Hello community, here is the log from the commit of package libnftnl for openSUSE:Factory checked in at 2019-08-27 15:21:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libnftnl (Old) and /work/SRC/openSUSE:Factory/.libnftnl.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libnftnl" Tue Aug 27 15:21:32 2019 rev:15 rq:724567 version:1.1.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libnftnl/libnftnl.changes 2019-06-12 12:58:25.621339033 +0200 +++ /work/SRC/openSUSE:Factory/.libnftnl.new.7948/libnftnl.changes 2019-08-27 15:21:36.548834136 +0200 @@ -1,0 +2,7 @@ +Mon Aug 19 12:04:35 UTC 2019 - Jan Engelhardt <[email protected]> + +- Update to new upstream release 1.1.4 + * Add ct id support, add ct expectation support, + add synproxy support. + +------------------------------------------------------------------- Old: ---- libnftnl-1.1.3.tar.bz2 libnftnl-1.1.3.tar.bz2.sig New: ---- libnftnl-1.1.4.tar.bz2 libnftnl-1.1.4.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libnftnl.spec ++++++ --- /var/tmp/diff_new_pack.VOvIfG/_old 2019-08-27 15:21:36.988833914 +0200 +++ /var/tmp/diff_new_pack.VOvIfG/_new 2019-08-27 15:21:36.992833913 +0200 @@ -18,18 +18,17 @@ Name: libnftnl %define lname libnftnl11 -Version: 1.1.3 +Version: 1.1.4 Release: 0 Summary: Userspace library to access the nftables Netlink interface License: GPL-2.0-or-later Group: Productivity/Networking/Security -Url: http://netfilter.org/projects/libnftnl/ +URL: https://netfilter.org/projects/libnftnl/ #Git-Clone: git://git.netfilter.org/libnftnl Source: http://ftp.netfilter.org/pub/libnftnl/%name-%version.tar.bz2 Source2: http://ftp.netfilter.org/pub/libnftnl/%name-%version.tar.bz2.sig -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: pkgconfig >= 0.21 +BuildRequires: pkg-config >= 0.21 BuildRequires: xz BuildRequires: pkgconfig(libmnl) >= 1.0.3 ++++++ libnftnl-1.1.3.tar.bz2 -> libnftnl-1.1.4.tar.bz2 ++++++ ++++ 1834 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/configure.ac new/libnftnl-1.1.4/configure.ac --- old/libnftnl-1.1.3/configure.ac 2019-05-27 13:52:31.656824522 +0200 +++ new/libnftnl-1.1.4/configure.ac 2019-08-19 11:18:14.303010167 +0200 @@ -1,6 +1,6 @@ dnl Process this file with autoconf to create configure. -AC_INIT([libnftnl], [1.1.3]) +AC_INIT([libnftnl], [1.1.4]) AC_CONFIG_AUX_DIR([build-aux]) AC_CANONICAL_HOST AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/examples/Makefile.am new/libnftnl-1.1.4/examples/Makefile.am --- old/libnftnl-1.1.3/examples/Makefile.am 2019-05-27 13:52:31.656824522 +0200 +++ new/libnftnl-1.1.4/examples/Makefile.am 2019-08-19 11:18:14.303010167 +0200 @@ -29,10 +29,14 @@ nft-flowtable-get \ nft-ruleset-get \ nft-compat-get \ + nft-ct-expectation-add \ + nft-ct-expectation-del \ + nft-ct-expectation-get \ nft-ct-helper-add \ nft-ct-helper-get \ nft-ct-helper-del \ nft-rule-ct-helper-add \ + nft-rule-ct-expectation-add \ nft-rule-ct-timeout-add nft_table_add_SOURCES = nft-table-add.c @@ -122,6 +126,15 @@ nft_compat_get_SOURCES = nft-compat-get.c nft_compat_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_expectation_add_SOURCES = nft-ct-expectation-add.c +nft_ct_expectation_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_expectation_del_SOURCES = nft-ct-expectation-del.c +nft_ct_expectation_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_expectation_get_SOURCES = nft-ct-expectation-get.c +nft_ct_expectation_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + nft_ct_helper_add_SOURCES = nft-ct-helper-add.c nft_ct_helper_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} @@ -134,5 +147,8 @@ nft_rule_ct_helper_add_SOURCES = nft-rule-ct-helper-add.c nft_rule_ct_helper_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_ct_expectation_add_SOURCES = nft-rule-ct-expectation-add.c +nft_rule_ct_expectation_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + nft_rule_ct_timeout_add_SOURCES = nft-rule-ct-timeout-add.c nft_rule_ct_timeout_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/examples/nft-ct-expectation-add.c new/libnftnl-1.1.4/examples/nft-ct-expectation-add.c --- old/libnftnl-1.1.3/examples/nft-ct-expectation-add.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libnftnl-1.1.4/examples/nft-ct-expectation-add.c 2019-08-19 11:18:14.303010167 +0200 @@ -0,0 +1,153 @@ +/* + * (C) 2019 by Stéphane Veyret <[email protected]> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> + +#include <obj.h> +#include <libmnl/libmnl.