range(op); ++ if (base < 0) ++ return -1; ++ ++ nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_OP, base); ++ } ++ ++ if (nftnl_jansson_data_reg_parse(root, "data_from", ++ &range->data_from, err) == DATA_VALUE) ++ e->flags |= (1 << NFTNL_EXPR_RANGE_FROM_DATA); ++ ++ if (nftnl_jansson_data_reg_parse(root, "data_to", ++ &range->data_to, err) == DATA_VALUE) ++ e->flags |= (1 << NFTNL_EXPR_RANGE_TO_DATA); ++ ++ return 0; ++#else ++ errno = EOPNOTSUPP; ++ return -1; ++#endif ++} ++ ++static int nftnl_expr_range_export(char *buf, size_t size, ++ const struct nftnl_expr *e, int type) ++{ ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ NFTNL_BUF_INIT(b, buf, size); ++ ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_SREG)) ++ nftnl_buf_u32(&b, type, range->sreg, SREG); ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_OP)) ++ nftnl_buf_str(&b, type, range2str(range->op), OP); ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_FROM_DATA)) ++ nftnl_buf_reg(&b, type, &range->data_from, DATA_VALUE, DATA); ++ if (e->flags & (1 << NFTNL_EXPR_RANGE_TO_DATA)) ++ nftnl_buf_reg(&b, type, &range->data_to, DATA_VALUE, DATA); ++ ++ return nftnl_buf_done(&b); ++} ++ ++static int nftnl_expr_range_snprintf_default(char *buf, size_t size, ++ const struct nftnl_expr *e) ++{ ++ struct nftnl_expr_range *range = nftnl_expr_data(e); ++ int len = size, offset = 0, ret; ++ ++ ret = snprintf(buf, len, "%s reg %u ", ++ expr_range_str[range->op], range->sreg); ++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset); ++ ++ ret = nftnl_data_reg_snprintf(buf + offset, len, &range->data_from, ++ NFTNL_OUTPUT_DEFAULT, 0, DATA_VALUE); ++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset); ++ ++ ret = nftnl_data_reg_snprintf(buf + offset, len, &range->data_to, ++ NFTNL_OUTPUT_DEFAULT, 0, DATA_VALUE); ++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset); ++ ++ return offset; ++} ++ ++static int nftnl_expr_range_snprintf(char *buf, size_t size, uint32_t type, ++ uint32_t flags, const struct nftnl_expr *e) ++{ ++ switch (type) { ++ case NFTNL_OUTPUT_DEFAULT: ++ return nftnl_expr_range_snprintf_default(buf, size, e); ++ case NFTNL_OUTPUT_XML: ++ case NFTNL_OUTPUT_JSON: ++ return nftnl_expr_range_export(buf, size, e, type); ++ default: ++ break; ++ } ++ return -1; ++} ++ ++struct expr_ops expr_ops_range = { ++ .name = "range", ++ .alloc_len = sizeof(struct nftnl_expr_range), ++ .max_attr = NFTA_RANGE_MAX, ++ .set = nftnl_expr_range_set, ++ .get = nftnl_expr_range_get, ++ .parse = nftnl_expr_range_parse, ++ .build = nftnl_expr_range_build, ++ .snprintf = nftnl_expr_range_snprintf, ++ .json_parse = nftnl_expr_range_json_parse, ++}; +diff --git a/src/expr_ops.c b/src/expr_ops.c +index ae515af..80d9f4c 100644 +--- a/src/expr_ops.c ++++ b/src/expr_ops.c +@@ -21,6 +21,7 @@ extern struct expr_ops expr_ops_match; + extern struct expr_ops expr_ops_meta; + extern struct expr_ops expr_ops_nat; + extern struct expr_ops expr_ops_payload; ++extern struct expr_ops expr_ops_range; + extern struct expr_ops expr_ops_redir; + extern struct expr_ops expr_ops_reject; + extern struct expr_ops expr_ops_queue; +@@ -45,6 +46,7 @@ static struct expr_ops *expr_ops[] = { + &expr_ops_meta, + &expr_ops_nat, + &expr_ops_payload, ++ &expr_ops_range, + &expr_ops_redir, + &expr_ops_reject, + &expr_ops_queue, +diff --git a/tests/Makefile.am b/tests/Makefile.am +index c246034..673c4a7 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -27,6 +27,7 @@ check_PROGRAMS = nft-parsing-test \ + nft-expr_nat-test \ + nft-expr_payload-test \ + nft-expr_queue-test \ ++ nft-expr_range-test \ + nft-expr_redir-test \ + nft-expr_reject-test \ + nft-expr_target-test +@@ -100,6 +101,9 @@ nft_expr_payload_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + nft_expr_queue_test_SOURCES = nft-expr_queue-test.c + nft_expr_queue_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + ++nft_expr_range_test_SOURCES = nft-expr_range-test.c ++nft_expr_range_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} ++ + nft_expr_reject_test_SOURCES = nft-expr_reject-test.c + nft_expr_reject_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +diff --git a/tests/nft-expr_range-test.c b/tests/nft-expr_range-test.c +new file mode 100644 +index 0000000..b92dfc0 +--- /dev/null ++++ b/tests/nft-expr_range-test.c +@@ -0,0 +1,109 @@ ++/* ++ * (C) 2013 by Ana Rey Botello ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int test_ok = 1; ++ ++static void print_err(const char *msg) ++{ ++ test_ok = 0; ++ printf("\033[31mERROR:\e[0m %s\n", msg); ++} ++ ++static void range_nftnl_expr(struct nftnl_expr *rule_a, ++ struct nftnl_expr *rule_b) ++{ ++ uint32_t data_a, data_b; ++ ++ nftnl_expr_get(rule_a, NFTNL_EXPR_RANGE_FROM_DATA, &data_a); ++ nftnl_expr_get(rule_b, NFTNL_EXPR_RANGE_FROM_DATA, &data_b); ++ if (data_a != data_b) ++ print_err("Size of NFTNL_EXPR_RANGE_FROM_DATA mismatches"); ++ nftnl_expr_get(rule_a, NFTNL_EXPR_RANGE_TO_DATA, &data_a); ++ nftnl_expr_get(rule_b, NFTNL_EXPR_RANGE_TO_DATA, &data_b); ++ if (data_a != data_b) ++ print_err("Size of NFTNL_EXPR_RANGE_TO_DATA mismatches"); ++ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_RANGE_SREG) != ++ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_RANGE_SREG)) ++ print_err("Expr NFTNL_EXPR_RANGE_SREG mismatches"); ++ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_RANGE_OP) != ++ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_RANGE_OP)) ++ print_err("Expr NFTNL_EXPR_RANGE_OP mismatches"); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ struct nftnl_rule *a, *b; ++ struct nftnl_expr *ex; ++ struct nlmsghdr *nlh; ++ char buf[4096]; ++ struct nftnl_expr_iter *iter_a, *iter_b; ++ struct nftnl_expr *rule_a, *rule_b; ++ uint32_t data_a = 0x01010101, data_b = 0x02020202; ++ ++ a = nftnl_rule_alloc(); ++ b = nftnl_rule_alloc(); ++ if (a == NULL || b == NULL) ++ print_err("OOM"); ++ ex = nftnl_expr_alloc("range"); ++ if (ex == NULL) ++ print_err("OOM"); ++ ++ nftnl_expr_set(ex, NFTNL_EXPR_RANGE_FROM_DATA, ++ &data_a, sizeof(data_a)); ++ nftnl_expr_set(ex, NFTNL_EXPR_RANGE_TO_DATA, ++ &data_b, sizeof(data_b)); ++ nftnl_expr_set_u32(ex, NFTNL_EXPR_RANGE_SREG, 0x12345678); ++ nftnl_expr_set_u32(ex, NFTNL_EXPR_RANGE_OP, 0x78123456); ++ ++ nftnl_rule_add_expr(a, ex); ++ ++ nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234); ++ nftnl_rule_nlmsg_build_payload(nlh, a); ++ ++ if (nftnl_rule_nlmsg_parse(nlh, b) < 0) ++ print_err("parsing problems"); ++ ++ iter_a = nftnl_expr_iter_create(a); ++ iter_b = nftnl_expr_iter_create(b); ++ if (iter_a == NULL || iter_b == NULL) ++ print_err("OOM"); ++ rule_a = nftnl_expr_iter_next(iter_a); ++ rule_b = nftnl_expr_iter_next(iter_b); ++ if (rule_a == NULL || rule_b == NULL) ++ print_err("OOM"); ++ ++ range_nftnl_expr(rule_a, rule_b); ++ ++ if (nftnl_expr_iter_next(iter_a) != NULL || ++ nftnl_expr_iter_next(iter_b) != NULL) ++ print_err("More 1 expr."); ++ ++ nftnl_expr_iter_destroy(iter_a); ++ nftnl_expr_iter_destroy(iter_b); ++ nftnl_rule_free(a); ++ nftnl_rule_free(b); ++ ++ if (!test_ok) ++ exit(EXIT_FAILURE); ++ ++ printf("%s: \033[32mOK\e[0m\n", argv[0]); ++ return EXIT_SUCCESS; ++} +diff --git a/tests/test-script.sh b/tests/test-script.sh +index b040158..f4e1b7a 100755 +--- a/tests/test-script.sh ++++ b/tests/test-script.sh +@@ -12,6 +12,7 @@ + ./nft-expr_match-test + ./nft-expr_masq-test + ./nft-expr_meta-test ++./nft-expr_range-test + ./nft-expr_redir-test + ./nft-expr_nat-test + ./nft-expr_payload-test +-- +1.8.3.1 + diff --git a/SOURCES/0002-tests-stricter-string-attribute-validation.patch b/SOURCES/0002-tests-stricter-string-attribute-validation.patch new file mode 100644 index 0000000..da8a9b8 --- /dev/null +++ b/SOURCES/0002-tests-stricter-string-attribute-validation.patch @@ -0,0 +1,50 @@ +From 7c8016f4afb2c4ec5c717b1c830c655318a0c561 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 12:51:22 +0200 +Subject: [PATCH] tests: stricter string attribute validation + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1441084 +Upstream Status: libnftnl commit 57468cfa7916a + +commit 57468cfa7916aa6e21c977d1ddb6d0a0ad27edf7 +Author: Pablo Neira Ayuso +Date: Wed Jun 15 13:41:06 2016 +0200 + + tests: stricter string attribute validation + + In nft-expr_lookup-test.c, check for the strings instead of size. + + Signed-off-by: Pablo Neira Ayuso +--- + tests/nft-expr_lookup-test.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c +index ad028e9..2ca431b 100644 +--- a/tests/nft-expr_lookup-test.c ++++ b/tests/nft-expr_lookup-test.c +@@ -30,18 +30,15 @@ static void print_err(const char *msg) + static void cmp_nftnl_expr(struct nftnl_expr *rule_a, + struct nftnl_expr *rule_b) + { +- uint32_t data_lena, data_lenb; +- + if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_SREG) != + nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_SREG)) + print_err("Expr NFTNL_EXPR_LOOkUP_SREG mismatches"); + if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_DREG) != + nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_DREG)) + print_err("Expr NFTNL_EXPR_LOOkUP_DREG mismatches"); +- nftnl_expr_get(rule_a, NFTNL_EXPR_LOOKUP_SET, &data_lena); +- nftnl_expr_get(rule_b, NFTNL_EXPR_LOOKUP_SET, &data_lenb); +- if (data_lena != data_lenb) +- print_err("Expr NFTNL_EXPR_LOOKUP_SET size mismatches"); ++ if (strcmp(nftnl_expr_get_str(rule_a, NFTNL_EXPR_LOOKUP_SET), ++ nftnl_expr_get_str(rule_b, NFTNL_EXPR_LOOKUP_SET))) ++ print_err("Expr NFTNL_EXPR_LOOKUP_SET mismatches"); + } + + int main(int argc, char *argv[]) +-- +1.8.3.1 + diff --git a/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch b/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch new file mode 100644 index 0000000..3b681b9 --- /dev/null +++ b/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch @@ -0,0 +1,219 @@ +From 56dfbd950f20ece8193239d92e8f58fb3a48a3a9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 May 2017 12:51:22 +0200 +Subject: [PATCH] expr: lookup: give support for inverted matching + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1441084 +Upstream Status: libnftnl commit 5ad0e626492e8 + +commit 5ad0e626492e835fff65369c93d1e571013129e9 +Author: Arturo Borrero +Date: Fri Jun 24 09:07:02 2016 +0200 + + expr: lookup: give support for inverted matching + + Inverted matching support was included in the kernel, let's give support here + as well. + + Signed-off-by: Arturo Borrero Gonzalez + Signed-off-by: Pablo Neira Ayuso +--- + include/libnftnl/expr.h | 1 + + include/linux/netfilter/nf_tables.h | 6 ++++++ + src/expr/lookup.c | 32 +++++++++++++++++++++++++++++--- + tests/nft-expr_lookup-test.c | 4 ++++ + 4 files changed, 40 insertions(+), 3 deletions(-) + +diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h +index 5822a9e..b644264 100644 +--- a/include/libnftnl/expr.h ++++ b/include/libnftnl/expr.h +@@ -114,6 +114,7 @@ enum { + NFTNL_EXPR_LOOKUP_DREG, + NFTNL_EXPR_LOOKUP_SET, + NFTNL_EXPR_LOOKUP_SET_ID, ++ NFTNL_EXPR_LOOKUP_FLAGS, + }; + + enum { +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index 3b7b7f3..b35a86f 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -546,6 +546,10 @@ enum nft_cmp_attributes { + }; + #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) + ++enum nft_lookup_flags { ++ NFT_LOOKUP_F_INV = (1 << 0), ++}; ++ + /** + * enum nft_range_ops - nf_tables range operator + * +@@ -582,6 +586,7 @@ enum nft_range_attributes { + * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers) + * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32) ++ * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags) + */ + enum nft_lookup_attributes { + NFTA_LOOKUP_UNSPEC, +@@ -589,6 +594,7 @@ enum nft_lookup_attributes { + NFTA_LOOKUP_SREG, + NFTA_LOOKUP_DREG, + NFTA_LOOKUP_SET_ID, ++ NFTA_LOOKUP_FLAGS, + __NFTA_LOOKUP_MAX + }; + #define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1) +diff --git a/src/expr/lookup.c b/src/expr/lookup.c +index ed32ba6..59a3c5c 100644 +--- a/src/expr/lookup.c ++++ b/src/expr/lookup.c +@@ -26,6 +26,7 @@ struct nftnl_expr_lookup { + enum nft_registers dreg; + char *set_name; + uint32_t set_id; ++ uint32_t flags; + }; + + static int +@@ -47,6 +48,9 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_LOOKUP_SET_ID: + lookup->set_id = *((uint32_t *)data); + break; ++ case NFTNL_EXPR_LOOKUP_FLAGS: ++ lookup->flags = *((uint32_t *)data); ++ break; + default: + return -1; + } +@@ -70,6 +74,8 @@ nftnl_expr_lookup_get(const struct nftnl_expr *e, uint16_t type, + return lookup->set_name; + case NFTNL_EXPR_LOOKUP_SET_ID: + return &lookup->set_id; ++ case NFTNL_EXPR_LOOKUP_FLAGS: ++ return &lookup->flags; + } + return NULL; + } +@@ -86,6 +92,7 @@ static int nftnl_expr_lookup_cb(const struct nlattr *attr, void *data) + case NFTA_LOOKUP_SREG: + case NFTA_LOOKUP_DREG: + case NFTA_LOOKUP_SET_ID: ++ case NFTA_LOOKUP_FLAGS: + if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) + abi_breakage(); + break; +@@ -113,6 +120,8 @@ nftnl_expr_lookup_build(struct nlmsghdr *nlh, const struct nftnl_expr *e) + if (e->flags & (1 << NFTNL_EXPR_LOOKUP_SET_ID)) { + mnl_attr_put_u32(nlh, NFTA_LOOKUP_SET_ID, + htonl(lookup->set_id)); ++ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS)) ++ mnl_attr_put_u32(nlh, NFTA_LOOKUP_FLAGS, htonl(lookup->flags)); + } + } + +@@ -144,6 +153,10 @@ nftnl_expr_lookup_parse(struct nftnl_expr *e, struct nlattr *attr) + ntohl(mnl_attr_get_u32(tb[NFTA_LOOKUP_SET_ID])); + e->flags |= (1 << NFTNL_EXPR_LOOKUP_SET_ID); + } ++ if (tb[NFTA_LOOKUP_FLAGS]) { ++ lookup->flags = ntohl(mnl_attr_get_u32(tb[NFTA_LOOKUP_FLAGS])); ++ e->flags |= (1 << NFTNL_EXPR_LOOKUP_FLAGS); ++ } + + return ret; + } +@@ -154,7 +167,7 @@ nftnl_expr_lookup_json_parse(struct nftnl_expr *e, json_t *root, + { + #ifdef JSON_PARSING + const char *set_name; +- uint32_t sreg, dreg; ++ uint32_t sreg, dreg, flags; + + set_name = nftnl_jansson_parse_str(root, "set", err); + if (set_name != NULL) +@@ -166,6 +179,10 @@ nftnl_expr_lookup_json_parse(struct nftnl_expr *e, json_t *root, + if (nftnl_jansson_parse_reg(root, "dreg", NFTNL_TYPE_U32, &dreg, err) == 0) + nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_DREG, dreg); + ++ if (nftnl_jansson_parse_val(root, "flags", NFTNL_TYPE_U32, ++ &flags, err) == 0) ++ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags); ++ + return 0; + #else + errno = EOPNOTSUPP; +@@ -179,7 +196,7 @@ nftnl_expr_lookup_xml_parse(struct nftnl_expr *e, mxml_node_t *tree, + { + #ifdef XML_PARSING + const char *set_name; +- uint32_t sreg, dreg; ++ uint32_t sreg, dreg, flags; + + set_name = nftnl_mxml_str_parse(tree, "set", MXML_DESCEND_FIRST, + NFTNL_XML_MAND, err); +@@ -194,6 +211,11 @@ nftnl_expr_lookup_xml_parse(struct nftnl_expr *e, mxml_node_t *tree, + err) == 0) + nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_DREG, dreg); + ++ if (nftnl_mxml_num_parse(tree, "flags", MXML_DESCEND_FIRST, BASE_DEC, ++ &flags, NFTNL_TYPE_U32, ++ NFTNL_XML_MAND, err) == 0) ++ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags); ++ + return 0; + #else + errno = EOPNOTSUPP; +@@ -214,6 +236,8 @@ nftnl_expr_lookup_export(char *buf, size_t