* [libnftnl PATCH 1/6] tests: Fix objref test case
From: Phil Sutter @ 2023-12-15 21:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Probably a c'n'p bug, the test would allocate a lookup expression
instead of the objref one to be tested.
Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/nft-expr_objref-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/nft-expr_objref-test.c b/tests/nft-expr_objref-test.c
index 08e27ce49d72a..9e698df38e255 100644
--- a/tests/nft-expr_objref-test.c
+++ b/tests/nft-expr_objref-test.c
@@ -52,7 +52,7 @@ int main(int argc, char *argv[])
b = nftnl_rule_alloc();
if (a == NULL || b == NULL)
print_err("OOM");
- ex = nftnl_expr_alloc("lookup");
+ ex = nftnl_expr_alloc("objref");
if (ex == NULL)
print_err("OOM");
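Review bot: The corrected `ex = nftnl_expr_alloc("objref");` is still not verified by the test, which is how the copied "lookup" string went unnoticed in the first place. A cheap guard after the OOM check would catch a recurrence: `if (strcmp(nftnl_expr_get_str(ex, NFTNL_EXPR_NAME), "objref") != 0) print_err("wrong expression type");`. main() starts and ends outside the hunk, so I cannot see whether a later comparison already covers the expression name.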
--
2.43.0
* [libnftnl PATCH 2/6] expr: Repurpose struct expr_ops::max_attr field
From: Phil Sutter @ 2023-12-15 21:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value.
This will be used for index boundary checks in an attribute policy
array later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/expr_ops.h | 2 +-
include/libnftnl/expr.h | 39 +++++++++++++++++++++++++++++++++++++++
src/expr/bitwise.c | 2 +-
src/expr/byteorder.c | 2 +-
src/expr/cmp.c | 2 +-
src/expr/connlimit.c | 2 +-
src/expr/counter.c | 2 +-
src/expr/ct.c | 2 +-
src/expr/dup.c | 2 +-
src/expr/dynset.c | 2 +-
src/expr/exthdr.c | 2 +-
src/expr/fib.c | 2 +-
src/expr/flow_offload.c | 2 +-
src/expr/fwd.c | 2 +-
src/expr/hash.c | 2 +-
src/expr/immediate.c | 2 +-
src/expr/inner.c | 2 +-
src/expr/last.c | 2 +-
src/expr/limit.c | 2 +-
src/expr/log.c | 2 +-
src/expr/lookup.c | 2 +-
src/expr/masq.c | 2 +-
src/expr/match.c | 2 +-
src/expr/meta.c | 2 +-
src/expr/nat.c | 2 +-
src/expr/numgen.c | 2 +-
src/expr/objref.c | 2 +-
src/expr/osf.c | 2 +-
src/expr/payload.c | 2 +-
src/expr/queue.c | 2 +-
src/expr/quota.c | 2 +-
src/expr/range.c | 2 +-
src/expr/redir.c | 2 +-
src/expr/reject.c | 2 +-
src/expr/rt.c | 2 +-
src/expr/socket.c | 2 +-
src/expr/synproxy.c | 2 +-
src/expr/target.c | 2 +-
src/expr/tproxy.c | 2 +-
src/expr/tunnel.c | 2 +-
src/expr/xfrm.c | 2 +-
41 files changed, 79 insertions(+), 40 deletions(-)
diff --git a/include/expr_ops.h b/include/expr_ops.h
index a7d747a2568a0..51b221483552c 100644
--- a/include/expr_ops.h
+++ b/include/expr_ops.h
@@ -11,7 +11,7 @@ struct nftnl_expr;
struct expr_ops {
const char *name;
uint32_t alloc_len;
- int max_attr;
+ int nftnl_max_attr;
void (*init)(const struct nftnl_expr *e);
void (*free)(const struct nftnl_expr *e);
int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len);
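Review bot: The renamed field `int nftnl_max_attr;` is the bound that decides which attribute types reach a callback, yet it carries no comment saying whether it is inclusive or which enum it indexes; readers of the 39 initializers in src/expr/*.c (`__NFTNL_EXPR_*_MAX - 1`) have to reverse-engineer that. Suggest `int nftnl_max_attr; /* highest valid NFTNL_EXPR_* value for this expression, inclusive */`. Since every initializer repeats the same `- 1`, a single helper macro in this header, e.g. `#define NFTNL_EXPR_MAX_ATTR(x) (__NFTNL_EXPR_##x##_MAX - 1)`, would make a miscount in one file less likely; optional. struct expr_ops continues past the hunk.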
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 9873228dd794a..fba1210622440 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -56,6 +56,7 @@ enum {
NFTNL_EXPR_PAYLOAD_CSUM_TYPE,
NFTNL_EXPR_PAYLOAD_CSUM_OFFSET,
NFTNL_EXPR_PAYLOAD_FLAGS,
+ __NFTNL_EXPR_PAYLOAD_MAX
};
enum {
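Review bot: The new sentinels `__NFTNL_EXPR_*_MAX` go into an installed public header, and identifiers beginning with a double underscore are reserved for the implementation (C11 7.1.3); the netfilter UAPI headers use the same `__NFTA_*_MAX` idiom, so this matches the project's surroundings, but a one-line comment on the first one, e.g. `__NFTNL_EXPR_PAYLOAD_MAX /* internal bound, not a valid attribute */`, would stop applications treating them as API. The same applies to every hunk in this file through `__NFTNL_EXPR_INNER_MAX`. Note also that enumerators marked deprecated, such as `NFTNL_EXPR_NG_SET_NAME` and `NFTNL_EXPR_HASH_SET_NAME`, stay inside the bound, so a range check derived from these sentinels still admits them; that is only fine if the callbacks keep handling them.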
@@ -65,34 +66,40 @@ enum {
NFTNL_EXPR_NG_OFFSET,
NFTNL_EXPR_NG_SET_NAME, /* deprecated */
NFTNL_EXPR_NG_SET_ID, /* deprecated */
+ __NFTNL_EXPR_NG_MAX
};
enum {
NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_META_DREG,
NFTNL_EXPR_META_SREG,
+ __NFTNL_EXPR_META_MAX
};
enum {
NFTNL_EXPR_RT_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_RT_DREG,
+ __NFTNL_EXPR_RT_MAX
};
enum {
NFTNL_EXPR_SOCKET_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_SOCKET_DREG,
NFTNL_EXPR_SOCKET_LEVEL,
+ __NFTNL_EXPR_SOCKET_MAX
};
enum {
NFTNL_EXPR_TUNNEL_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_TUNNEL_DREG,
+ __NFTNL_EXPR_TUNNEL_MAX
};
enum {
NFTNL_EXPR_CMP_SREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_CMP_OP,
NFTNL_EXPR_CMP_DATA,
+ __NFTNL_EXPR_CMP_MAX
};
enum {
@@ -100,6 +107,7 @@ enum {
NFTNL_EXPR_RANGE_OP,
NFTNL_EXPR_RANGE_FROM_DATA,
NFTNL_EXPR_RANGE_TO_DATA,
+ __NFTNL_EXPR_RANGE_MAX
};
enum {
@@ -108,16 +116,19 @@ enum {
NFTNL_EXPR_IMM_VERDICT,
NFTNL_EXPR_IMM_CHAIN,
NFTNL_EXPR_IMM_CHAIN_ID,
+ __NFTNL_EXPR_IMM_MAX
};
enum {
NFTNL_EXPR_CTR_PACKETS = NFTNL_EXPR_BASE,
NFTNL_EXPR_CTR_BYTES,
+ __NFTNL_EXPR_CTR_MAX
};
enum {
NFTNL_EXPR_CONNLIMIT_COUNT = NFTNL_EXPR_BASE,
NFTNL_EXPR_CONNLIMIT_FLAGS,
+ __NFTNL_EXPR_CONNLIMIT_MAX
};
enum {
@@ -128,18 +139,21 @@ enum {
NFTNL_EXPR_BITWISE_XOR,
NFTNL_EXPR_BITWISE_OP,
NFTNL_EXPR_BITWISE_DATA,
+ __NFTNL_EXPR_BITWISE_MAX
};
enum {
NFTNL_EXPR_TG_NAME = NFTNL_EXPR_BASE,
NFTNL_EXPR_TG_REV,
NFTNL_EXPR_TG_INFO,
+ __NFTNL_EXPR_TG_MAX
};
enum {
NFTNL_EXPR_MT_NAME = NFTNL_EXPR_BASE,
NFTNL_EXPR_MT_REV,
NFTNL_EXPR_MT_INFO,
+ __NFTNL_EXPR_MT_MAX
};
enum {
@@ -150,12 +164,14 @@ enum {
NFTNL_EXPR_NAT_REG_PROTO_MIN,
NFTNL_EXPR_NAT_REG_PROTO_MAX,
NFTNL_EXPR_NAT_FLAGS,
+ __NFTNL_EXPR_NAT_MAX
};
enum {
NFTNL_EXPR_TPROXY_FAMILY = NFTNL_EXPR_BASE,
NFTNL_EXPR_TPROXY_REG_ADDR,
NFTNL_EXPR_TPROXY_REG_PORT,
+ __NFTNL_EXPR_TPROXY_MAX
};
enum {
@@ -164,6 +180,7 @@ enum {
NFTNL_EXPR_LOOKUP_SET,
NFTNL_EXPR_LOOKUP_SET_ID,
NFTNL_EXPR_LOOKUP_FLAGS,
+ __NFTNL_EXPR_LOOKUP_MAX
};
enum {
@@ -176,6 +193,7 @@ enum {
NFTNL_EXPR_DYNSET_EXPR,
NFTNL_EXPR_DYNSET_EXPRESSIONS,
NFTNL_EXPR_DYNSET_FLAGS,
+ __NFTNL_EXPR_DYNSET_MAX
};
enum {
@@ -185,6 +203,7 @@ enum {
NFTNL_EXPR_LOG_QTHRESHOLD,
NFTNL_EXPR_LOG_LEVEL,
NFTNL_EXPR_LOG_FLAGS,
+ __NFTNL_EXPR_LOG_MAX
};
enum {
@@ -195,6 +214,7 @@ enum {
NFTNL_EXPR_EXTHDR_FLAGS,
NFTNL_EXPR_EXTHDR_OP,
NFTNL_EXPR_EXTHDR_SREG,
+ __NFTNL_EXPR_EXTHDR_MAX
};
enum {
@@ -202,6 +222,7 @@ enum {
NFTNL_EXPR_CT_KEY,
NFTNL_EXPR_CT_DIR,
NFTNL_EXPR_CT_SREG,
+ __NFTNL_EXPR_CT_MAX
};
enum {
@@ -210,6 +231,7 @@ enum {
NFTNL_EXPR_BYTEORDER_OP,
NFTNL_EXPR_BYTEORDER_LEN,
NFTNL_EXPR_BYTEORDER_SIZE,
+ __NFTNL_EXPR_BYTEORDER_MAX
};
enum {
@@ -218,11 +240,13 @@ enum {
NFTNL_EXPR_LIMIT_BURST,
NFTNL_EXPR_LIMIT_TYPE,
NFTNL_EXPR_LIMIT_FLAGS,
+ __NFTNL_EXPR_LIMIT_MAX
};
enum {
NFTNL_EXPR_REJECT_TYPE = NFTNL_EXPR_BASE,
NFTNL_EXPR_REJECT_CODE,
+ __NFTNL_EXPR_REJECT_MAX
};
enum {
@@ -230,39 +254,46 @@ enum {
NFTNL_EXPR_QUEUE_TOTAL,
NFTNL_EXPR_QUEUE_FLAGS,
NFTNL_EXPR_QUEUE_SREG_QNUM,
+ __NFTNL_EXPR_QUEUE_MAX
};
enum {
NFTNL_EXPR_QUOTA_BYTES = NFTNL_EXPR_BASE,
NFTNL_EXPR_QUOTA_FLAGS,
NFTNL_EXPR_QUOTA_CONSUMED,
+ __NFTNL_EXPR_QUOTA_MAX
};
enum {
NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE,
NFTNL_EXPR_MASQ_REG_PROTO_MIN,
NFTNL_EXPR_MASQ_REG_PROTO_MAX,
+ __NFTNL_EXPR_MASQ_MAX
};
enum {
NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE,
NFTNL_EXPR_REDIR_REG_PROTO_MAX,
NFTNL_EXPR_REDIR_FLAGS,
+ __NFTNL_EXPR_REDIR_MAX
};
enum {
NFTNL_EXPR_DUP_SREG_ADDR = NFTNL_EXPR_BASE,
NFTNL_EXPR_DUP_SREG_DEV,
+ __NFTNL_EXPR_DUP_MAX
};
enum {
NFTNL_EXPR_FLOW_TABLE_NAME = NFTNL_EXPR_BASE,
+ __NFTNL_EXPR_FLOW_MAX
};
enum {
NFTNL_EXPR_FWD_SREG_DEV = NFTNL_EXPR_BASE,
NFTNL_EXPR_FWD_SREG_ADDR,
NFTNL_EXPR_FWD_NFPROTO,
+ __NFTNL_EXPR_FWD_MAX
};
enum {
@@ -275,12 +306,14 @@ enum {
NFTNL_EXPR_HASH_TYPE,
NFTNL_EXPR_HASH_SET_NAME, /* deprecated */
NFTNL_EXPR_HASH_SET_ID, /* deprecated */
+ __NFTNL_EXPR_HASH_MAX
};
enum {
NFTNL_EXPR_FIB_DREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_FIB_RESULT,
NFTNL_EXPR_FIB_FLAGS,
+ __NFTNL_EXPR_FIB_MAX
};
enum {
@@ -289,12 +322,14 @@ enum {
NFTNL_EXPR_OBJREF_SET_SREG,
NFTNL_EXPR_OBJREF_SET_NAME,
NFTNL_EXPR_OBJREF_SET_ID,
+ __NFTNL_EXPR_OBJREF_MAX
};
enum {
NFTNL_EXPR_OSF_DREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_OSF_TTL,
NFTNL_EXPR_OSF_FLAGS,
+ __NFTNL_EXPR_OSF_MAX
};
enum {
@@ -303,17 +338,20 @@ enum {
NFTNL_EXPR_XFRM_KEY,
NFTNL_EXPR_XFRM_DIR,
NFTNL_EXPR_XFRM_SPNUM,
+ __NFTNL_EXPR_XFRM_MAX
};
enum {
NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE,
NFTNL_EXPR_SYNPROXY_WSCALE,
NFTNL_EXPR_SYNPROXY_FLAGS,
+ __NFTNL_EXPR_SYNPROXY_MAX
};
enum {
NFTNL_EXPR_LAST_MSECS = NFTNL_EXPR_BASE,
NFTNL_EXPR_LAST_SET,
+ __NFTNL_EXPR_LAST_MAX
};
enum {
@@ -321,6 +359,7 @@ enum {
NFTNL_EXPR_INNER_FLAGS,
NFTNL_EXPR_INNER_HDRSIZE,
NFTNL_EXPR_INNER_EXPR,
+ __NFTNL_EXPR_INNER_MAX
};
#ifdef __cplusplus
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index e5dba827f3d93..69efe1d7e868f 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -271,7 +271,7 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
struct expr_ops expr_ops_bitwise = {
.name = "bitwise",
.alloc_len = sizeof(struct nftnl_expr_bitwise),
- .max_attr = NFTA_BITWISE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1,
.set = nftnl_expr_bitwise_set,
.get = nftnl_expr_bitwise_get,
.parse = nftnl_expr_bitwise_parse,
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index 89ed0a8232af1..f05ae59b688eb 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -215,7 +215,7 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_byteorder = {
.name = "byteorder",
.alloc_len = sizeof(struct nftnl_expr_byteorder),
- .max_attr = NFTA_BYTEORDER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1,
.set = nftnl_expr_byteorder_set,
.get = nftnl_expr_byteorder_get,
.parse = nftnl_expr_byteorder_parse,
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 1d396e83411ab..40431fad56f3e 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -195,7 +195,7 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_cmp = {
.name = "cmp",
.alloc_len = sizeof(struct nftnl_expr_cmp),
- .max_attr = NFTA_CMP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1,
.set = nftnl_expr_cmp_set,
.get = nftnl_expr_cmp_get,
.parse = nftnl_expr_cmp_parse,
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 549417bf31e6b..3b6c36c490636 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -130,7 +130,7 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_connlimit = {
.name = "connlimit",
.alloc_len = sizeof(struct nftnl_expr_connlimit),
- .max_attr = NFTA_CONNLIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1,
.set = nftnl_expr_connlimit_set,
.get = nftnl_expr_connlimit_get,
.parse = nftnl_expr_connlimit_parse,
diff --git a/src/expr/counter.c b/src/expr/counter.c
index d139a5f758a0b..0595d505eb2fc 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -128,7 +128,7 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_counter = {
.name = "counter",
.alloc_len = sizeof(struct nftnl_expr_counter),
- .max_attr = NFTA_COUNTER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1,
.set = nftnl_expr_counter_set,
.get = nftnl_expr_counter_get,
.parse = nftnl_expr_counter_parse,
diff --git a/src/expr/ct.c b/src/expr/ct.c
index f4a2aeaf31acc..36b61fdeaaf26 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -253,7 +253,7 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_ct = {
.name = "ct",
.alloc_len = sizeof(struct nftnl_expr_ct),
- .max_attr = NFTA_CT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1,
.set = nftnl_expr_ct_set,
.get = nftnl_expr_ct_get,
.parse = nftnl_expr_ct_parse,
diff --git a/src/expr/dup.c b/src/expr/dup.c
index a239ff35640a6..33731cc29b165 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -133,7 +133,7 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_dup = {
.name = "dup",
.alloc_len = sizeof(struct nftnl_expr_dup),
- .max_attr = NFTA_DUP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1,
.set = nftnl_expr_dup_set,
.get = nftnl_expr_dup_get,
.parse = nftnl_expr_dup_parse,
diff --git a/src/expr/dynset.c b/src/expr/dynset.c
index 5bcf1c6f8b060..ee6ce1ec71563 100644
--- a/src/expr/dynset.c
+++ b/src/expr/dynset.c
@@ -366,7 +366,7 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_dynset = {
.name = "dynset",
.alloc_len = sizeof(struct nftnl_expr_dynset),
- .max_attr = NFTA_DYNSET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1,
.init = nftnl_expr_dynset_init,
.free = nftnl_expr_dynset_free,
.set = nftnl_expr_dynset_set,
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index 739c7ff2179f9..a1227a6cb4509 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -262,7 +262,7 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_exthdr = {
.name = "exthdr",
.alloc_len = sizeof(struct nftnl_expr_exthdr),
- .max_attr = NFTA_EXTHDR_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1,
.set = nftnl_expr_exthdr_set,
.get = nftnl_expr_exthdr_get,
.parse = nftnl_expr_exthdr_parse,
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 957f929ea912e..36637bd74f056 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -193,7 +193,7 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_fib = {
.name = "fib",
.alloc_len = sizeof(struct nftnl_expr_fib),
- .max_attr = NFTA_FIB_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1,
.set = nftnl_expr_fib_set,
.get = nftnl_expr_fib_get,
.parse = nftnl_expr_fib_parse,
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index 4fc0563bfb537..f60471240cc40 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -114,7 +114,7 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_flow = {
.name = "flow_offload",
.alloc_len = sizeof(struct nftnl_expr_flow),
- .max_attr = NFTA_FLOW_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1,
.free = nftnl_expr_flow_free,
.set = nftnl_expr_flow_set,
.get = nftnl_expr_flow_get,
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index 51f661258900f..3aaf328313cd9 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -153,7 +153,7 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_fwd = {
.name = "fwd",
.alloc_len = sizeof(struct nftnl_expr_fwd),
- .max_attr = NFTA_FWD_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1,
.set = nftnl_expr_fwd_set,
.get = nftnl_expr_fwd_get,
.parse = nftnl_expr_fwd_parse,
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 6e2dd197fa708..1fc72ec331a3d 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -221,7 +221,7 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_hash = {
.name = "hash",
.alloc_len = sizeof(struct nftnl_expr_hash),
- .max_attr = NFTA_HASH_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1,
.set = nftnl_expr_hash_set,
.get = nftnl_expr_hash_get,
.parse = nftnl_expr_hash_parse,
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index f56aa8fd69997..d60ca32400f18 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -221,7 +221,7 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_immediate = {
.name = "immediate",
.alloc_len = sizeof(struct nftnl_expr_immediate),
- .max_attr = NFTA_IMMEDIATE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1,
.free = nftnl_expr_immediate_free,
.set = nftnl_expr_immediate_set,
.get = nftnl_expr_immediate_get,
diff --git a/src/expr/inner.c b/src/expr/inner.c
index 7daae4f36adb0..cb6f607138ce3 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -204,7 +204,7 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags,
struct expr_ops expr_ops_inner = {
.name = "inner",
.alloc_len = sizeof(struct nftnl_expr_inner),
- .max_attr = NFTA_INNER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1,
.free = nftnl_expr_inner_free,
.set = nftnl_expr_inner_set,
.get = nftnl_expr_inner_get,
diff --git a/src/expr/last.c b/src/expr/last.c
index 641b713fca66f..273aaa1e14a85 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -129,7 +129,7 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_last = {
.name = "last",
.alloc_len = sizeof(struct nftnl_expr_last),
- .max_attr = NFTA_LAST_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1,
.set = nftnl_expr_last_set,
.get = nftnl_expr_last_get,
.parse = nftnl_expr_last_parse,
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 1870e0e473a90..a1f9eac390d91 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -197,7 +197,7 @@ nftnl_expr_limit_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_limit = {
.name = "limit",
.alloc_len = sizeof(struct nftnl_expr_limit),
- .max_attr = NFTA_LIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1,
.set = nftnl_expr_limit_set,
.get = nftnl_expr_limit_get,
.parse = nftnl_expr_limit_parse,
diff --git a/src/expr/log.c b/src/expr/log.c
index 180d83973d706..6df030d83fcd2 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -247,7 +247,7 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_log = {
.name = "log",
.alloc_len = sizeof(struct nftnl_expr_log),
- .max_attr = NFTA_LOG_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1,
.free = nftnl_expr_log_free,
.set = nftnl_expr_log_set,
.get = nftnl_expr_log_get,
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index a06c3385411ac..8b230818c1bed 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -200,7 +200,7 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_lookup = {
.name = "lookup",
.alloc_len = sizeof(struct nftnl_expr_lookup),
- .max_attr = NFTA_LOOKUP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1,
.free = nftnl_expr_lookup_free,
.set = nftnl_expr_lookup_set,
.get = nftnl_expr_lookup_get,
diff --git a/src/expr/masq.c b/src/expr/masq.c
index e6e528d9acca8..a103cc33e23f7 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -158,7 +158,7 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_masq = {
.name = "masq",
.alloc_len = sizeof(struct nftnl_expr_masq),
- .max_attr = NFTA_MASQ_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1,
.set = nftnl_expr_masq_set,
.get = nftnl_expr_masq_get,
.parse = nftnl_expr_masq_parse,
diff --git a/src/expr/match.c b/src/expr/match.c
index f472add1cbc8e..eed85db4d40d1 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -183,7 +183,7 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_match = {
.name = "match",
.alloc_len = sizeof(struct nftnl_expr_match),
- .max_attr = NFTA_MATCH_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1,
.free = nftnl_expr_match_free,
.set = nftnl_expr_match_set,
.get = nftnl_expr_match_get,
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 183f4412da218..f86fdffd3f14e 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -212,7 +212,7 @@ nftnl_expr_meta_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_meta = {
.name = "meta",
.alloc_len = sizeof(struct nftnl_expr_meta),
- .max_attr = NFTA_META_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1,
.set = nftnl_expr_meta_set,
.get = nftnl_expr_meta_get,
.parse = nftnl_expr_meta_parse,
diff --git a/src/expr/nat.c b/src/expr/nat.c
index ca727be0cda63..1d10bc1c5442d 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -269,7 +269,7 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_nat = {
.name = "nat",
.alloc_len = sizeof(struct nftnl_expr_nat),
- .max_attr = NFTA_NAT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1,
.set = nftnl_expr_nat_set,
.get = nftnl_expr_nat_get,
.parse = nftnl_expr_nat_parse,
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index d4020a6978e0c..3e83e05f2e3e0 100644
--- a/src/expr/numgen.c
+++ b/src/expr/numgen.c
@@ -175,7 +175,7 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_ng = {
.name = "numgen",
.alloc_len = sizeof(struct nftnl_expr_ng),
- .max_attr = NFTA_NG_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1,
.set = nftnl_expr_ng_set,
.get = nftnl_expr_ng_get,
.parse = nftnl_expr_ng_parse,
diff --git a/src/expr/objref.c b/src/expr/objref.c
index ad0688f46ec62..e96bd6977e93a 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -199,7 +199,7 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_objref = {
.name = "objref",
.alloc_len = sizeof(struct nftnl_expr_objref),
- .max_attr = NFTA_OBJREF_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1,
.free = nftnl_expr_objref_free,
.set = nftnl_expr_objref_set,
.get = nftnl_expr_objref_get,
diff --git a/src/expr/osf.c b/src/expr/osf.c
index f15a722233830..3838af72debeb 100644
--- a/src/expr/osf.c
+++ b/src/expr/osf.c
@@ -142,7 +142,7 @@ nftnl_expr_osf_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_osf = {
.name = "osf",
.alloc_len = sizeof(struct nftnl_expr_osf),
- .max_attr = NFTA_OSF_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1,
.set = nftnl_expr_osf_set,
.get = nftnl_expr_osf_get,
.parse = nftnl_expr_osf_parse,
diff --git a/src/expr/payload.c b/src/expr/payload.c
index c633e33bedd3e..f603662ac8da7 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -241,7 +241,7 @@ nftnl_expr_payload_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_payload = {
.name = "payload",
.alloc_len = sizeof(struct nftnl_expr_payload),
- .max_attr = NFTA_PAYLOAD_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1,
.set = nftnl_expr_payload_set,
.get = nftnl_expr_payload_get,
.parse = nftnl_expr_payload_parse,
diff --git a/src/expr/queue.c b/src/expr/queue.c
index de287f245d9a9..fba65d1003b31 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -188,7 +188,7 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_queue = {
.name = "queue",
.alloc_len = sizeof(struct nftnl_expr_queue),
- .max_attr = NFTA_QUEUE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1,
.set = nftnl_expr_queue_set,
.get = nftnl_expr_queue_get,
.parse = nftnl_expr_queue_parse,
diff --git a/src/expr/quota.c b/src/expr/quota.c
index 835729ceac17b..d3923f3197900 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -142,7 +142,7 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_quota = {
.name = "quota",
.alloc_len = sizeof(struct nftnl_expr_quota),
- .max_attr = NFTA_QUOTA_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1,
.set = nftnl_expr_quota_set,
.get = nftnl_expr_quota_get,
.parse = nftnl_expr_quota_parse,
diff --git a/src/expr/range.c b/src/expr/range.c
index 5a30e48fde928..cb3708c8a003d 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -204,7 +204,7 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_range = {
.name = "range",
.alloc_len = sizeof(struct nftnl_expr_range),
- .max_attr = NFTA_RANGE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1,
.set = nftnl_expr_range_set,
.get = nftnl_expr_range_get,
.parse = nftnl_expr_range_parse,
diff --git a/src/expr/redir.c b/src/expr/redir.c
index 87c2accb923fa..eca8bfe1abd4c 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -162,7 +162,7 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_redir = {
.name = "redir",
.alloc_len = sizeof(struct nftnl_expr_redir),
- .max_attr = NFTA_REDIR_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1,
.set = nftnl_expr_redir_set,
.get = nftnl_expr_redir_get,
.parse = nftnl_expr_redir_parse,
diff --git a/src/expr/reject.c b/src/expr/reject.c
index c7c944124ca39..6b923adf5e569 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -129,7 +129,7 @@ nftnl_expr_reject_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_reject = {
.name = "reject",
.alloc_len = sizeof(struct nftnl_expr_reject),
- .max_attr = NFTA_REJECT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1,
.set = nftnl_expr_reject_set,
.get = nftnl_expr_reject_get,
.parse = nftnl_expr_reject_parse,
diff --git a/src/expr/rt.c b/src/expr/rt.c
index 695a6589b5c84..aaec43025011b 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -157,7 +157,7 @@ nftnl_expr_rt_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_rt = {
.name = "rt",
.alloc_len = sizeof(struct nftnl_expr_rt),
- .max_attr = NFTA_RT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1,
.set = nftnl_expr_rt_set,
.get = nftnl_expr_rt_get,
.parse = nftnl_expr_rt_parse,
diff --git a/src/expr/socket.c b/src/expr/socket.c
index 83045c075fb5b..ef299c456cdd1 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -160,7 +160,7 @@ nftnl_expr_socket_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_socket = {
.name = "socket",
.alloc_len = sizeof(struct nftnl_expr_socket),
- .max_attr = NFTA_SOCKET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1,
.set = nftnl_expr_socket_set,
.get = nftnl_expr_socket_get,
.parse = nftnl_expr_socket_parse,
diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
index 47fcaefb23b1b..dc25962c00d81 100644
--- a/src/expr/synproxy.c
+++ b/src/expr/synproxy.c
@@ -147,7 +147,7 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_synproxy = {
.name = "synproxy",
.alloc_len = sizeof(struct nftnl_expr_synproxy),
- .max_attr = NFTA_SYNPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1,
.set = nftnl_expr_synproxy_set,
.get = nftnl_expr_synproxy_get,
.parse = nftnl_expr_synproxy_parse,
diff --git a/src/expr/target.c b/src/expr/target.c
index 2a3fe8ae1020d..ebc48bafb06cc 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -183,7 +183,7 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e)
struct expr_ops expr_ops_target = {
.name = "target",
.alloc_len = sizeof(struct nftnl_expr_target),
- .max_attr = NFTA_TARGET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1,
.free = nftnl_expr_target_free,
.set = nftnl_expr_target_set,
.get = nftnl_expr_target_get,
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index bd5ffbf1d93ee..ac5419b1f3405 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -165,7 +165,7 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_tproxy = {
.name = "tproxy",
.alloc_len = sizeof(struct nftnl_expr_tproxy),
- .max_attr = NFTA_TPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1,
.set = nftnl_expr_tproxy_set,
.get = nftnl_expr_tproxy_get,
.parse = nftnl_expr_tproxy_parse,
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index a00f620fa471a..e381994707fe9 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -140,7 +140,7 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len,
struct expr_ops expr_ops_tunnel = {
.name = "tunnel",
.alloc_len = sizeof(struct nftnl_expr_tunnel),
- .max_attr = NFTA_TUNNEL_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1,
.set = nftnl_expr_tunnel_set,
.get = nftnl_expr_tunnel_get,
.parse = nftnl_expr_tunnel_parse,
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index 2db00d50a158a..3f4cb0a91762e 100644
--- a/src/expr/xfrm.c
+++ b/src/expr/xfrm.c
@@ -191,7 +191,7 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain,
struct expr_ops expr_ops_xfrm = {
.name = "xfrm",
.alloc_len = sizeof(struct nftnl_expr_xfrm),
- .max_attr = NFTA_XFRM_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1,
.set = nftnl_expr_xfrm_set,
.get = nftnl_expr_xfrm_get,
.parse = nftnl_expr_xfrm_parse,
--
2.43.0
* [libnftnl PATCH 3/6] expr: Call expr_ops::set with legal types only
From: Phil Sutter @ 2023-12-15 21:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Having the new expr_ops::nftnl_max_attr field in place, the valid range
of attribute type values is known now. Reject illegal ones upfront.
Consequently drop the default case from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/expr.c | 3 +++
src/expr/bitwise.c | 2 --
src/expr/byteorder.c | 2 --
src/expr/cmp.c | 2 --
src/expr/connlimit.c | 2 --
src/expr/counter.c | 2 --
src/expr/ct.c | 2 --
src/expr/dup.c | 2 --
src/expr/exthdr.c | 2 --
src/expr/fib.c | 2 --
src/expr/flow_offload.c | 2 --
src/expr/fwd.c | 2 --
src/expr/immediate.c | 2 --
src/expr/inner.c | 2 --
src/expr/last.c | 2 --
src/expr/limit.c | 2 --
src/expr/log.c | 2 --
src/expr/lookup.c | 2 --
src/expr/masq.c | 2 --
src/expr/match.c | 2 --
src/expr/meta.c | 2 --
src/expr/nat.c | 2 --
src/expr/objref.c | 2 --
src/expr/payload.c | 2 --
src/expr/queue.c | 2 --
src/expr/quota.c | 2 --
src/expr/range.c | 2 --
src/expr/redir.c | 2 --
src/expr/reject.c | 2 --
src/expr/rt.c | 2 --
src/expr/socket.c | 2 --
src/expr/target.c | 2 --
src/expr/tproxy.c | 2 --
src/expr/tunnel.c | 2 --
34 files changed, 3 insertions(+), 66 deletions(-)
diff --git a/src/expr.c b/src/expr.c
index b4581f1a79ff6..74d211bcaa123 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -71,6 +71,9 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type,
case NFTNL_EXPR_NAME: /* cannot be modified */
return 0;
default:
+ if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)
+ return -1;
+
if (expr->ops->set(expr, type, data, data_len) < 0)
return -1;
}
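Review bot: The added check `if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)` only bounds `type`; it does not ensure that every value inside the bound has a `case` in the callback, so once the per-expression `default: return -1;` arms are removed (bitwise.c through inner.c in this patch), an in-range value without a case falls out of the callback's switch to the trailing `return 0;` and nftnl_expr_set reports success without storing anything. That is a silent-success regression compared with the old `-1`, and it will recur whenever an enumerator is appended without a matching case; `-Wswitch` cannot flag it because `type` is `uint16_t`, not the enum. Consider a comment stating the contract, e.g. `/* callbacks depend on this bound: every value in NFTNL_EXPR_BASE..nftnl_max_attr must have a case */`, plus a test calling nftnl_expr_set with `nftnl_max_attr + 1` and expecting -1. If the callbacks are reached from any path other than this function, that path now has no validation at all. nftnl_expr_set starts and ends outside the hunk.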
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 69efe1d7e868f..e219d49a5f440 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -56,8 +56,6 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
return nftnl_data_cpy(&bitwise->xor, data, data_len);
case NFTNL_EXPR_BITWISE_DATA:
return nftnl_data_cpy(&bitwise->data, data, data_len);
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index f05ae59b688eb..8c7661fcc45ce 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -51,8 +51,6 @@ nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_BYTEORDER_SIZE:
memcpy(&byteorder->size, data, sizeof(byteorder->size));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 40431fad56f3e..fe6f5997a0f3a 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -43,8 +43,6 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
break;
case NFTNL_EXPR_CMP_DATA:
return nftnl_data_cpy(&cmp->data, data, data_len);
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 3b6c36c490636..90613f2241ded 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -38,8 +38,6 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_CONNLIMIT_FLAGS:
memcpy(&connlimit->flags, data, sizeof(connlimit->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/counter.c b/src/expr/counter.c
index 0595d505eb2fc..a003e24c6a68d 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -40,8 +40,6 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_CTR_PACKETS:
memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/ct.c b/src/expr/ct.c
index 36b61fdeaaf26..197454e547784 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -50,8 +50,6 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_CT_SREG:
memcpy(&ct->sreg, data, sizeof(ct->sreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/dup.c b/src/expr/dup.c
index 33731cc29b165..20100abf8b3c3 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -37,8 +37,6 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_DUP_SREG_DEV:
memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index a1227a6cb4509..77ff7dba37d83 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -66,8 +66,6 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_EXTHDR_SREG:
memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 36637bd74f056..5d2303f9ebe83 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -43,8 +43,6 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result,
case NFTNL_EXPR_FIB_FLAGS:
memcpy(&fib->flags, data, sizeof(fib->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index f60471240cc40..9ab068d29adaa 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -25,8 +25,6 @@ static int nftnl_expr_flow_set(struct nftnl_expr *e, uint16_t type,
if (!flow->table_name)
return -1;
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index 3aaf328313cd9..bd1b1d81eb2ad 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -41,8 +41,6 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_FWD_NFPROTO:
memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index d60ca32400f18..6ab84171b159d 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -51,8 +51,6 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_IMM_CHAIN_ID:
memcpy(&imm->data.chain_id, data, sizeof(uint32_t));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/inner.c b/src/expr/inner.c
index cb6f607138ce3..515f68d7b9d72 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -59,8 +59,6 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type,
inner->expr = (void *)data;
break;
- default:
- return -1;
}
return 0;
}
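Review bot: `inner->expr = (void *)data;` in the NFTNL_EXPR_INNER_EXPR arm discards the `const` qualifier of the `data` parameter and stores the caller's pointer rather than a copy, which makes this arm an ownership transfer unlike the memcpy arms in the sibling set() functions; with the `default:` arm gone, nothing in the switch hints at that. A one-line comment would help, e.g. `/* takes ownership of the nftnl_expr passed by the caller; presumably released by the inner free op */`, hedged because the free path is not in this hunk. Note also that a length-based attribute policy cannot validate a pointer-valued attribute, so this arm relies entirely on the caller passing a valid expression. The enclosing function starts outside the hunk.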
diff --git a/src/expr/last.c b/src/expr/last.c
index 273aaa1e14a85..8aa772c615345 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -37,8 +37,6 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LAST_SET:
memcpy(&last->set, data, sizeof(last->set));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/limit.c b/src/expr/limit.c
index a1f9eac390d91..355d46acca4e5 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -52,8 +52,6 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LIMIT_FLAGS:
memcpy(&limit->flags, data, sizeof(limit->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/log.c b/src/expr/log.c
index 6df030d83fcd2..868da61d95795 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -60,8 +60,6 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LOG_FLAGS:
memcpy(&log->flags, data, sizeof(log->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index 8b230818c1bed..ca58a38855734 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -53,8 +53,6 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_LOOKUP_FLAGS:
memcpy(&lookup->flags, data, sizeof(lookup->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/masq.c b/src/expr/masq.c
index a103cc33e23f7..fa2f4afe2c600 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -42,8 +42,6 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/match.c b/src/expr/match.c
index eed85db4d40d1..16e73673df325 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -55,8 +55,6 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type,
mt->data = data;
mt->data_len = data_len;
break;
- default:
- return -1;
}
return 0;
}
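Review bot: In the NFTNL_EXPR_MT_INFO arm, `mt->data = data;` keeps the caller's buffer instead of copying `data_len` bytes, so the caller must not free or reuse it afterwards; target.c in this same patch has the identical pattern. Nothing in the visible lines states that ownership passes to the expression, so I would add `/* stores the caller's buffer; ownership passes to the expression (see the free op) */` above the assignment, hedged until the free path confirms it. The enclosing function starts outside the hunk.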
diff --git a/src/expr/meta.c b/src/expr/meta.c
index f86fdffd3f14e..1db2c19e21342 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -47,8 +47,6 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_META_SREG:
memcpy(&meta->sreg, data, sizeof(meta->sreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 1d10bc1c5442d..724894a2097d4 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -62,8 +62,6 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_NAT_FLAGS:
memcpy(&nat->flags, data, sizeof(nat->flags));
break;
- default:
- return -1;
}
return 0;
diff --git a/src/expr/objref.c b/src/expr/objref.c
index e96bd6977e93a..28cd2cc025b40 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -57,8 +57,6 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_OBJREF_SET_ID:
memcpy(&objref->set.id, data, sizeof(objref->set.id));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/payload.c b/src/expr/payload.c
index f603662ac8da7..73cb188736839 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -66,8 +66,6 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_PAYLOAD_FLAGS:
memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/queue.c b/src/expr/queue.c
index fba65d1003b31..3343dd47665e4 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -45,8 +45,6 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_QUEUE_SREG_QNUM:
memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/quota.c b/src/expr/quota.c
index d3923f3197900..2a3a05a82d6a2 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -41,8 +41,6 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_QUOTA_FLAGS:
memcpy("a->flags, data, sizeof(quota->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/range.c b/src/expr/range.c
index cb3708c8a003d..d0c52b9a71938 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -43,8 +43,6 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
return nftnl_data_cpy(&range->data_from, data, data_len);
case NFTNL_EXPR_RANGE_TO_DATA:
return nftnl_data_cpy(&range->data_to, data, data_len);
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/redir.c b/src/expr/redir.c
index eca8bfe1abd4c..a5a5e7d5677f9 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -42,8 +42,6 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_REDIR_FLAGS:
memcpy(&redir->flags, data, sizeof(redir->flags));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/reject.c b/src/expr/reject.c
index 6b923adf5e569..8a0653d0f674c 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -38,8 +38,6 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_REJECT_CODE:
memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/rt.c b/src/expr/rt.c
index aaec43025011b..de2bd2f1f90a5 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -37,8 +37,6 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_RT_DREG:
memcpy(&rt->dreg, data, sizeof(rt->dreg));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/socket.c b/src/expr/socket.c
index ef299c456cdd1..9b6c3ea3ebb50 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -41,8 +41,6 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_SOCKET_LEVEL:
memcpy(&socket->level, data, sizeof(socket->level));
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/target.c b/src/expr/target.c
index ebc48bafb06cc..cc0566c1d4b8f 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -55,8 +55,6 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type,
tg->data = data;
tg->data_len = data_len;
break;
- default:
- return -1;
}
return 0;
}
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index ac5419b1f3405..c6ed888161918 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -42,8 +42,6 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_TPROXY_REG_PORT:
memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port));
break;
- default:
- return -1;
}
return 0;
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index e381994707fe9..e59744b070f50 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -36,8 +36,6 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_TUNNEL_DREG:
memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg));
break;
- default:
- return -1;
}
return 0;
}
--
2.43.0
* [libnftnl PATCH 4/6] include: Sync nf_log.h with kernel headers
From: Phil Sutter @ 2023-12-15 21:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
The next patch needs the NF_LOG_PREFIXLEN define.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/linux/netfilter/nf_log.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
index 8be21e02387db..2ae00932d3d25 100644
--- a/include/linux/netfilter/nf_log.h
+++ b/include/linux/netfilter/nf_log.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _NETFILTER_NF_LOG_H
#define _NETFILTER_NF_LOG_H
@@ -9,4 +10,6 @@
#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
#define NF_LOG_MASK 0x2f
+#define NF_LOG_PREFIXLEN 128
+
#endif /* _NETFILTER_NF_LOG_H */
--
2.43.0
* [libnftnl PATCH 5/6] expr: Introduce struct expr_ops::attr_policy
From: Phil Sutter @ 2023-12-15 21:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this also introduces restrictions on name lengths in libnftnl itself; previously, over-long names were only caught by the kernel (if nftables did not reject them first).
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/expr_ops.h | 5 +++++
src/expr/bitwise.c | 11 +++++++++++
src/expr/byteorder.c | 9 +++++++++
src/expr/cmp.c | 7 +++++++
src/expr/connlimit.c | 6 ++++++
src/expr/counter.c | 6 ++++++
src/expr/ct.c | 8 ++++++++
src/expr/dup.c | 6 ++++++
src/expr/dynset.c | 13 +++++++++++++
src/expr/exthdr.c | 11 +++++++++++
src/expr/fib.c | 7 +++++++
src/expr/flow_offload.c | 5 +++++
src/expr/fwd.c | 7 +++++++
src/expr/hash.c | 11 +++++++++++
src/expr/immediate.c | 9 +++++++++
src/expr/inner.c | 8 ++++++++
src/expr/last.c | 6 ++++++
src/expr/limit.c | 9 +++++++++
src/expr/log.c | 10 ++++++++++
src/expr/lookup.c | 9 +++++++++
src/expr/masq.c | 7 +++++++
src/expr/match.c | 7 +++++++
src/expr/meta.c | 7 +++++++
src/expr/nat.c | 11 +++++++++++
src/expr/numgen.c | 8 ++++++++
src/expr/objref.c | 9 +++++++++
src/expr/osf.c | 7 +++++++
src/expr/payload.c | 12 ++++++++++++
src/expr/queue.c | 8 ++++++++
src/expr/quota.c | 7 +++++++
src/expr/range.c | 8 ++++++++
src/expr/redir.c | 7 +++++++
src/expr/reject.c | 6 ++++++
src/expr/rt.c | 6 ++++++
src/expr/socket.c | 7 +++++++
src/expr/synproxy.c | 7 +++++++
src/expr/target.c | 7 +++++++
src/expr/tproxy.c | 7 +++++++
src/expr/tunnel.c | 6 ++++++
src/expr/xfrm.c | 9 +++++++++
40 files changed, 316 insertions(+)
diff --git a/include/expr_ops.h b/include/expr_ops.h
index 51b221483552c..6cfb3b5832083 100644
--- a/include/expr_ops.h
+++ b/include/expr_ops.h
@@ -8,10 +8,15 @@ struct nlattr;
struct nlmsghdr;
struct nftnl_expr;
+struct attr_policy {
+ uint32_t maxlen;
+};
+
struct expr_ops {
const char *name;
uint32_t alloc_len;
int nftnl_max_attr;
+ struct attr_policy *attr_policy;
void (*init)(const struct nftnl_expr *e);
void (*free)(const struct nftnl_expr *e);
int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len);
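Review bot: `struct attr_policy` gives `maxlen` no documentation, yet the tables added later in this patch use `.maxlen = 0` for pointer-valued attributes (dynset EXPR/EXPRESSIONS, inner EXPR, match INFO), so whether 0 means "no length check" or "reject any data" is left entirely to the enforcement code in a later patch. I would spell it out in the header: `uint32_t maxlen; /* max data_len accepted by nftnl_expr_set(); 0 = length not checked (pointer/opaque attrs) */`. Since the policy tables are never written to, `const struct attr_policy *attr_policy;` would also allow the per-expression arrays to be declared `static const`.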
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index e219d49a5f440..dab1690707ec6 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -266,10 +266,21 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
return err;
}
+static struct attr_policy bitwise_attr_policy[__NFTNL_EXPR_BITWISE_MAX] = {
+ [NFTNL_EXPR_BITWISE_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_MASK] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_BITWISE_XOR] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_BITWISE_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+};
+
struct expr_ops expr_ops_bitwise = {
.name = "bitwise",
.alloc_len = sizeof(struct nftnl_expr_bitwise),
.nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1,
+ .attr_policy = bitwise_attr_policy,
.set = nftnl_expr_bitwise_set,
.get = nftnl_expr_bitwise_get,
.parse = nftnl_expr_bitwise_parse,
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index 8c7661fcc45ce..d4e85a8dacfc0 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -210,10 +210,19 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy byteorder_attr_policy[__NFTNL_EXPR_BYTEORDER_MAX] = {
+ [NFTNL_EXPR_BYTEORDER_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_SIZE] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_byteorder = {
.name = "byteorder",
.alloc_len = sizeof(struct nftnl_expr_byteorder),
.nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1,
+ .attr_policy = byteorder_attr_policy,
.set = nftnl_expr_byteorder_set,
.get = nftnl_expr_byteorder_get,
.parse = nftnl_expr_byteorder_parse,
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index fe6f5997a0f3a..2937d7e63a18e 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -190,10 +190,17 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy cmp_attr_policy[__NFTNL_EXPR_CMP_MAX] = {
+ [NFTNL_EXPR_CMP_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CMP_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CMP_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }
+};
+
struct expr_ops expr_ops_cmp = {
.name = "cmp",
.alloc_len = sizeof(struct nftnl_expr_cmp),
.nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1,
+ .attr_policy = cmp_attr_policy,
.set = nftnl_expr_cmp_set,
.get = nftnl_expr_cmp_get,
.parse = nftnl_expr_cmp_parse,
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 90613f2241ded..1c78c7113f0e9 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -125,10 +125,16 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len,
connlimit->count, connlimit->flags);
}
+static struct attr_policy connlimit_attr_policy[__NFTNL_EXPR_CONNLIMIT_MAX] = {
+ [NFTNL_EXPR_CONNLIMIT_COUNT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CONNLIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_connlimit = {
.name = "connlimit",
.alloc_len = sizeof(struct nftnl_expr_connlimit),
.nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1,
+ .attr_policy = connlimit_attr_policy,
.set = nftnl_expr_connlimit_set,
.get = nftnl_expr_connlimit_get,
.parse = nftnl_expr_connlimit_parse,
diff --git a/src/expr/counter.c b/src/expr/counter.c
index a003e24c6a68d..2c6f2a7a820ac 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -123,10 +123,16 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len,
ctr->pkts, ctr->bytes);
}
+static struct attr_policy counter_attr_policy[__NFTNL_EXPR_CTR_MAX] = {
+ [NFTNL_EXPR_CTR_PACKETS] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_CTR_BYTES] = { .maxlen = sizeof(uint64_t) },
+};
+
struct expr_ops expr_ops_counter = {
.name = "counter",
.alloc_len = sizeof(struct nftnl_expr_counter),
.nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1,
+ .attr_policy = counter_attr_policy,
.set = nftnl_expr_counter_set,
.get = nftnl_expr_counter_get,
.parse = nftnl_expr_counter_parse,
diff --git a/src/expr/ct.c b/src/expr/ct.c
index 197454e547784..f7dd40d54799a 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -248,10 +248,18 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy ct_attr_policy[__NFTNL_EXPR_CT_MAX] = {
+ [NFTNL_EXPR_CT_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CT_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CT_DIR] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_CT_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_ct = {
.name = "ct",
.alloc_len = sizeof(struct nftnl_expr_ct),
.nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1,
+ .attr_policy = ct_attr_policy,
.set = nftnl_expr_ct_set,
.get = nftnl_expr_ct_get,
.parse = nftnl_expr_ct_parse,
diff --git a/src/expr/dup.c b/src/expr/dup.c
index 20100abf8b3c3..6a5e4cae93b1c 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -128,10 +128,16 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy dup_attr_policy[__NFTNL_EXPR_DUP_MAX] = {
+ [NFTNL_EXPR_DUP_SREG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DUP_SREG_DEV] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_dup = {
.name = "dup",
.alloc_len = sizeof(struct nftnl_expr_dup),
.nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1,
+ .attr_policy = dup_attr_policy,
.set = nftnl_expr_dup_set,
.get = nftnl_expr_dup_get,
.parse = nftnl_expr_dup_parse,
diff --git a/src/expr/dynset.c b/src/expr/dynset.c
index ee6ce1ec71563..c1f79b5741cd4 100644
--- a/src/expr/dynset.c
+++ b/src/expr/dynset.c
@@ -363,10 +363,23 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e)
nftnl_expr_free(expr);
}
+static struct attr_policy dynset_attr_policy[__NFTNL_EXPR_DYNSET_MAX] = {
+ [NFTNL_EXPR_DYNSET_SREG_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_SREG_DATA] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_TIMEOUT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_DYNSET_SET_NAME] = { .maxlen = NFT_SET_MAXNAMELEN },
+ [NFTNL_EXPR_DYNSET_SET_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_EXPR] = { .maxlen = 0 },
+ [NFTNL_EXPR_DYNSET_EXPRESSIONS] = { .maxlen = 0 },
+ [NFTNL_EXPR_DYNSET_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_dynset = {
.name = "dynset",
.alloc_len = sizeof(struct nftnl_expr_dynset),
.nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1,
+ .attr_policy = dynset_attr_policy,
.init = nftnl_expr_dynset_init,
.free = nftnl_expr_dynset_free,
.set = nftnl_expr_dynset_set,
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index 77ff7dba37d83..93b75216031b6 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -257,10 +257,21 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len,
}
+static struct attr_policy exthdr_attr_policy[__NFTNL_EXPR_EXTHDR_MAX] = {
+ [NFTNL_EXPR_EXTHDR_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_TYPE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_EXTHDR_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_exthdr = {
.name = "exthdr",
.alloc_len = sizeof(struct nftnl_expr_exthdr),
.nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1,
+ .attr_policy = exthdr_attr_policy,
.set = nftnl_expr_exthdr_set,
.get = nftnl_expr_exthdr_get,
.parse = nftnl_expr_exthdr_parse,
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 5d2303f9ebe83..5f7bef43be89a 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -188,10 +188,17 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy fib_attr_policy[__NFTNL_EXPR_FIB_MAX] = {
+ [NFTNL_EXPR_FIB_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FIB_RESULT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FIB_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_fib = {
.name = "fib",
.alloc_len = sizeof(struct nftnl_expr_fib),
.nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1,
+ .attr_policy = fib_attr_policy,
.set = nftnl_expr_fib_set,
.get = nftnl_expr_fib_get,
.parse = nftnl_expr_fib_parse,
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index 9ab068d29adaa..5f209a63fa960 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -109,10 +109,15 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e)
xfree(flow->table_name);
}
+static struct attr_policy flow_offload_attr_policy[__NFTNL_EXPR_FLOW_MAX] = {
+ [NFTNL_EXPR_FLOW_TABLE_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+};
+
struct expr_ops expr_ops_flow = {
.name = "flow_offload",
.alloc_len = sizeof(struct nftnl_expr_flow),
.nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1,
+ .attr_policy = flow_offload_attr_policy,
.free = nftnl_expr_flow_free,
.set = nftnl_expr_flow_set,
.get = nftnl_expr_flow_get,
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index bd1b1d81eb2ad..566d6f495f1e3 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -148,10 +148,17 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy fwd_attr_policy[__NFTNL_EXPR_FWD_MAX] = {
+ [NFTNL_EXPR_FWD_SREG_DEV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FWD_SREG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FWD_NFPROTO] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_fwd = {
.name = "fwd",
.alloc_len = sizeof(struct nftnl_expr_fwd),
.nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1,
+ .attr_policy = fwd_attr_policy,
.set = nftnl_expr_fwd_set,
.get = nftnl_expr_fwd_get,
.parse = nftnl_expr_fwd_parse,
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 1fc72ec331a3d..4cd9006c9b29b 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -218,10 +218,21 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy hash_attr_policy[__NFTNL_EXPR_HASH_MAX] = {
+ [NFTNL_EXPR_HASH_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_MODULUS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_SEED] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_TYPE] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_hash = {
.name = "hash",
.alloc_len = sizeof(struct nftnl_expr_hash),
.nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1,
+ .attr_policy = hash_attr_policy,
.set = nftnl_expr_hash_set,
.get = nftnl_expr_hash_get,
.parse = nftnl_expr_hash_parse,
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index 6ab84171b159d..8645ab3e7827e 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -216,10 +216,19 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e)
nftnl_free_verdict(&imm->data);
}
+static struct attr_policy immediate_attr_policy[__NFTNL_EXPR_IMM_MAX] = {
+ [NFTNL_EXPR_IMM_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_IMM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_IMM_VERDICT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN },
+ [NFTNL_EXPR_IMM_CHAIN_ID] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_immediate = {
.name = "immediate",
.alloc_len = sizeof(struct nftnl_expr_immediate),
.nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1,
+ .attr_policy = immediate_attr_policy,
.free = nftnl_expr_immediate_free,
.set = nftnl_expr_immediate_set,
.get = nftnl_expr_immediate_get,
diff --git a/src/expr/inner.c b/src/expr/inner.c
index 515f68d7b9d72..45ef4fb6208d8 100644
--- a/src/expr/inner.c
+++ b/src/expr/inner.c
@@ -199,10 +199,18 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags,
return offset;
}
+static struct attr_policy inner_attr_policy[__NFTNL_EXPR_INNER_MAX] = {
+ [NFTNL_EXPR_INNER_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_HDRSIZE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_EXPR] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_inner = {
.name = "inner",
.alloc_len = sizeof(struct nftnl_expr_inner),
.nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1,
+ .attr_policy = inner_attr_policy,
.free = nftnl_expr_inner_free,
.set = nftnl_expr_inner_set,
.get = nftnl_expr_inner_get,
diff --git a/src/expr/last.c b/src/expr/last.c
index 8aa772c615345..074f463811459 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -124,10 +124,16 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len,
return snprintf(buf, len, "%"PRIu64" ", last->msecs);
}
+static struct attr_policy last_attr_policy[__NFTNL_EXPR_LAST_MAX] = {
+ [NFTNL_EXPR_LAST_MSECS] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LAST_SET] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_last = {
.name = "last",
.alloc_len = sizeof(struct nftnl_expr_last),
.nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1,
+ .attr_policy = last_attr_policy,
.set = nftnl_expr_last_set,
.get = nftnl_expr_last_get,
.parse = nftnl_expr_last_parse,
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 355d46acca4e5..935d449d046df 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -192,10 +192,19 @@ nftnl_expr_limit_snprintf(char *buf, size_t len,
limit_to_type(limit->type), limit->flags);
}
+static struct attr_policy limit_attr_policy[__NFTNL_EXPR_LIMIT_MAX] = {
+ [NFTNL_EXPR_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_limit = {
.name = "limit",
.alloc_len = sizeof(struct nftnl_expr_limit),
.nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1,
+ .attr_policy = limit_attr_policy,
.set = nftnl_expr_limit_set,
.get = nftnl_expr_limit_get,
.parse = nftnl_expr_limit_parse,
diff --git a/src/expr/log.c b/src/expr/log.c
index 868da61d95795..d6d6910ca9201 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -242,10 +242,20 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e)
xfree(log->prefix);
}
+static struct attr_policy log_attr_policy[__NFTNL_EXPR_LOG_MAX] = {
+ [NFTNL_EXPR_LOG_PREFIX] = { .maxlen = NF_LOG_PREFIXLEN },
+ [NFTNL_EXPR_LOG_GROUP] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_LOG_SNAPLEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOG_QTHRESHOLD] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_LOG_LEVEL] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOG_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_log = {
.name = "log",
.alloc_len = sizeof(struct nftnl_expr_log),
.nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1,
+ .attr_policy = log_attr_policy,
.free = nftnl_expr_log_free,
.set = nftnl_expr_log_set,
.get = nftnl_expr_log_get,
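Review bot: `[NFTNL_EXPR_LOG_PREFIX] = { .maxlen = NF_LOG_PREFIXLEN }` uses a buffer size (128, per the header sync in this series) as the bound on `data_len`, so whether a 128-character prefix is accepted depends on whether the string setter passes `strlen()` or `strlen() + 1`, which is not visible here; the kernel, as far as I recall, declares NFTA_LOG_PREFIX as an NLA_STRING with `.len = NF_LOG_PREFIXLEN - 1`. A comment pinning the intended unit would prevent a mismatch with the kernel, e.g. `/* data_len includes the terminating NUL, so this admits NF_LOG_PREFIXLEN - 1 characters like the kernel policy */`, provided that is indeed how nftnl_expr_set_str() computes data_len.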
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index ca58a38855734..be045286eb13e 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -195,10 +195,19 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e)
xfree(lookup->set_name);
}
+static struct attr_policy lookup_attr_policy[__NFTNL_EXPR_LOOKUP_MAX] = {
+ [NFTNL_EXPR_LOOKUP_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_SET] = { .maxlen = NFT_SET_MAXNAMELEN },
+ [NFTNL_EXPR_LOOKUP_SET_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_lookup = {
.name = "lookup",
.alloc_len = sizeof(struct nftnl_expr_lookup),
.nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1,
+ .attr_policy = lookup_attr_policy,
.free = nftnl_expr_lookup_free,
.set = nftnl_expr_lookup_set,
.get = nftnl_expr_lookup_get,
diff --git a/src/expr/masq.c b/src/expr/masq.c
index fa2f4afe2c600..4be5a9c18ed11 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -153,10 +153,17 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy masq_attr_policy[__NFTNL_EXPR_MASQ_MAX] = {
+ [NFTNL_EXPR_MASQ_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MASQ_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MASQ_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_masq = {
.name = "masq",
.alloc_len = sizeof(struct nftnl_expr_masq),
.nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1,
+ .attr_policy = masq_attr_policy,
.set = nftnl_expr_masq_set,
.get = nftnl_expr_masq_get,
.parse = nftnl_expr_masq_parse,
diff --git a/src/expr/match.c b/src/expr/match.c
index 16e73673df325..68288dc4349e9 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -178,10 +178,17 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e)
xfree(match->data);
}
+static struct attr_policy match_attr_policy[__NFTNL_EXPR_MT_MAX] = {
+ [NFTNL_EXPR_MT_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN },
+ [NFTNL_EXPR_MT_REV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MT_INFO] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_match = {
.name = "match",
.alloc_len = sizeof(struct nftnl_expr_match),
.nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1,
+ .attr_policy = match_attr_policy,
.free = nftnl_expr_match_free,
.set = nftnl_expr_match_set,
.get = nftnl_expr_match_get,
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 1db2c19e21342..cd49c341a3d6f 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -207,10 +207,17 @@ nftnl_expr_meta_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy meta_attr_policy[__NFTNL_EXPR_META_MAX] = {
+ [NFTNL_EXPR_META_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_META_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_META_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_meta = {
.name = "meta",
.alloc_len = sizeof(struct nftnl_expr_meta),
.nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1,
+ .attr_policy = meta_attr_policy,
.set = nftnl_expr_meta_set,
.get = nftnl_expr_meta_get,
.parse = nftnl_expr_meta_parse,
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 724894a2097d4..f3f8644ffdd52 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -264,10 +264,21 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy nat_attr_policy[__NFTNL_EXPR_NAT_MAX] = {
+ [NFTNL_EXPR_NAT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_FAMILY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_ADDR_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_ADDR_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_nat = {
.name = "nat",
.alloc_len = sizeof(struct nftnl_expr_nat),
.nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1,
+ .attr_policy = nat_attr_policy,
.set = nftnl_expr_nat_set,
.get = nftnl_expr_nat_get,
.parse = nftnl_expr_nat_parse,
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index 3e83e05f2e3e0..c5e8772d22957 100644
--- a/src/expr/numgen.c
+++ b/src/expr/numgen.c
@@ -172,10 +172,18 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy numgen_attr_policy[__NFTNL_EXPR_NG_MAX] = {
+ [NFTNL_EXPR_NG_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_MODULUS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_OFFSET] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_ng = {
.name = "numgen",
.alloc_len = sizeof(struct nftnl_expr_ng),
.nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1,
+ .attr_policy = numgen_attr_policy,
.set = nftnl_expr_ng_set,
.get = nftnl_expr_ng_get,
.parse = nftnl_expr_ng_parse,
diff --git a/src/expr/objref.c b/src/expr/objref.c
index 28cd2cc025b40..59e1dddcb5f6d 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -194,10 +194,19 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e)
xfree(objref->set.name);
}
+static struct attr_policy objref_attr_policy[__NFTNL_EXPR_OBJREF_MAX] = {
+ [NFTNL_EXPR_OBJREF_IMM_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OBJREF_IMM_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+ [NFTNL_EXPR_OBJREF_SET_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OBJREF_SET_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+ [NFTNL_EXPR_OBJREF_SET_ID] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_objref = {
.name = "objref",
.alloc_len = sizeof(struct nftnl_expr_objref),
.nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1,
+ .attr_policy = objref_attr_policy,
.free = nftnl_expr_objref_free,
.set = nftnl_expr_objref_set,
.get = nftnl_expr_objref_get,
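Review bot: The two name entries use `NFT_NAME_MAXLEN` as maxlen, but the table does not say whether that bound counts the terminating NUL; if nftnl_expr_set_str() passes `strlen(str) + 1` as data_len (its body is not visible here), a 255-character name passes and a 256-character one is rejected, which is presumably the intended bound but is easy to get off by one when further tables are written against it. A short comment on the first string entry, `/* maxlen includes the NUL terminator passed by nftnl_expr_set_str() */`, would pin the convention down. The same question applies to the XT_EXTENSION_MAXNAMELEN entries in match.c and target.c.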
diff --git a/src/expr/osf.c b/src/expr/osf.c
index 3838af72debeb..1e4ceb02e3a04 100644
--- a/src/expr/osf.c
+++ b/src/expr/osf.c
@@ -139,10 +139,17 @@ nftnl_expr_osf_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy osf_attr_policy[__NFTNL_EXPR_OSF_MAX] = {
+ [NFTNL_EXPR_OSF_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OSF_TTL] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_OSF_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_osf = {
.name = "osf",
.alloc_len = sizeof(struct nftnl_expr_osf),
.nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1,
+ .attr_policy = osf_attr_policy,
.set = nftnl_expr_osf_set,
.get = nftnl_expr_osf_get,
.parse = nftnl_expr_osf_parse,
diff --git a/src/expr/payload.c b/src/expr/payload.c
index 73cb188736839..76d38f7ede112 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -236,10 +236,22 @@ nftnl_expr_payload_snprintf(char *buf, size_t len,
payload->offset, payload->dreg);
}
+static struct attr_policy payload_attr_policy[__NFTNL_EXPR_PAYLOAD_MAX] = {
+ [NFTNL_EXPR_PAYLOAD_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_BASE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_CSUM_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_CSUM_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_payload = {
.name = "payload",
.alloc_len = sizeof(struct nftnl_expr_payload),
.nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1,
+ .attr_policy = payload_attr_policy,
.set = nftnl_expr_payload_set,
.get = nftnl_expr_payload_get,
.parse = nftnl_expr_payload_parse,
diff --git a/src/expr/queue.c b/src/expr/queue.c
index 3343dd47665e4..54792ef009474 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -183,10 +183,18 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy queue_attr_policy[__NFTNL_EXPR_QUEUE_MAX] = {
+ [NFTNL_EXPR_QUEUE_NUM] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_TOTAL] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_FLAGS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_SREG_QNUM] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_queue = {
.name = "queue",
.alloc_len = sizeof(struct nftnl_expr_queue),
.nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1,
+ .attr_policy = queue_attr_policy,
.set = nftnl_expr_queue_set,
.get = nftnl_expr_queue_get,
.parse = nftnl_expr_queue_parse,
diff --git a/src/expr/quota.c b/src/expr/quota.c
index 2a3a05a82d6a2..60631febcd220 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -137,10 +137,17 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len,
quota->bytes, quota->consumed, quota->flags);
}
+static struct attr_policy quota_attr_policy[__NFTNL_EXPR_QUOTA_MAX] = {
+ [NFTNL_EXPR_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) },
+};
+
struct expr_ops expr_ops_quota = {
.name = "quota",
.alloc_len = sizeof(struct nftnl_expr_quota),
.nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1,
+ .attr_policy = quota_attr_policy,
.set = nftnl_expr_quota_set,
.get = nftnl_expr_quota_get,
.parse = nftnl_expr_quota_parse,
diff --git a/src/expr/range.c b/src/expr/range.c
index d0c52b9a71938..6310b79d0a02b 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -199,10 +199,18 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy range_attr_policy[__NFTNL_EXPR_RANGE_MAX] = {
+ [NFTNL_EXPR_RANGE_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RANGE_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RANGE_FROM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_RANGE_TO_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+};
+
struct expr_ops expr_ops_range = {
.name = "range",
.alloc_len = sizeof(struct nftnl_expr_range),
.nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1,
+ .attr_policy = range_attr_policy,
.set = nftnl_expr_range_set,
.get = nftnl_expr_range_get,
.parse = nftnl_expr_range_parse,
diff --git a/src/expr/redir.c b/src/expr/redir.c
index a5a5e7d5677f9..69095bde094c1 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -157,10 +157,17 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy redir_attr_policy[__NFTNL_EXPR_REDIR_MAX] = {
+ [NFTNL_EXPR_REDIR_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REDIR_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REDIR_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_redir = {
.name = "redir",
.alloc_len = sizeof(struct nftnl_expr_redir),
.nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1,
+ .attr_policy = redir_attr_policy,
.set = nftnl_expr_redir_set,
.get = nftnl_expr_redir_get,
.parse = nftnl_expr_redir_parse,
diff --git a/src/expr/reject.c b/src/expr/reject.c
index 8a0653d0f674c..f97011a704663 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -124,10 +124,16 @@ nftnl_expr_reject_snprintf(char *buf, size_t len,
reject->type, reject->icmp_code);
}
+static struct attr_policy reject_attr_policy[__NFTNL_EXPR_REJECT_MAX] = {
+ [NFTNL_EXPR_REJECT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REJECT_CODE] = { .maxlen = sizeof(uint8_t) },
+};
+
struct expr_ops expr_ops_reject = {
.name = "reject",
.alloc_len = sizeof(struct nftnl_expr_reject),
.nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1,
+ .attr_policy = reject_attr_policy,
.set = nftnl_expr_reject_set,
.get = nftnl_expr_reject_get,
.parse = nftnl_expr_reject_parse,
diff --git a/src/expr/rt.c b/src/expr/rt.c
index de2bd2f1f90a5..0ab255609632f 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -152,10 +152,16 @@ nftnl_expr_rt_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy rt_attr_policy[__NFTNL_EXPR_RT_MAX] = {
+ [NFTNL_EXPR_RT_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RT_DREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_rt = {
.name = "rt",
.alloc_len = sizeof(struct nftnl_expr_rt),
.nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1,
+ .attr_policy = rt_attr_policy,
.set = nftnl_expr_rt_set,
.get = nftnl_expr_rt_get,
.parse = nftnl_expr_rt_parse,
diff --git a/src/expr/socket.c b/src/expr/socket.c
index 9b6c3ea3ebb50..d0d8e236c688a 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -155,10 +155,17 @@ nftnl_expr_socket_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy socket_attr_policy[__NFTNL_EXPR_SOCKET_MAX] = {
+ [NFTNL_EXPR_SOCKET_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_SOCKET_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_SOCKET_LEVEL] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_socket = {
.name = "socket",
.alloc_len = sizeof(struct nftnl_expr_socket),
.nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1,
+ .attr_policy = socket_attr_policy,
.set = nftnl_expr_socket_set,
.get = nftnl_expr_socket_get,
.parse = nftnl_expr_socket_parse,
diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
index dc25962c00d81..898d292f7116d 100644
--- a/src/expr/synproxy.c
+++ b/src/expr/synproxy.c
@@ -144,10 +144,17 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy synproxy_attr_policy[__NFTNL_EXPR_SYNPROXY_MAX] = {
+ [NFTNL_EXPR_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_synproxy = {
.name = "synproxy",
.alloc_len = sizeof(struct nftnl_expr_synproxy),
.nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1,
+ .attr_policy = synproxy_attr_policy,
.set = nftnl_expr_synproxy_set,
.get = nftnl_expr_synproxy_get,
.parse = nftnl_expr_synproxy_parse,
diff --git a/src/expr/target.c b/src/expr/target.c
index cc0566c1d4b8f..9bfd25bdd5654 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -178,10 +178,17 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e)
xfree(target->data);
}
+static struct attr_policy target_attr_policy[__NFTNL_EXPR_TG_MAX] = {
+ [NFTNL_EXPR_TG_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN },
+ [NFTNL_EXPR_TG_REV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TG_INFO] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_target = {
.name = "target",
.alloc_len = sizeof(struct nftnl_expr_target),
.nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1,
+ .attr_policy = target_attr_policy,
.free = nftnl_expr_target_free,
.set = nftnl_expr_target_set,
.get = nftnl_expr_target_get,
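Review bot: `[NFTNL_EXPR_TG_INFO] = { .maxlen = 0 }` disables the length check for the target's private data, mirroring match.c, yet nothing in target.c records that zero is an intentional "unbounded" marker rather than a missing value. I would write it as `[NFTNL_EXPR_TG_INFO] = { .maxlen = 0 }, /* xt target private data, variable length: unchecked */` so the two tables stay readable side by side.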
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index c6ed888161918..49483921df139 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -160,10 +160,17 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy tproxy_attr_policy[__NFTNL_EXPR_TPROXY_MAX] = {
+ [NFTNL_EXPR_TPROXY_FAMILY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TPROXY_REG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TPROXY_REG_PORT] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_tproxy = {
.name = "tproxy",
.alloc_len = sizeof(struct nftnl_expr_tproxy),
.nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1,
+ .attr_policy = tproxy_attr_policy,
.set = nftnl_expr_tproxy_set,
.get = nftnl_expr_tproxy_get,
.parse = nftnl_expr_tproxy_parse,
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index e59744b070f50..8089d0b585435 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -135,10 +135,16 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy tunnel_attr_policy[__NFTNL_EXPR_TUNNEL_MAX] = {
+ [NFTNL_EXPR_TUNNEL_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TUNNEL_DREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_tunnel = {
.name = "tunnel",
.alloc_len = sizeof(struct nftnl_expr_tunnel),
.nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1,
+ .attr_policy = tunnel_attr_policy,
.set = nftnl_expr_tunnel_set,
.get = nftnl_expr_tunnel_get,
.parse = nftnl_expr_tunnel_parse,
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index 3f4cb0a91762e..dc867a24f78b4 100644
--- a/src/expr/xfrm.c
+++ b/src/expr/xfrm.c
@@ -188,10 +188,19 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy xfrm_attr_policy[__NFTNL_EXPR_XFRM_MAX] = {
+ [NFTNL_EXPR_XFRM_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 },
+ [NFTNL_EXPR_XFRM_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_XFRM_DIR] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_XFRM_SPNUM] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_xfrm = {
.name = "xfrm",
.alloc_len = sizeof(struct nftnl_expr_xfrm),
.nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1,
+ .attr_policy = xfrm_attr_policy,
.set = nftnl_expr_xfrm_set,
.get = nftnl_expr_xfrm_get,
.parse = nftnl_expr_xfrm_parse,
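Review bot: `[NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 }` leaves this attribute entirely unchecked while every other xfrm entry has a fixed width; the 6/6 commit message says zero is used either for variable-length data or for deprecated attributes, but the table does not say which applies here, and from this hunk I cannot tell whether SREG is still handled by nftnl_expr_xfrm_set(). Whichever it is, record it next to the entry, e.g. `[NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 }, /* not settable, kept for enum completeness: unchecked */` (adjust the wording if the attribute is in fact accepted by set()).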
--
2.43.0
* [libnftnl PATCH 6/6] expr: Enforce attr_policy compliance in nftnl_expr_set()
From: Phil Sutter @ 2023-12-15 21:53 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.
Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO)
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero-maxlen
"nop" entry is also used for deprecated attributes, so that they are listed
explicitly rather than silently ignored.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/expr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/expr.c b/src/expr.c
index 74d211bcaa123..4e32189c6e8d0 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -74,6 +74,13 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type,
if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)
return -1;
+ if (!expr->ops->attr_policy)
+ return -1;
+
+ if (expr->ops->attr_policy[type].maxlen &&
+ expr->ops->attr_policy[type].maxlen < data_len)
+ return -1;
+
if (expr->ops->set(expr, type, data, data_len) < 0)
return -1;
}
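Review bot: The new check only rejects data that is longer than maxlen; a data_len shorter than the attribute's fixed width still passes, so a caller handing over, say, a one-byte buffer for a uint32_t register attribute reaches expr->ops->set(), which for scalar attributes presumably reads the full four bytes (the set callbacks are outside this hunk) — exactly the over-read the policy tables were introduced to prevent. Scalars want an exact length while strings and blobs legitimately arrive shorter, so a single upper bound cannot express both; a `minlen` (or an exact-length flag) in struct attr_policy, tested here next to maxlen, would close the gap. Failing that, a comment above the check such as `/* Upper bound only: scalar attributes rely on callers passing data_len == maxlen */` should record the limitation so it is not mistaken for full validation. nftnl_expr_set()'s body starts and ends outside the hunk.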
--
2.43.0
* Re: [libnftnl PATCH 0/6] Attribute policies for expressions
From: Phil Sutter @ 2024-03-06 14:43 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal
On Fri, Dec 15, 2023 at 10:53:44PM +0100, Phil Sutter wrote:
> This is the former RFC turned into a complete implementation including
> Florian's suggested improvements.
>
> Patch 1 is fallout, took me a while debugging the segfaulting test case
> until I noticed it wasn't my fault! :)
>
> Patch 2 is the same as in the RFC.
>
> Patch 3 separates the type value checking from patch 2 and drops
> expressions' default switch cases where all possible values are handled.
>
> Patch 4 is prep work for patch 5.
>
> Patch 5 adds the new struct expr_ops field and defines policies for all
> expressions.
>
> Patch 6 then enables policy checking.
>
> Some remarks for consideration:
>
> * This adds kernel-internal knowledge to libnftnl, namely in max name
> lengths. Maybe not ideal, but I found it more sensible than Florian's
> suggested alternative of using 65528 to just not exceed netlink
> limits.
>
> * nftnl_expr_set_u*() setters start failing when they would happily
> overstep boundaries before. This is intentional, but getting the
> policy values right (at first I thought 'sizeof(enum nft_registers)'
> was a good idea) showed how hard to diagnose bugs in that area are. I
> think we should make the setters return success/fail like
> nftnl_expr_set_str does already, even if that breaks ABI (does it?).
> nftables probably benefits from setter wrappers which call
> netlink_abi_error() if the setter fails.
>
> Phil Sutter (6):
> tests: Fix objref test case
> expr: Repurpose struct expr_ops::max_attr field
> expr: Call expr_ops::set with legal types only
> include: Sync nf_log.h with kernel headers
> expr: Introduce struct expr_ops::attr_policy
> expr: Enforce attr_policy compliance in nftnl_expr_set()
Series applied after checking that there's no effect on nftables' py testsuite
results in different releases (v0.9.9, v1.0.6, v1.0.9).