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static uint8_t parse_l4proto(char *str) +{ + if (strcmp(str, "udp") == 0) + return IPPROTO_UDP; + else if (strcmp(str, "tcp") == 0) + return IPPROTO_TCP; + else { + fprintf(stderr, "Unknown l4proto: tcp, udp\n"); + exit(EXIT_FAILURE); + } + return IPPROTO_TCP; +} + +static struct nftnl_obj *obj_parse(int argc, char *argv[]) +{ + uint16_t family, l3proto, dport; + uint8_t l4proto, size; + struct nftnl_obj *t; + uint32_t timeout; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_EXPECT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + if (argc > 8) { + l3proto = parse_family(argv[8], "l3proto"); + nftnl_obj_set_u16(t, NFTNL_OBJ_CT_EXPECT_L3PROTO, l3proto); + } + l4proto = parse_l4proto(argv[4]); + nftnl_obj_set_u8(t, NFTNL_OBJ_CT_EXPECT_L4PROTO, l4proto); + dport = atoi(argv[5]); + nftnl_obj_set_u16(t, NFTNL_OBJ_CT_EXPECT_DPORT, dport); + timeout = atol(argv[6]); + nftnl_obj_set_u32(t, NFTNL_OBJ_CT_EXPECT_TIMEOUT, timeout); + size = atoi(argv[7]); + nftnl_obj_set_u8(t, NFTNL_OBJ_CT_EXPECT_SIZE, size); + + return t; +} + +int main(int argc, char *argv[]) +{ + uint32_t portid, seq, obj_seq, family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch *batch; + struct mnl_socket *nl; + struct nlmsghdr *nlh; + struct nftnl_obj *t; + int ret; + + if (argc < 8 || argc > 9) { + fprintf(stderr, "%s <family> <table> <name> <l4proto> <dport> <timeout> <size> [l3proto]\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_parse(argc, argv); + if (t == NULL) { + exit(EXIT_FAILURE); + } + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWOBJ, family, + NLM_F_ACK | NLM_F_CREATE, seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/examples/nft-ct-expectation-del.c new/libnftnl-1.1.4/examples/nft-ct-expectation-del.c --- old/libnftnl-1.1.3/examples/nft-ct-expectation-del.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libnftnl-1.1.4/examples/nft-ct-expectation-del.c 2019-08-19 11:18:14.303010167 +0200 @@ -0,0 +1,126 @@ +/* + * (C) 2019 by Stéphane Veyret <[email protected]> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static struct nftnl_obj *obj_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_EXPECT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELOBJ, family, NLM_F_ACK, + seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + mnl_nlmsg_batch_next(batch); + nftnl_obj_free(t); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/examples/nft-ct-expectation-get.c new/libnftnl-1.1.4/examples/nft-ct-expectation-get.c --- old/libnftnl-1.1.3/examples/nft-ct-expectation-get.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libnftnl-1.1.4/examples/nft-ct-expectation-get.c 2019-08-19 11:18:14.303010167 +0200 @@ -0,0 +1,142 @@ +/* + * (C) 2019 by Stéphane Veyret <[email protected]> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static struct nftnl_obj *obj_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_EXPECT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + + if (argc > 3) + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + return t; +} + +static int obj_cb(const struct nlmsghdr *nlh, void *data) +{ + uint32_t *type = data; + struct nftnl_obj *t; + char buf[4096]; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_obj_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_obj_nlmsg_parse"); + goto err_free; + } + + nftnl_obj_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_obj_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_obj *t; + int ret; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + uint16_t flags = NLM_F_ACK; + + if (argc < 3 || argc > 4) { + fprintf(stderr, "%s <family> <table> [<name>]\n", argv[0]); + return EXIT_FAILURE; + } + + t = obj_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + + seq = time(NULL); + if (argc < 4) + flags = NLM_F_DUMP; + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, flags, seq); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, obj_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/examples/nft-rule-ct-expectation-add.c new/libnftnl-1.1.4/examples/nft-rule-ct-expectation-add.c --- old/libnftnl-1.1.3/examples/nft-rule-ct-expectation-add.