size, + nftnl_buf_u32(&b, type, l->sreg, SREG); + if (e->flags & (1 << NFTNL_EXPR_LOOKUP_DREG)) + nftnl_buf_u32(&b, type, l->dreg, DREG); ++ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS)) ++ nftnl_buf_u32(&b, type, l->flags, FLAGS); + + return nftnl_buf_done(&b); + } +@@ -228,12 +252,14 @@ nftnl_expr_lookup_snprintf_default(char *buf, size_t size, + ret = snprintf(buf, len, "reg %u set %s ", l->sreg, l->set_name); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + +- + if (e->flags & (1 << NFTNL_EXPR_LOOKUP_DREG)) { + ret = snprintf(buf+offset, len, "dreg %u ", l->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + ++ ret = snprintf(buf + offset, len, "0x%x ", l->flags); ++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset); ++ + return offset; + } + +diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c +index 2ca431b..e52a68f 100644 +--- a/tests/nft-expr_lookup-test.c ++++ b/tests/nft-expr_lookup-test.c +@@ -39,6 +39,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a, + if (strcmp(nftnl_expr_get_str(rule_a, NFTNL_EXPR_LOOKUP_SET), + nftnl_expr_get_str(rule_b, NFTNL_EXPR_LOOKUP_SET))) + print_err("Expr NFTNL_EXPR_LOOKUP_SET mismatches"); ++ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_FLAGS) != ++ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_FLAGS)) ++ print_err("Expr NFTNL_EXPR_LOOkUP_FLAGS mismatches"); + } + + int main(int argc, char *argv[]) +@@ -63,6 +66,7 @@ int main(int argc, char *argv[]) + nftnl_expr_set_u32(ex, NFTNL_EXPR_LOOKUP_DREG, 0x12345678); + nftnl_expr_set(ex, NFTNL_EXPR_LOOKUP_SET, &lookup_set, + sizeof(lookup_set)); ++ nftnl_expr_set_u32(ex, NFTNL_EXPR_LOOKUP_FLAGS, 0x12345678); + + nftnl_rule_add_expr(a, ex); + +-- +1.8.3.1 + diff --git a/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch b/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch new file mode 100644 index 0000000..8abb9dd --- /dev/null +++ b/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch @@ -0,0 +1,49 @@ +From 111c6c9c326113cda15ea9180ff8f4b5377434cf Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:28:55 +0200 +Subject: [PATCH] set: prevent memleak in nftnl_jansson_parse_set_info() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353311 +Upstream Status: libnftnl commit d29f0825c33af + +commit d29f0825c33af8c53a939b7f0e8d5beb2ed48c83 +Author: Phil Sutter +Date: Fri Aug 12 01:33:33 2016 +0200 + + set: prevent memleak in nftnl_jansson_parse_set_info() + + During list populating, in error case the function returns without + freeing the newly allocated 'elem' object, thereby losing any references + to it. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/set.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/set.c b/src/set.c +index dbea93b..9560ccc 100644 +--- a/src/set.c ++++ b/src/set.c +@@ -566,12 +566,12 @@ static int nftnl_jansson_parse_set_info(struct nftnl_set *s, json_t *tree, + return -1; + + json_elem = json_array_get(array, i); +- if (json_elem == NULL) +- return -1; +- +- if (nftnl_jansson_set_elem_parse(elem, +- json_elem, err) < 0) ++ if (json_elem == NULL || ++ nftnl_jansson_set_elem_parse(elem, ++ json_elem, err) < 0) { ++ free(elem); + return -1; ++ } + + list_add_tail(&elem->head, &s->element_list); + } +-- +1.8.3.1 + diff --git a/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch b/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch new file mode 100644 index 0000000..dbbac28 --- /dev/null +++ b/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch @@ -0,0 +1,44 @@ +From 7413de9ca21bcb7c3de2af37c99ab858615430fc Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:28:55 +0200 +Subject: [PATCH] utils: Don't return directly from SNPRINTF_BUFFER_SIZE + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353311 +Upstream Status: libnftnl commit 9afae310b019a + +commit 9afae310b019aa497afb94833afc9a936bc38a1f +Author: Phil Sutter +Date: Fri Aug 12 14:39:50 2016 +0200 + + utils: Don't return directly from SNPRINTF_BUFFER_SIZE + + Apart from being a bad idea in general, the return statement contained + in that macro in some cases leads to returning from functions without + properly cleaning up, thereby causing memory leaks. + + Instead, just sanitize the value in 'ret' to not harm further calls of + snprintf() (as 'len' will eventually just become zero). + + Cc: Arturo Borrero + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + include/utils.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/utils.h b/include/utils.h +index 46ff18a..ae596c5 100644 +--- a/include/utils.h ++++ b/include/utils.h +@@ -45,7 +45,7 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line); + + #define SNPRINTF_BUFFER_SIZE(ret, size, len, offset) \ + if (ret < 0) \ +- return ret; \ ++ ret = 0; \ + offset += ret; \ + if (ret > len) \ + ret = len; \ +-- +1.8.3.1 + diff --git a/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch b/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch new file mode 100644 index 0000000..35cd08e --- /dev/null +++ b/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch @@ -0,0 +1,41 @@ +From 330acafe4d0dec5dfa3b110e26e24aaa189ea8dc Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:32:00 +0200 +Subject: [PATCH] expr/ct: prevent array index overrun in ctkey2str() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353309 +Upstream Status: libnftnl commit cca54d5e9c3f4 + +commit cca54d5e9c3f436cd85bc55415c08bf671bfefe6 +Author: Phil Sutter +Date: Fri Aug 12 01:33:35 2016 +0200 + + expr/ct: prevent array index overrun in ctkey2str() + + The array has NFT_CT_MAX fields, so indices must be less than that + number. + + Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers") + Cc: Arturo Borrero Gonzalez + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/expr/ct.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/expr/ct.c b/src/expr/ct.c +index 7d96df4..1a53b49 100644 +--- a/src/expr/ct.c ++++ b/src/expr/ct.c +@@ -173,7 +173,7 @@ static const char *ctkey2str_array[NFT_CT_MAX] = { + + static const char *ctkey2str(uint32_t ctkey) + { +- if (ctkey > NFT_CT_MAX) ++ if (ctkey >= NFT_CT_MAX) + return "unknown"; + + return ctkey2str_array[ctkey]; +-- +1.8.3.1 + diff --git a/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch b/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch new file mode 100644 index 0000000..c01f81b --- /dev/null +++ b/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch @@ -0,0 +1,224 @@ +From 47e07d1a242b18b17602144cc7de260b6291f9e5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:33:42 +0200 +Subject: [PATCH] src: Fix nftnl_*_get_data() to return the real attribute + length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353322 +Upstream Status: libnftnl commit bda7102d60bfd + +commit bda7102d60bfdab2aa3f36ebd09a119206f264d0 +Author: Carlos Falgueras García +Date: Mon Jul 11 18:07:40 2016 +0200 + + src: Fix nftnl_*_get_data() to return the real attribute length + + All getters must set the memory size of the attributes, ie. this + includes the nul-termination in strings. + + For references to opaque objects hidden behind the curtain, report + a zero size. + + Signed-off-by: Carlos Falgueras García + Signed-off-by: Pablo Neira Ayuso +--- + src/chain.c | 3 +++ + src/expr.c | 1 + + src/expr/dynset.c | 3 +++ + src/expr/lookup.c | 3 +++ + src/gen.c | 1 + + src/rule.c | 2 ++ + src/set.c | 2 ++ + src/set_elem.c | 6 ++++++ + src/table.c | 1 + + src/trace.c | 6 +++--- + 10 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/src/chain.c b/src/chain.c +index 990c576..c956cec 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -268,8 +268,10 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr, + + switch(attr) { + case NFTNL_CHAIN_NAME: ++ *data_len = strlen(c->name) + 1; + return c->name; + case NFTNL_CHAIN_TABLE: ++ *data_len = strlen(c->table) + 1; + return c->table; + case NFTNL_CHAIN_HOOKNUM: + *data_len = sizeof(uint32_t); +@@ -299,6 +301,7 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr, + *data_len = sizeof(uint32_t); + return c->type; + case NFTNL_CHAIN_DEV: ++ *data_len = strlen(c->dev) + 1; + return c->dev; + } + return NULL; +diff --git a/src/expr.c b/src/expr.c +index ed07dc4..4a28dd2 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -120,6 +120,7 @@ const void *nftnl_expr_get(const struct nftnl_expr *expr, + + switch(type) { + case NFTNL_EXPR_NAME: ++ *data_len = strlen(expr->ops->name) + 1; + ret = expr->ops->name; + break; + default: +diff --git a/src/expr/dynset.c b/src/expr/dynset.c +index c8d97a5..9b21dfa 100644 +--- a/src/expr/dynset.c ++++ b/src/expr/dynset.c +@@ -86,10 +86,13 @@ nftnl_expr_dynset_get(const struct nftnl_expr *e, uint16_t type, + *data_len = sizeof(dynset->timeout); + return &dynset->timeout; + case NFTNL_EXPR_DYNSET_SET_NAME: ++ *data_len = strlen(dynset->set_name) + 1; + return dynset->set_name; + case NFTNL_EXPR_DYNSET_SET_ID: ++ *data_len = sizeof(dynset->set_id); + return &dynset->set_id; + case NFTNL_EXPR_DYNSET_EXPR: ++ *data_len = 0; + return dynset->expr; + } + return NULL; +diff --git a/src/expr/lookup.c b/src/expr/lookup.c +index 59a3c5c..1c7f3f7 100644 +--- a/src/expr/lookup.c ++++ b/src/expr/lookup.c +@@ -71,10 +71,13 @@ nftnl_expr_lookup_get(const struct nftnl_expr *e, uint16_t type, + *data_len = sizeof(lookup->dreg); + return &lookup->dreg; + case NFTNL_EXPR_LOOKUP_SET: ++ *data_len = strlen(lookup->set_name) + 1; + return lookup->set_name; + case NFTNL_EXPR_LOOKUP_SET_ID: ++ *data_len = sizeof(lookup->set_id); + return &lookup->set_id; + case NFTNL_EXPR_LOOKUP_FLAGS: ++ *data_len = sizeof(lookup->flags); + return &lookup->flags; + } + return NULL; +diff --git a/src/gen.c b/src/gen.c +index 115a105..f114a9c 100644 +--- a/src/gen.c ++++ b/src/gen.c +@@ -101,6 +101,7 @@ const void *nftnl_gen_get_data(const struct nftnl_gen *gen, uint16_t attr, + + switch(attr) { + case NFTNL_GEN_ID: ++ *data_len = sizeof(gen->id); + return &gen->id; + } + return NULL; +diff --git a/src/rule.c b/src/rule.c +index 8ee8648..b0fe30d 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -214,8 +214,10 