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libnftnl-1.1.4/examples/nft-rule-ct-expectation-add.c 2019-08-19 11:18:14.307010158 +0200 @@ -0,0 +1,163 @@ +/* + * (C) 2019 by Stéphane Veyret <[email protected]> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static void add_ct_expect(struct nftnl_rule *r, const char *obj_name) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("objref"); + if (e == NULL) { + perror("expr objref oom"); + exit(EXIT_FAILURE); + } + nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, obj_name); + nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, NFT_OBJECT_CT_EXPECT); + + nftnl_rule_add_expr(r, e); +} + +static struct nftnl_rule *setup_rule(uint8_t family, const char *table, + const char *chain, const char *handle, + const char *obj_name) +{ + struct nftnl_rule *r = NULL; + uint64_t handle_num; + + r = nftnl_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_rule_set(r, NFTNL_RULE_TABLE, table); + nftnl_rule_set(r, NFTNL_RULE_CHAIN, chain); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle != NULL) { + handle_num = atoll(handle); + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num); + } + + add_ct_expect(r, obj_name); + + return r; +} + +int main(int argc, char *argv[]) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch *batch; + uint32_t seq = time(NULL); + struct mnl_socket *nl; + struct nftnl_rule *r; + struct nlmsghdr *nlh; + uint8_t family; + int ret; + + if (argc < 5 || argc > 6) { + fprintf(stderr, + "Usage: %s <family> <table> <chain> [<handle>] <name>\n", + argv[0]); + exit(EXIT_FAILURE); + } + family = parse_family(argv[1], "family"); + + if (argc < 6) + r = setup_rule(family, argv[2], argv[3], NULL, argv[4]); + else + r = setup_rule(family, argv[2], argv[3], argv[4], argv[5]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWRULE, + nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY), + NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, + seq++); + + nftnl_rule_nlmsg_build_payload(nlh, r); + nftnl_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/include/libnftnl/expr.h new/libnftnl-1.1.4/include/libnftnl/expr.h --- old/libnftnl-1.1.3/include/libnftnl/expr.h 2019-05-27 13:52:31.656824522 +0200 +++ new/libnftnl-1.1.4/include/libnftnl/expr.h 2019-08-19 11:18:14.307010158 +0200 @@ -291,6 +291,12 @@ NFTNL_EXPR_XFRM_SPNUM, }; +enum { + NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE, + NFTNL_EXPR_SYNPROXY_WSCALE, + NFTNL_EXPR_SYNPROXY_FLAGS, +}; + #ifdef __cplusplus } /* extern "C" */ #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/include/libnftnl/object.h new/libnftnl-1.1.4/include/libnftnl/object.h --- old/libnftnl-1.1.3/include/libnftnl/object.h 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/include/libnftnl/object.h 2019-08-19 11:18:14.307010158 +0200 @@ -71,6 +71,14 @@ }; enum { + NFTNL_OBJ_CT_EXPECT_L3PROTO = NFTNL_OBJ_BASE, + NFTNL_OBJ_CT_EXPECT_L4PROTO, + NFTNL_OBJ_CT_EXPECT_DPORT, + NFTNL_OBJ_CT_EXPECT_TIMEOUT, + NFTNL_OBJ_CT_EXPECT_SIZE, +}; + +enum { NFTNL_OBJ_LIMIT_RATE = NFTNL_OBJ_BASE, NFTNL_OBJ_LIMIT_UNIT, NFTNL_OBJ_LIMIT_BURST, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/include/linux/netfilter/nf_tables.h new/libnftnl-1.1.4/include/linux/netfilter/nf_tables.h --- old/libnftnl-1.1.3/include/linux/netfilter/nf_tables.h 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/include/linux/netfilter/nf_tables.h 2019-08-19 11:18:14.307010158 +0200 @@ -8,6 +8,7 @@ #define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN #define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN #define NFT_USERDATA_MAXLEN 256 +#define NFT_OSF_MAXGENRELEN 16 /** * enum nft_registers - nf_tables registers @@ -191,6 +192,7 @@ * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32) * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) + * @NFTA_CHAIN_FLAGS: chain flags */ enum nft_chain_attributes { NFTA_CHAIN_UNSPEC, @@ -203,6 +205,7 @@ NFTA_CHAIN_TYPE, NFTA_CHAIN_COUNTERS, NFTA_CHAIN_PAD, + NFTA_CHAIN_FLAGS, __NFTA_CHAIN_MAX }; #define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) @@ -268,7 +271,7 @@ * @NFT_SET_INTERVAL: set contains intervals * @NFT_SET_MAP: set is used as a dictionary * @NFT_SET_TIMEOUT: set uses timeouts - * @NFT_SET_EVAL: set contains expressions for evaluation + * @NFT_SET_EVAL: set can be updated from the evaluation path * @NFT_SET_OBJECT: set contains stateful objects */ enum nft_set_flags { @@ -729,10 +732,12 @@ * * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers * @NFT_EXTHDR_OP_TCP: match against tcp options + * @NFT_EXTHDR_OP_IPV4: match against ipv4 options */ enum nft_exthdr_op { NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_TCPOPT, + NFT_EXTHDR_OP_IPV4, __NFT_EXTHDR_OP_MAX }; #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) @@ -790,6 +795,10 @@ * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) * @NFT_META_PRANDOM: a 32bit pseudo-random number * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) + * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind) + * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind) + * @NFT_META_BRI_IIFPVID: packet input bridge port pvid + * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto */ enum nft_meta_keys { NFT_META_LEN, @@ -818,6 +827,10 @@ NFT_META_CGROUP, NFT_META_PRANDOM, NFT_META_SECPATH, + NFT_META_IIFKIND, + NFT_META_OIFKIND, + NFT_META_BRI_IIFPVID, + NFT_META_BRI_IIFVPROTO, }; /** @@ -936,22 +949,6 @@ #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) /** - * enum nft_osf_attributes - nf_tables osf expression netlink attributes - * - * @NFTA_OSF_DREG: destination register (NLA_U32) - * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) - * @NFTA_OSF_FLAGS: flags (NLA_U32) - */ -enum nft_osf_attributes { - NFTA_OSF_UNSPEC, - NFTA_OSF_DREG, - NFTA_OSF_TTL, - NFTA_OSF_FLAGS, - __NFTA_OSF_MAX, -}; -#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) - -/** * enum nft_ct_keys - nf_tables ct expression keys * * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info) @@ -977,7 +974,7 @@ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) - * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack + * @NFT_CT_ID: conntrack id */ enum nft_ct_keys { NFT_CT_STATE, @@ -1003,7 +1000,7 @@ NFT_CT_DST_IP, NFT_CT_SRC_IP6, NFT_CT_DST_IP6, - NFT_CT_TIMEOUT, + NFT_CT_ID, __NFT_CT_MAX }; #define NFT_CT_MAX (__NFT_CT_MAX - 1) @@ -1123,6 +1120,33 @@ #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) /** + * enum nft_log_level - nf_tables log levels + * + * @NFT_LOGLEVEL_EMERG: system is unusable + * @NFT_LOGLEVEL_ALERT: action must be taken immediately + * @NFT_LOGLEVEL_CRIT: critical conditions + * @NFT_LOGLEVEL_ERR: error conditions + * @NFT_LOGLEVEL_WARNING: warning conditions + * @NFT_LOGLEVEL_NOTICE: normal but significant condition + * @NFT_LOGLEVEL_INFO: informational + * @NFT_LOGLEVEL_DEBUG: debug-level messages + * @NFT_LOGLEVEL_AUDIT: enabling audit logging + */ +enum nft_log_level { + NFT_LOGLEVEL_EMERG, + NFT_LOGLEVEL_ALERT, + NFT_LOGLEVEL_CRIT, + NFT_LOGLEVEL_ERR, + NFT_LOGLEVEL_WARNING, + NFT_LOGLEVEL_NOTICE, + NFT_LOGLEVEL_INFO, + NFT_LOGLEVEL_DEBUG, + NFT_LOGLEVEL_AUDIT, + __NFT_LOGLEVEL_MAX +}; +#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1) + +/** * enum nft_queue_attributes - nf_tables queue expression netlink attributes * * @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16) @@ -1167,7 +1191,7 @@ #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) /** - * enum nft_secmark_attributes - nf_tables secmark expression netlink attributes + * enum nft_secmark_attributes - nf_tables secmark object netlink attributes * * @NFTA_SECMARK_CTX: security context (NLA_STRING) */ @@ -1420,7 +1444,7 @@ }; #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) -enum nft_ct_timeout_attributes { +enum nft_ct_timeout_timeout_attributes { NFTA_CT_TIMEOUT_UNSPEC, NFTA_CT_TIMEOUT_L3PROTO, NFTA_CT_TIMEOUT_L4PROTO, @@ -1429,6 +1453,17 @@ }; #define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1) +enum nft_ct_expectation_attributes { + NFTA_CT_EXPECT_UNSPEC, + NFTA_CT_EXPECT_L3PROTO, + NFTA_CT_EXPECT_L4PROTO, + NFTA_CT_EXPECT_DPORT, + NFTA_CT_EXPECT_TIMEOUT, + NFTA_CT_EXPECT_SIZE, + __NFTA_CT_EXPECT_MAX, +}; +#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1) + #define NFT_OBJECT_UNSPEC 0 #define NFT_OBJECT_COUNTER 1 #define NFT_OBJECT_QUOTA 2 @@ -1438,7 +1473,8 @@ #define NFT_OBJECT_TUNNEL 6 #define NFT_OBJECT_CT_TIMEOUT 7 #define NFT_OBJECT_SECMARK 8 -#define __NFT_OBJECT_MAX 9 +#define NFT_OBJECT_CT_EXPECT 9 +#define __NFT_OBJECT_MAX 10 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** @@ -1506,6 +1542,42 @@ #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) /** + * enum nft_osf_attributes - nftables osf expression netlink attributes + * + * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) + * @NFTA_OSF_FLAGS: flags (NLA_U32) + */ +enum nft_osf_attributes { + NFTA_OSF_UNSPEC, + NFTA_OSF_DREG, + NFTA_OSF_TTL, + NFTA_OSF_FLAGS, + __NFTA_OSF_MAX, +}; +#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) + +enum nft_osf_flags { + NFT_OSF_F_VERSION = (1 << 0), +}; + +/** + * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes + * + * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16) + * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8) + * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32) + */ +enum nft_synproxy_attributes { + NFTA_SYNPROXY_UNSPEC, + NFTA_SYNPROXY_MSS, + NFTA_SYNPROXY_WSCALE, + NFTA_SYNPROXY_FLAGS, + __NFTA_SYNPROXY_MAX, +}; +#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1) + +/** * enum nft_device_attributes - nf_tables device netlink attributes * * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) @@ -1701,10 +1773,19 @@ }; #define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) +enum nft_tunnel_mode { + NFT_TUNNEL_MODE_NONE, + NFT_TUNNEL_MODE_RX, + NFT_TUNNEL_MODE_TX, + __NFT_TUNNEL_MODE_MAX +}; +#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1) + enum nft_tunnel_attributes { NFTA_TUNNEL_UNSPEC, NFTA_TUNNEL_KEY, NFTA_TUNNEL_DREG, + NFTA_TUNNEL_MODE, __NFTA_TUNNEL_MAX }; #define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/include/obj.h new/libnftnl-1.1.4/include/obj.h --- old/libnftnl-1.1.3/include/obj.h 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/include/obj.h 2019-08-19 11:18:14.311010150 +0200 @@ -42,6 +42,13 @@ uint8_t l4proto; uint32_t timeout[NFTNL_CTTIMEOUT_ARRAY_MAX]; } ct_timeout; + struct nftnl_obj_ct_expect { + uint16_t l3proto; + uint16_t dport; + uint8_t l4proto; + uint8_t size; + uint32_t timeout; + } ct_expect; struct nftnl_obj_limit { uint64_t rate; uint64_t unit; @@ -99,6 +106,7 @@ extern struct obj_ops obj_ops_quota; extern struct obj_ops obj_ops_ct_helper; extern struct obj_ops obj_ops_ct_timeout; +extern struct obj_ops obj_ops_ct_expect; extern struct obj_ops obj_ops_limit; extern struct obj_ops obj_ops_tunnel; extern struct obj_ops obj_ops_secmark; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/libnftnl.pc.in new/libnftnl-1.1.4/libnftnl.pc.in --- old/libnftnl-1.1.3/libnftnl.pc.in 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/libnftnl.pc.in 2019-08-19 11:18:14.311010150 +0200 @@ -10,6 +10,7 @@ URL: http://netfilter.org/projects/libnftnl/ Version: @VERSION@ Requires: +Requires.private: libmnl Conflicts: Libs: -L${libdir} -lnftnl Cflags: -I${includedir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/Makefile.am new/libnftnl-1.1.4/src/Makefile.am --- old/libnftnl-1.1.3/src/Makefile.am 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/src/Makefile.am 2019-08-19 11:18:14.311010150 +0200 @@ -56,6 +56,7 @@ expr/redir.c \ expr/hash.c \ expr/socket.c \ + expr/synproxy.c \ expr/osf.c \ expr/xfrm.c \ obj/counter.c \ @@ -65,4 +66,5 @@ obj/limit.c \ obj/ct_timeout.c \ obj/secmark.c \ + obj/ct_expect.c \ libnftnl.map diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/expr/ct.c new/libnftnl-1.1.4/src/expr/ct.c --- old/libnftnl-1.1.3/src/expr/ct.c 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/src/expr/ct.c 2019-08-19 11:18:14.311010150 +0200 @@ -172,6 +172,7 @@ [NFT_CT_DST_IP] = "dst_ip", [NFT_CT_SRC_IP6] = "src_ip6", [NFT_CT_DST_IP6] = "dst_ip6", + [NFT_CT_ID] = "id", }; static const char *ctkey2str(uint32_t ctkey) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/expr/exthdr.c new/libnftnl-1.1.4/src/expr/exthdr.c --- old/libnftnl-1.1.3/src/expr/exthdr.c 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/src/expr/exthdr.c 2019-08-19 11:18:14.311010150 +0200 @@ -200,6 +200,9 @@ case NFT_EXTHDR_OP_TCPOPT: return " tcpopt"; case NFT_EXTHDR_OP_IPV6: + return " ipv6"; + case NFT_EXTHDR_OP_IPV4: + return " ipv4"; default: return ""; } @@ -209,6 +212,8 @@ { if (!strcmp(str, "tcpopt")) return NFT_EXTHDR_OP_TCPOPT; + if (!strcmp(str, "ipv4")) + return NFT_EXTHDR_OP_IPV4; /* if str == "ipv6" or anything else */ return NFT_EXTHDR_OP_IPV6; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/expr/meta.c new/libnftnl-1.1.4/src/expr/meta.c --- old/libnftnl-1.1.3/src/expr/meta.c 2019-05-27 13:52:31.660824518 +0200 +++ new/libnftnl-1.1.4/src/expr/meta.c 2019-08-19 11:18:14.311010150 +0200 @@ -22,7 +22,7 @@ #include <libnftnl/rule.h> #ifndef NFT_META_MAX -#define NFT_META_MAX (NFT_META_SECPATH + 1) +#define NFT_META_MAX (NFT_META_BRI_IIFVPROTO + 1) #endif struct nftnl_expr_meta { @@ -159,6 +159,10 @@ [NFT_META_CGROUP] = "cgroup", [NFT_META_PRANDOM] = "prandom", [NFT_META_SECPATH] = "secpath", + [NFT_META_IIFKIND] = "iifkind", + [NFT_META_OIFKIND] = "oifkind", + [NFT_META_BRI_IIFPVID] = "bri_iifpvid", + [NFT_META_BRI_IIFVPROTO] = "bri_iifvproto", }; static const char *meta_key2str(uint8_t key) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/expr/synproxy.c new/libnftnl-1.1.4/src/expr/synproxy.c --- old/libnftnl-1.1.3/src/expr/synproxy.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libnftnl-1.1.4/src/expr/synproxy.c 2019-08-19 11:18:14.315010142 +0200 @@ -0,0 +1,170 @@ +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <arpa/inet.h> +#include <errno.h> +#include <linux/netfilter/nf_tables.h> + +#include "internal.h" +#include <libmnl/libmnl.