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr, + *data_len = sizeof(uint32_t); + return &r->family; + case NFTNL_RULE_TABLE: ++ *data_len = strlen(r->table) + 1; + return r->table; + case NFTNL_RULE_CHAIN: ++ *data_len = strlen(r->chain) + 1; + return r->chain; + case NFTNL_RULE_HANDLE: + *data_len = sizeof(uint64_t); +diff --git a/src/set.c b/src/set.c +index 9560ccc..cc49891 100644 +--- a/src/set.c ++++ b/src/set.c +@@ -204,8 +204,10 @@ const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr, + + switch(attr) { + case NFTNL_SET_TABLE: ++ *data_len = strlen(s->table) + 1; + return s->table; + case NFTNL_SET_NAME: ++ *data_len = strlen(s->name) + 1; + return s->name; + case NFTNL_SET_FLAGS: + *data_len = sizeof(uint32_t); +diff --git a/src/set_elem.c b/src/set_elem.c +index b9c7e1e..157a233 100644 +--- a/src/set_elem.c ++++ b/src/set_elem.c +@@ -166,25 +166,31 @@ const void *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t + + switch(attr) { + case NFTNL_SET_ELEM_FLAGS: ++ *data_len = sizeof(s->set_elem_flags); + return &s->set_elem_flags; + case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */ + *data_len = s->key.len; + return &s->key.val; + case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */ ++ *data_len = sizeof(s->data.verdict); + return &s->data.verdict; + case NFTNL_SET_ELEM_CHAIN: /* NFTA_SET_ELEM_DATA */ ++ *data_len = strlen(s->data.chain) + 1; + return s->data.chain; + case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */ + *data_len = s->data.len; + return &s->data.val; + case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */ ++ *data_len = sizeof(s->timeout); + return &s->timeout; + case NFTNL_SET_ELEM_EXPIRATION: /* NFTA_SET_ELEM_EXPIRATION */ ++ *data_len = sizeof(s->expiration); + return &s->expiration; + case NFTNL_SET_ELEM_USERDATA: + *data_len = s->user.len; + return s->user.data; + case NFTNL_SET_ELEM_EXPR: ++ *data_len = 0; + return s->expr; + } + return NULL; +diff --git a/src/table.c b/src/table.c +index 42fe49f..b58ce73 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -145,6 +145,7 @@ const void *nftnl_table_get_data(const struct nftnl_table *t, uint16_t attr, + + switch(attr) { + case NFTNL_TABLE_NAME: ++ *data_len = strlen(t->name) + 1; + return t->name; + case NFTNL_TABLE_FLAGS: + *data_len = sizeof(uint32_t); +diff --git a/src/trace.c b/src/trace.c +index 921fa21..2572d2c 100644 +--- a/src/trace.c ++++ b/src/trace.c +@@ -165,13 +165,13 @@ const void *nftnl_trace_get_data(const struct nftnl_trace *trace, + *data_len = sizeof(uint32_t); + return &trace->type; + case NFTNL_TRACE_CHAIN: +- *data_len = strlen(trace->chain); ++ *data_len = strlen(trace->chain) + 1; + return trace->chain; + case NFTNL_TRACE_TABLE: +- *data_len = strlen(trace->table); ++ *data_len = strlen(trace->table) + 1; + return trace->table; + case NFTNL_TRACE_JUMP_TARGET: +- *data_len = strlen(trace->jump_target); ++ *data_len = strlen(trace->jump_target) + 1; + return trace->jump_target; + case NFTNL_TRACE_TRANSPORT_HEADER: + *data_len = trace->th.len; +-- +1.8.3.1 + diff --git a/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch b/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch new file mode 100644 index 0000000..8095cdd --- /dev/null +++ b/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch @@ -0,0 +1,46 @@ +From 42797f72106dffd348e195b5d8d81bfe1eaff3d6 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:33:42 +0200 +Subject: [PATCH] ruleset: Initialize ctx.flags before calling + nftnl_ruleset_ctx_set() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353322 +Upstream Status: libnftnl commit 6257aaf53ede6 + +commit 6257aaf53ede6456e28b0224d215c811f534ff35 +Author: Phil Sutter +Date: Fri Aug 12 01:33:39 2016 +0200 + + ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set() + + The called function otherwise accesses uninitialized data. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/ruleset.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/ruleset.c b/src/ruleset.c +index 414b7c4..ec4cb1d 100644 +--- a/src/ruleset.c ++++ b/src/ruleset.c +@@ -555,6 +555,7 @@ static int nftnl_ruleset_json_parse(const void *json, + + ctx.cb = cb; + ctx.format = type; ++ ctx.flags = 0; + + ctx.set_list = nftnl_set_list_alloc(); + if (ctx.set_list == NULL) +@@ -686,6 +687,7 @@ static int nftnl_ruleset_xml_parse(const void *xml, struct nftnl_parse_err *err, + + ctx.cb = cb; + ctx.format = type; ++ ctx.flags = 0; + + ctx.set_list = nftnl_set_list_alloc(); + if (ctx.set_list == NULL) +-- +1.8.3.1 + diff --git a/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch b/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch new file mode 100644 index 0000000..360d024 --- /dev/null +++ b/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch @@ -0,0 +1,39 @@ +From 546add7a95c037d9149b2c921b22f32ccb26896e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:34:38 +0200 +Subject: [PATCH] expr/limit: Drop unreachable code in limit_to_type() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353312 +Upstream Status: libnftnl commit e381cd99e9eb0 + +commit e381cd99e9eb0e9519a976c8288f6b9e051ada3a +Author: Phil Sutter +Date: Fri Aug 12 01:33:36 2016 +0200 + + expr/limit: Drop unreachable code in limit_to_type() + + The function returns from inside the switch() in any case, so the final + return statement is never reached. + + Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support") + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/expr/limit.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/expr/limit.c b/src/expr/limit.c +index 4bd096e..cdff81d 100644 +--- a/src/expr/limit.c ++++ b/src/expr/limit.c +@@ -259,7 +259,6 @@ static const char *limit_to_type(enum nft_limit_type type) + case NFT_LIMIT_PKT_BYTES: + return "bytes"; + } +- return "unknown"; + } + + static int nftnl_expr_limit_snprintf_default(char *buf, size_t len, +-- +1.8.3.1 + diff --git a/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch b/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch new file mode 100644 index 0000000..3404edd --- /dev/null +++ b/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch @@ -0,0 +1,82 @@ +From 70f1f3c92363364544843c26c6ecf4555a89f0b4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 12:35:54 +0200 +Subject: [PATCH] src: Avoid returning uninitialized data + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353319 +Upstream Status: libnftnl commit 7a150cacc1754 + +commit 7a150cacc1754f66525f0e87b14b35fbc2a6338e +Author: Phil Sutter +Date: Fri Aug 12 01:33:38 2016 +0200 + + src: Avoid returning uninitialized data + + Although the 'err' pointer should be interesting for users only if the + parser returned non-zero, having it point to uninitialized data is + generally a bad thing. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/chain.c | 2 +- + src/rule.c | 2 +- + src/set.c | 2 +- + src/table.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/chain.c b/src/chain.c +index c956cec..ff87d1b 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -801,7 +801,7 @@ static int nftnl_chain_do_parse(struct nftnl_chain *c, enum nftnl_parse_type typ + enum nftnl_parse_input input) + { + int ret; +- struct nftnl_parse_err perr; ++ struct nftnl_parse_err perr = {}; + + switch (type) { + case NFTNL_PARSE_XML: +diff --git a/src/rule.c b/src/rule.c +index b0fe30d..f202d03 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -689,7 +689,7 @@ static int nftnl_rule_do_parse(struct nftnl_rule *r, enum nftnl_parse_type type, + enum nftnl_parse_input input) + { + int ret; +- struct nftnl_parse_err perr; ++ struct nftnl_parse_err perr = {}; + + switch (type) { + case NFTNL_PARSE_XML: +diff --git a/src/set.c b/src/set.c +index cc49891..7e44769 100644 +--- a/src/set.c ++++ b/src/set.c +@@ -739,7 +739,7 @@ static int nftnl_set_do_parse(struct nftnl_set *s, enum nftnl_parse_type type, + enum nftnl_parse_input input) + { + int ret; +- struct nftnl_parse_err perr; ++ struct nftnl_parse_err perr = {}; + + switch (type) { + case NFTNL_PARSE_XML: +diff --git a/src/table.c b/src/table.c +index b58ce73..6eb344e 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -359,7 +359,7 @@ static int nftnl_table_do_parse(struct nftnl_table *t, enum nftnl_parse_type typ + enum nftnl_parse_input input) + { + int ret; +- struct nftnl_parse_err perr; ++ struct nftnl_parse_err perr = {}; + + switch (type) { + case NFTNL_PARSE_XML: +-- +1.8.3.1 + diff --git a/SOURCES/0011-chain-dynamically-allocate-name.patch b/SOURCES/0011-chain-dynamically-allocate-name.patch new file mode 100644 index 0000000..ea72666 --- /dev/null +++ b/SOURCES/0011-chain-dynamically-allocate-name.patch @@ -0,0 +1,108 @@ +From 52e03423b7fb8d3ae8cae1770c70c7519a03f341 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 16 May 2017 15:29:27 +0200 +Subject: [PATCH] chain: dynamically allocate name + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353320 +Upstream Status: libnftnl commit 23c2ef2f9812a +Conflicts: Patch applied manually to fit the rest of the code which was + changed changed a lot upstream. Future backports of the + following commits have to adjust code added here as well: + * 8f4de3888ce74 ("src: return value on setters that + internally allocate memory") + * 46b887ca6b038 ("src: simplify unsetters") + * 50b175dbd598e ("src: check for flags before releasing + attributes") + +commit 23c2ef2f9812a04c3bd8248de70cad37a176550a +Author: Pablo Neira Ayuso +Date: Fri Jun 10 14:34:10 2016 +0200 + + chain: dynamically allocate name + + Just in case we ever support chain with larger names in the future, + this will ensure the library doesn't break. Although I don't expect + allocating more bytes for this anytime soon, but let's be conservative + here. + + Signed-off-by: Pablo Neira Ayuso +--- + src/chain.