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> + +struct nftnl_expr_synproxy { + uint16_t mss; + uint8_t wscale; + uint32_t flags; +}; + +static int nftnl_expr_synproxy_set(struct nftnl_expr *e, uint16_t type, + const void *data, uint32_t data_len) +{ + struct nftnl_expr_synproxy *synproxy = nftnl_expr_data(e); + + switch(type) { + case NFTNL_EXPR_SYNPROXY_MSS: + memcpy(&synproxy->mss, data, sizeof(synproxy->mss)); + break; + case NFTNL_EXPR_SYNPROXY_WSCALE: + memcpy(&synproxy->wscale, data, sizeof(synproxy->wscale)); + break; + case NFTNL_EXPR_SYNPROXY_FLAGS: + memcpy(&synproxy->flags, data, sizeof(synproxy->flags)); + break; + } + return 0; +} + +static const void * +nftnl_expr_synproxy_get(const struct nftnl_expr *e, uint16_t type, + uint32_t *data_len) +{ + struct nftnl_expr_synproxy *synproxy = nftnl_expr_data(e); + + switch(type) { + case NFTNL_EXPR_SYNPROXY_MSS: + *data_len = sizeof(synproxy->mss); + return &synproxy->mss; + case NFTNL_EXPR_SYNPROXY_WSCALE: + *data_len = sizeof(synproxy->wscale); + return &synproxy->wscale; + case NFTNL_EXPR_SYNPROXY_FLAGS: + *data_len = sizeof(synproxy->flags); + return &synproxy->flags; + } + return NULL; +} + +static int nftnl_expr_synproxy_cb(const struct nlattr *attr, void *data) +{ + const struct nlattr **tb = data; + int type = mnl_attr_get_type(attr); + + if (mnl_attr_type_valid(attr, NFTA_SYNPROXY_MAX) < 0) + return MNL_CB_OK; + + switch(type) { + case NFTNL_EXPR_SYNPROXY_MSS: + if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0) + abi_breakage(); + break; + + case NFTNL_EXPR_SYNPROXY_WSCALE: + if (mnl_attr_validate(attr, MNL_TYPE_U8) < 0) + abi_breakage(); + break; + + case NFTNL_EXPR_SYNPROXY_FLAGS: + if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) + abi_breakage(); + break; + } + + tb[type] = attr; + return MNL_CB_OK; +} + +static void +nftnl_expr_synproxy_build(struct nlmsghdr *nlh, const struct nftnl_expr *e) +{ + struct nftnl_expr_synproxy *synproxy = nftnl_expr_data(e); + + if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_MSS)) + mnl_attr_put_u16(nlh, NFTNL_EXPR_SYNPROXY_MSS, + htons(synproxy->mss)); + if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_WSCALE)) + mnl_attr_put_u8(nlh, NFTNL_EXPR_SYNPROXY_WSCALE, + synproxy->wscale); + if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_FLAGS)) + mnl_attr_put_u32(nlh, NFTNL_EXPR_SYNPROXY_FLAGS, + htonl(synproxy->flags)); +} + +static int +nftnl_expr_synproxy_parse(struct nftnl_expr *e, struct nlattr *attr) +{ + struct nftnl_expr_synproxy *synproxy = nftnl_expr_data(e); + struct nlattr *tb[NFTA_SYNPROXY_MAX + 1] = {}; + + if (mnl_attr_parse_nested(attr, nftnl_expr_synproxy_cb, tb) < 0) + return -1; + + if (tb[NFTA_SYNPROXY_MSS]) { + synproxy->mss = ntohs(mnl_attr_get_u16(tb[NFTA_SYNPROXY_MSS])); + e->flags |= (1 << NFTNL_EXPR_SYNPROXY_MSS); + } + + if (tb[NFTA_SYNPROXY_WSCALE]) { + synproxy->wscale = mnl_attr_get_u8(tb[NFTA_SYNPROXY_WSCALE]); + e->flags |= (1 << NFTNL_EXPR_SYNPROXY_WSCALE); + } + + if (tb[NFTA_SYNPROXY_FLAGS]) { + synproxy->flags = ntohl(mnl_attr_get_u32(tb[NFTA_SYNPROXY_FLAGS])); + e->flags |= (1 << NFTNL_EXPR_SYNPROXY_FLAGS); + } + + return 0; +} + +static int nftnl_expr_synproxy_snprintf_default(char *buf, size_t size, + const struct nftnl_expr *e) +{ + struct nftnl_expr_synproxy *synproxy = nftnl_expr_data(e); + int ret, offset = 0, len = size; + + if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_MSS) && + e->flags & (1 << NFTNL_EXPR_SYNPROXY_WSCALE)) { + ret = snprintf(buf, len, "mss %u wscale %u ", synproxy->mss, + synproxy->wscale); + SNPRINTF_BUFFER_SIZE(ret, len, offset); + } + + return offset; +} + +static int +nftnl_expr_synproxy_snprintf(char *buf, size_t len, uint32_t type, + uint32_t flags, const struct nftnl_expr *e) +{ + switch(type) { + case NFTNL_OUTPUT_DEFAULT: + return nftnl_expr_synproxy_snprintf_default(buf, len, e); + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: + default: + break; + } + return -1; +} + +struct expr_ops expr_ops_synproxy = { + .name = "synproxy", + .alloc_len = sizeof(struct nftnl_expr_synproxy), + .max_attr = NFTA_SYNPROXY_MAX, + .set = nftnl_expr_synproxy_set, + .get = nftnl_expr_synproxy_get, + .parse = nftnl_expr_synproxy_parse, + .build = nftnl_expr_synproxy_build, + .snprintf = nftnl_expr_synproxy_snprintf, +}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/expr_ops.c new/libnftnl-1.1.4/src/expr_ops.c --- old/libnftnl-1.1.3/src/expr_ops.c 