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/src/chain.c b/src/chain.c +index ff87d1b..a91f1bc 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -32,7 +32,7 @@ + struct nftnl_chain { + struct list_head head; + +- char name[NFT_CHAIN_MAXNAMELEN]; ++ const char *name; + const char *type; + const char *table; + const char *dev; +@@ -95,13 +95,14 @@ EXPORT_SYMBOL_ALIAS(nftnl_chain_alloc, nft_chain_alloc); + + void nftnl_chain_free(const struct nftnl_chain *c) + { ++ if (c->name != NULL) ++ xfree(c->name); + if (c->table != NULL) + xfree(c->table); + if (c->type != NULL) + xfree(c->type); + if (c->dev != NULL) + xfree(c->dev); +- + xfree(c); + } + EXPORT_SYMBOL_ALIAS(nftnl_chain_free, nft_chain_free); +@@ -118,6 +119,12 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr) + return; + + switch (attr) { ++ case NFTNL_CHAIN_NAME: ++ if (c->name) { ++ xfree(c->name); ++ c->name = NULL; ++ } ++ break; + case NFTNL_CHAIN_TABLE: + if (c->table) { + xfree(c->table); +@@ -132,7 +139,6 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr) + c->type = NULL; + } + break; +- case NFTNL_CHAIN_NAME: + case NFTNL_CHAIN_HOOKNUM: + case NFTNL_CHAIN_PRIO: + case NFTNL_CHAIN_POLICY: +@@ -175,7 +181,10 @@ void nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, + + switch(attr) { + case NFTNL_CHAIN_NAME: +- strncpy(c->name, data, NFT_CHAIN_MAXNAMELEN); ++ if (c->name) ++ xfree(c->name); ++ ++ c->name = strdup(data); + break; + case NFTNL_CHAIN_TABLE: + if (c->table) +@@ -533,8 +542,8 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c) + return -1; + + if (tb[NFTA_CHAIN_NAME]) { +- strncpy(c->name, mnl_attr_get_str(tb[NFTA_CHAIN_NAME]), +- NFT_CHAIN_MAXNAMELEN); ++ xfree(c->name); ++ c->name = strdup(mnl_attr_get_str(tb[NFTA_CHAIN_NAME])); + c->flags |= (1 << NFTNL_CHAIN_NAME); + } + if (tb[NFTA_CHAIN_TABLE]) { +-- +1.8.3.1 + diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec index 608c7b2..cf41127 100644 --- a/SPECS/libnftnl.spec +++ b/SPECS/libnftnl.spec @@ -1,13 +1,30 @@ +%define rpmversion 1.0.6 +%define specrelease 6%{?dist} + Name: libnftnl -Version: 1.0.6 -Release: 1%{?dist} +Version: %{rpmversion} +Release: %{specrelease}%{?buildid} Summary: Library for low-level interaction with nftables Netlink's API over libmnl License: GPLv2+ URL: http://netfilter.org/projects/libnftnl/ -Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2 +Source0: %{name}-%{version}.tar.xz +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool BuildRequires: libmnl-devel #BuildRequires: mxml-devel BuildRequires: jansson-devel +Patch0: 0001-src-add-range-expression.patch +Patch1: 0002-tests-stricter-string-attribute-validation.patch +Patch2: 0003-expr-lookup-give-support-for-inverted-matching.patch +Patch3: 0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch +Patch4: 0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch +Patch5: 0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch +Patch6: 0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch +Patch7: 0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch +Patch8: 0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch +Patch9: 0010-src-Avoid-returning-uninitialized-data.patch +Patch10: 0011-chain-dynamically-allocate-name.patch %description A library for low-level interaction with nftables Netlink's API over libmnl. @@ -20,9 +37,15 @@ The %{name}-devel package contains libraries and header files for developing applications that use %{name}. %prep -%setup -q +%autosetup -p1 %build +# This is what autogen.sh (only in git repo) does - without it, patches changing +# Makefile.am cause the build system to regenerate Makefile.in and trying to use +# automake-1.14 for that which is not available in RHEL. +autoreconf -fi +rm -rf autom4te*.cache + %configure --disable-static --disable-silent-rules \ --with-json-parsing --without-xml-parsing make %{?_smp_mflags} @@ -48,5 +71,28 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %{_includedir}/libnftnl %changelog +* Tue May 16 2017 Phil Sutter [1.0.6-6.el7] +- chain: dynamically allocate name (Phil Sutter) [1353320] +- src: Avoid returning uninitialized data (Phil Sutter) [1353319] +- expr/limit: Drop unreachable code in limit_to_type() (Phil Sutter) [1353312] +- ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set() (Phil Sutter) [1353322] +- src: Fix nftnl_*_get_data() to return the real attribute length (Phil Sutter) [1353322] +- expr/ct: prevent array index overrun in ctkey2str() (Phil Sutter) [1353309] +- utils: Don't return directly from SNPRINTF_BUFFER_SIZE (Phil Sutter) [1353311] +- set: prevent memleak in nftnl_jansson_parse_set_info() (Phil Sutter) [1353311] + +* Fri May 12 2017 Phil Sutter [1.0.6-5.el7] +- expr: lookup: give support for inverted matching (Phil Sutter) [1441084] +- tests: stricter string attribute validation (Phil Sutter) [1441084] + +* Thu Feb 23 2017 Phil Sutter [1.0.6-4.el7] +- Add automake and libtool as additional build requirements (Phil Sutter) [1418967] + +* Thu Feb 23 2017 Phil Sutter [1.0.6-3.el7] +- Fix libnftnl.spec for patches changing Makefile.am (Phil Sutter) [1418967] + +* Thu Feb 23 2017 Phil Sutter [1.0.6-2.el7] +- src: add range expression (Phil Sutter) [1418967] + * Wed Jun 29 2016 Phil Sutter 1.0.6-1 - Rebased from Fedora Rawhide and adjusted for RHEL review.