2019-05-27 13:52:31.664824514 +0200 +++ new/libnftnl-1.1.4/src/expr_ops.c 2019-08-19 11:18:14.315010142 +0200 @@ -37,6 +37,7 @@ extern struct expr_ops expr_ops_fib; extern struct expr_ops expr_ops_flow; extern struct expr_ops expr_ops_socket; +extern struct expr_ops expr_ops_synproxy; extern struct expr_ops expr_ops_tunnel; extern struct expr_ops expr_ops_osf; extern struct expr_ops expr_ops_xfrm; @@ -80,6 +81,7 @@ &expr_ops_objref, &expr_ops_flow, &expr_ops_socket, + &expr_ops_synproxy, &expr_ops_tunnel, &expr_ops_osf, &expr_ops_xfrm, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/obj/ct_expect.c new/libnftnl-1.1.4/src/obj/ct_expect.c --- old/libnftnl-1.1.3/src/obj/ct_expect.c 1970-01-01 01:00:00.000000000 +0100 +++ new/libnftnl-1.1.4/src/obj/ct_expect.c 2019-08-19 11:18:14.315010142 +0200 @@ -0,0 +1,213 @@ +/* + * (C) 2019 by Stéphane Veyret <[email protected]> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <arpa/inet.h> +#include <errno.h> + +#include <libmnl/libmnl.h> + +#include "obj.h" + +static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type, + const void *data, uint32_t data_len) +{ + struct nftnl_obj_ct_expect *exp = nftnl_obj_data(e); + + switch (type) { + case NFTNL_OBJ_CT_EXPECT_L3PROTO: + memcpy(&exp->l3proto, data, sizeof(exp->l3proto)); + break; + case NFTNL_OBJ_CT_EXPECT_L4PROTO: + memcpy(&exp->l4proto, data, sizeof(exp->l4proto)); + break; + case NFTNL_OBJ_CT_EXPECT_DPORT: + memcpy(&exp->dport, data, sizeof(exp->dport)); + break; + case NFTNL_OBJ_CT_EXPECT_TIMEOUT: + memcpy(&exp->timeout, data, sizeof(exp->timeout)); + break; + case NFTNL_OBJ_CT_EXPECT_SIZE: + memcpy(&exp->size, data, sizeof(exp->size)); + break; + default: + return -1; + } + return 0; +} + +static const void *nftnl_obj_ct_expect_get(const struct nftnl_obj *e, + uint16_t type, uint32_t *data_len) +{ + struct nftnl_obj_ct_expect *exp = nftnl_obj_data(e); + + switch (type) { + case NFTNL_OBJ_CT_EXPECT_L3PROTO: + *data_len = sizeof(exp->l3proto); + return &exp->l3proto; + case NFTNL_OBJ_CT_EXPECT_L4PROTO: + *data_len = sizeof(exp->l4proto); + return &exp->l4proto; + case NFTNL_OBJ_CT_EXPECT_DPORT: + *data_len = sizeof(exp->dport); + return &exp->dport; + case NFTNL_OBJ_CT_EXPECT_TIMEOUT: + *data_len = sizeof(exp->timeout); + return &exp->timeout; + case NFTNL_OBJ_CT_EXPECT_SIZE: + *data_len = sizeof(exp->size); + return &exp->size; + } + return NULL; +} + +static int nftnl_obj_ct_expect_cb(const struct nlattr *attr, void *data) +{ + int type = mnl_attr_get_type(attr); + const struct nlattr **tb = data; + + if (mnl_attr_type_valid(attr, NFTA_CT_EXPECT_MAX) < 0) + return MNL_CB_OK; + + switch (type) { + case NFTA_CT_EXPECT_L3PROTO: + if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0) + abi_breakage(); + break; + case NFTA_CT_EXPECT_L4PROTO: + if (mnl_attr_validate(attr, MNL_TYPE_U8) < 0) + abi_breakage(); + break; + case NFTA_CT_EXPECT_DPORT: + if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0) + abi_breakage(); + break; + case NFTA_CT_EXPECT_TIMEOUT: + if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) + abi_breakage(); + break; + case NFTA_CT_EXPECT_SIZE: + if (mnl_attr_validate(attr, MNL_TYPE_U8) < 0) + abi_breakage(); + break; + } + + tb[type] = attr; + return MNL_CB_OK; +} + +static void +nftnl_obj_ct_expect_build(struct nlmsghdr *nlh, const struct nftnl_obj *e) +{ + struct nftnl_obj_ct_expect *exp = nftnl_obj_data(e); + + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_L3PROTO)) + mnl_attr_put_u16(nlh, NFTA_CT_EXPECT_L3PROTO, htons(exp->l3proto)); + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_L4PROTO)) + mnl_attr_put_u8(nlh, NFTA_CT_EXPECT_L4PROTO, exp->l4proto); + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_DPORT)) + mnl_attr_put_u16(nlh, NFTA_CT_EXPECT_DPORT, htons(exp->dport)); + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_TIMEOUT)) + mnl_attr_put_u32(nlh, NFTA_CT_EXPECT_TIMEOUT, exp->timeout); + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_SIZE)) + mnl_attr_put_u8(nlh, NFTA_CT_EXPECT_SIZE, exp->size); +} + +static int +nftnl_obj_ct_expect_parse(struct nftnl_obj *e, struct nlattr *attr) +{ + struct nftnl_obj_ct_expect *exp = nftnl_obj_data(e); + struct nlattr *tb[NFTA_CT_EXPECT_MAX + 1] = {}; + + if (mnl_attr_parse_nested(attr, nftnl_obj_ct_expect_cb, tb) < 0) + return -1; + + if (tb[NFTA_CT_EXPECT_L3PROTO]) { + exp->l3proto = ntohs(mnl_attr_get_u16(tb[NFTA_CT_EXPECT_L3PROTO])); + e->flags |= (1 << NFTNL_OBJ_CT_EXPECT_L3PROTO); + } + if (tb[NFTA_CT_EXPECT_L4PROTO]) { + exp->l4proto = mnl_attr_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]); + e->flags |= (1 << NFTNL_OBJ_CT_EXPECT_L4PROTO); + } + if (tb[NFTA_CT_EXPECT_DPORT]) { + exp->dport = ntohs(mnl_attr_get_u16(tb[NFTA_CT_EXPECT_DPORT])); + e->flags |= (1 << NFTNL_OBJ_CT_EXPECT_DPORT); + } + if (tb[NFTA_CT_EXPECT_TIMEOUT]) { + exp->timeout = mnl_attr_get_u32(tb[NFTA_CT_EXPECT_TIMEOUT]); + e->flags |= (1 << NFTNL_OBJ_CT_EXPECT_TIMEOUT); + } + if (tb[NFTA_CT_EXPECT_SIZE]) { + exp->size = mnl_attr_get_u8(tb[NFTA_CT_EXPECT_SIZE]); + e->flags |= (1 << NFTNL_OBJ_CT_EXPECT_SIZE); + } + + return 0; +} + +static int nftnl_obj_ct_expect_snprintf_default(char *buf, size_t len, + const struct nftnl_obj *e) +{ + int ret = 0; + int offset = 0, remain = len; + struct nftnl_obj_ct_expect *exp = nftnl_obj_data(e); + + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_L3PROTO)) { + ret = snprintf(buf + offset, len, "family %d ", exp->l3proto); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); + } + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_L4PROTO)) { + ret = snprintf(buf + offset, len, "protocol %d ", exp->l4proto); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); + } + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_DPORT)) { + ret = snprintf(buf + offset, len, "dport %d ", exp->dport); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); + } + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_TIMEOUT)) { + ret = snprintf(buf + offset, len, "timeout %d ", exp->timeout); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); + } + if (e->flags & (1 << NFTNL_OBJ_CT_EXPECT_SIZE)) { + ret = snprintf(buf + offset, len, "size %d ", exp->size); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); + } + + buf[offset] = '\0'; + return offset; +} + +static int nftnl_obj_ct_expect_snprintf(char *buf, size_t len, uint32_t type, + uint32_t flags, + const struct nftnl_obj *e) +{ + if (len) + buf[0] = '\0'; + + switch (type) { + case NFTNL_OUTPUT_DEFAULT: + return nftnl_obj_ct_expect_snprintf_default(buf, len, e); + case NFTNL_OUTPUT_JSON: + default: + break; + } + return -1; +} + +struct obj_ops obj_ops_ct_expect = { + .name = "ct_expect", + .type = NFT_OBJECT_CT_EXPECT, + .alloc_len = sizeof(struct nftnl_obj_ct_expect), + .max_attr = NFTA_CT_EXPECT_MAX, + .set = nftnl_obj_ct_expect_set, + .get = nftnl_obj_ct_expect_get, + .parse = nftnl_obj_ct_expect_parse, + .build = nftnl_obj_ct_expect_build, + .snprintf = nftnl_obj_ct_expect_snprintf, +}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/object.c new/libnftnl-1.1.4/src/object.c --- old/libnftnl-1.1.3/src/object.c 2019-05-27 13:52:31.664824514 +0200 +++ new/libnftnl-1.1.4/src/object.c 2019-08-19 11:18:14.315010142 +0200 @@ -33,6 +33,7 @@ [NFT_OBJECT_TUNNEL] = &obj_ops_tunnel, [NFT_OBJECT_CT_TIMEOUT] = &obj_ops_ct_timeout, [NFT_OBJECT_SECMARK] = &obj_ops_secmark, + [NFT_OBJECT_CT_EXPECT] = &obj_ops_ct_expect, }; static struct obj_ops *nftnl_obj_ops_lookup(uint32_t type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/set_elem.c new/libnftnl-1.1.4/src/set_elem.c --- old/libnftnl-1.1.3/src/set_elem.c 2019-05-27 13:52:31.664824514 +0200 +++ new/libnftnl-1.1.4/src/set_elem.c 2019-08-19 11:18:14.315010142 +0200 @@ -126,6 +126,9 @@ case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */ memcpy(&s->timeout, data, sizeof(s->timeout)); break; + case NFTNL_SET_ELEM_EXPIRATION: /* NFTA_SET_ELEM_EXPIRATION */ + memcpy(&s->expiration, data, sizeof(s->expiration)); + break; case NFTNL_SET_ELEM_USERDATA: /* NFTA_SET_ELEM_USERDATA */ if (s->flags & (1 << NFTNL_SET_ELEM_USERDATA)) xfree(s->user.data); @@ -265,6 +268,8 @@ mnl_attr_put_u32(nlh, NFTA_SET_ELEM_FLAGS, htonl(e->set_elem_flags)); if (e->flags & (1 << NFTNL_SET_ELEM_TIMEOUT)) mnl_attr_put_u64(nlh, NFTA_SET_ELEM_TIMEOUT, htobe64(e->timeout)); + if (e->flags & (1 << NFTNL_SET_ELEM_EXPIRATION)) + mnl_attr_put_u64(nlh, NFTA_SET_ELEM_EXPIRATION, htobe64(e->expiration)); if (e->flags & (1 << NFTNL_SET_ELEM_KEY)) { struct nlattr *nest1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libnftnl-1.1.3/src/udata.c new/libnftnl-1.1.4/src/udata.c --- old/libnftnl-1.1.3/src/udata.c 2019-05-27 13:52:31.664824514 +0200 +++ new/libnftnl-1.1.4/src/udata.c 2019-08-19 11:18:14.315010142 +0200 @@ -122,9 +122,11 @@ EXPORT_SYMBOL(nftnl_udata_get_u32); uint32_t nftnl_udata_get_u32(const struct nftnl_udata *attr) { - uint32_t *data = (uint32_t *)attr->value; + uint32_t data; - return *data; + memcpy(&data, attr->value, sizeof(data)); + + return data; } EXPORT_SYMBOL(nftnl_udata_next);
