From 41016892b7fd7eef95be2c538142273333561059 Mon Sep 17 00:00:00 2001 
From: MSVSphere Packaging Team Date: Thu, 5 Sep 2024 03:38:25 +0300 Subject: [PATCH] import libnftnl-1.2.6-4.el9_4 --- .gitignore | 2 +- .libnftnl.metadata | 2 +- ...e-free-d-expr_list-elements-in-place.patch | 77 ++ ...ffer-overflows-in-data-value-setters.patch | 144 +++ ...flow-in-NFTNL_SET_DESC_CONCAT-setter.patch | 46 + ...nl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch | 60 ++ ...etter-checks-for-timeout-array-bound.patch | 72 ++ ...rect-userdata-buffer-size-validation.patch | 51 + ...rpose-struct-expr_ops-max_attr-field.patch | 872 +++++++++++++++ ...l-expr_ops-set-with-legal-types-only.patch | 503 +++++++++ ...de-Sync-nf_log.h-with-kernel-headers.patch | 39 + ...ntroduce-struct-expr_ops-attr_policy.patch | 989 ++++++++++++++++++ ...r_policy-compliance-in-nftnl_expr_se.patch | 48 + ...2-chain-Validate-NFTNL_CHAIN_USE-too.patch | 34 + ...3-table-Validate-NFTNL_TABLE_USE-too.patch | 34 + ...le-Validate-NFTNL_FLOWTABLE_SIZE-too.patch | 34 + ...0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch | 34 + .../0016-set-Validate-NFTNL_SET_ID-too.patch | 34 + ...table-Validate-NFTNL_TABLE_OWNER-too.patch | 34 + ...nftnl_obj_set_data-with-zero-data_le.patch | 38 + ...-memcpy-to-handle-potentially-unalig.patch | 47 + ...ong-variable-use-in-nftnl_assert_val.patch | 49 + ...021-object-getters-take-const-struct.patch | 116 ++ .../0022-obj-Return-value-on-setters.patch | 157 +++ ...urpose-struct-obj_ops-max_attr-field.patch | 234 +++++ ...j_ops-set-with-legal-attributes-only.patch | 168 +++ ...Introduce-struct-obj_ops-attr_policy.patch | 272 +++++ ..._policy-compliance-in-nftnl_obj_set_.patch | 43 + ...Introduce-and-use-nftnl_set_str_attr.patch | 251 +++++ ...ect-data_len-when-setting-attributes.patch | 234 +++++ ...ect-data_len-when-setting-attributes.patch | 968 +++++++++++++++++ SOURCES/0030-tests-Fix-objref-test-case.patch | 38 + SPECS/libnftnl.spec | 104 +- 33 files changed, 5809 insertions(+), 19 deletions(-) create mode 100644 
SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch create mode 100644 SOURCES/0002-expr-fix-buffer-overflows-in-data-value-setters.patch create mode 100644 SOURCES/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch create mode 100644 SOURCES/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch create mode 100644 SOURCES/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch create mode 100644 SOURCES/0006-udata-incorrect-userdata-buffer-size-validation.patch create mode 100644 SOURCES/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch create mode 100644 SOURCES/0008-expr-Call-expr_ops-set-with-legal-types-only.patch create mode 100644 SOURCES/0009-include-Sync-nf_log.h-with-kernel-headers.patch create mode 100644 SOURCES/0010-expr-Introduce-struct-expr_ops-attr_policy.patch create mode 100644 SOURCES/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch create mode 100644 SOURCES/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch create mode 100644 SOURCES/0013-table-Validate-NFTNL_TABLE_USE-too.patch create mode 100644 SOURCES/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch create mode 100644 SOURCES/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch create mode 100644 SOURCES/0016-set-Validate-NFTNL_SET_ID-too.patch create mode 100644 SOURCES/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch create mode 100644 SOURCES/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch create mode 100644 SOURCES/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch create mode 100644 SOURCES/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch create mode 100644 SOURCES/0021-object-getters-take-const-struct.patch create mode 100644 SOURCES/0022-obj-Return-value-on-setters.patch create mode 100644 SOURCES/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch create mode 100644 SOURCES/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch create mode 100644 
SOURCES/0025-obj-Introduce-struct-obj_ops-attr_policy.patch create mode 100644 SOURCES/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch create mode 100644 SOURCES/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch create mode 100644 SOURCES/0028-obj-Respect-data_len-when-setting-attributes.patch create mode 100644 SOURCES/0029-expr-Respect-data_len-when-setting-attributes.patch create mode 100644 SOURCES/0030-tests-Fix-objref-test-case.patch diff --git a/.gitignore b/.gitignore index 7eb7ab6..852d249 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libnftnl-1.2.2.tar.bz2 +SOURCES/libnftnl-1.2.6.tar.xz diff --git a/.libnftnl.metadata b/.libnftnl.metadata index 816807c..211f019 100644 --- a/.libnftnl.metadata +++ b/.libnftnl.metadata @@ -1 +1 @@ -a43773c5569d6a80cd94add256bef4dd63dd7571 SOURCES/libnftnl-1.2.2.tar.bz2 +aba10d5003a851fe08685df1d4ff7b60500122d0 SOURCES/libnftnl-1.2.6.tar.xz diff --git a/SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch b/SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch new file mode 100644 index 0000000..de444b8 --- /dev/null +++ b/SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch @@ -0,0 +1,77 @@ +From 64b18b08a4c7ff6baeca536100e34aacbbafa7f3 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 26 Oct 2023 18:05:02 +0200 +Subject: [PATCH] set: Do not leave free'd expr_list elements in place + +JIRA: https://issues.redhat.com/browse/RHEL-14149 +Upstream Status: libnftnl commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9 + +commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9 +Author: Phil Sutter +Date: Wed May 31 14:09:09 2023 +0200 + + set: Do not leave free'd expr_list elements in place + + When freeing elements, remove them also to prevent a potential UAF. + + Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685 + Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS") + 
Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/set.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/set.c b/src/set.c
+index c46f827..719e596 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
+ if (s->flags & (1 << NFTNL_SET_USERDATA))
+ xfree(s->user.data);
+
+- list_for_each_entry_safe(expr, next, &s->expr_list, head)
++ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+
+ list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
+ list_del(&elem->head);
+@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
+ break;
+ case NFTNL_SET_EXPR:
+ case NFTNL_SET_EXPRESSIONS:
+- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+ break;
+ default:
+ return;
+@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
+ s->user.len = data_len;
+ break;
+ case NFTNL_SET_EXPR:
+- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+
+ expr = (void *)data;
+ list_add(&expr->head, &s->expr_list);
+@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
+
+ return 0;
+ out_set_expr:
+- list_for_each_entry_safe(expr, next, &s->expr_list, head)
++ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+
+ return -1;
+ }
diff --git a/SOURCES/0002-expr-fix-buffer-overflows-in-data-value-setters.patch b/SOURCES/0002-expr-fix-buffer-overflows-in-data-value-setters.patch
new file mode 100644
index 0000000..2b5a912
--- /dev/null
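Review bot: The same unlink-and-free loop body now appears four times in src/set.c (nftnl_set_free(), nftnl_set_unset(), nftnl_set_set_data() and the out_set_expr path of nftnl_set_nlmsg_parse()), each with its own cursor names; a small static helper taking the list head and doing `list_del(&expr->head); nftnl_expr_free(expr);` per entry would keep the four sites from drifting apart the next time this list's cleanup changes. This is a style point only; each of the four hunks is correct as written and does fix the dangling-entry problem the commit describes. All four enclosing functions extend beyond their hunks.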
+++ b/SOURCES/0002-expr-fix-buffer-overflows-in-data-value-setters.patch @@ -0,0 +1,144 @@ +From b88949c0d64c96683e581cbefada07de4c83eff9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] expr: fix buffer overflows in data value setters + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit bc2afbde9eae491bcef23ef5b24b25c7605ad911 + +commit bc2afbde9eae491bcef23ef5b24b25c7605ad911 +Author: Florian Westphal +Date: Tue Dec 12 15:01:17 2023 +0100 + + expr: fix buffer overflows in data value setters + + The data value setters memcpy() to a fixed-size buffer, but its very easy + to make nft pass too-larger values. Example: + @th,160,1272 gt 0 + + ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..] + + Truncate the copy instead of corrupting the heap. + This needs additional fixes on nft side to reject such statements with a + proper error message. + + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + include/data_reg.h | 2 ++ + src/expr/bitwise.c | 12 +++--------- + src/expr/cmp.c | 4 +--- + src/expr/data_reg.c | 14 ++++++++++++++ + src/expr/immediate.c | 4 +--- + src/expr/range.c | 8 ++------ + 6 files changed, 23 insertions(+), 21 deletions(-) + +diff --git a/include/data_reg.h b/include/data_reg.h +index 6d2dc66..5ee7080 100644 +--- a/include/data_reg.h ++++ b/include/data_reg.h +@@ -37,4 +37,6 @@ struct nlattr; + int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int *type); + void nftnl_free_verdict(const union nftnl_data_reg *data); + ++int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len); ++ + #endif +diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c +index 2d27233..e5dba82 100644 +--- a/src/expr/bitwise.c ++++ b/src/expr/bitwise.c +@@ -51,17 +51,11 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type, + memcpy(&bitwise->len, data, sizeof(bitwise->len)); + break; + case NFTNL_EXPR_BITWISE_MASK: +- memcpy(&bitwise->mask.val, data, data_len); +- bitwise->mask.len = data_len; +- break; ++ return nftnl_data_cpy(&bitwise->mask, data, data_len); + case NFTNL_EXPR_BITWISE_XOR: +- memcpy(&bitwise->xor.val, data, data_len); +- bitwise->xor.len = data_len; +- break; ++ return nftnl_data_cpy(&bitwise->xor, data, data_len); + case NFTNL_EXPR_BITWISE_DATA: +- memcpy(&bitwise->data.val, data, data_len); +- bitwise->data.len = data_len; +- break; ++ return nftnl_data_cpy(&bitwise->data, data, data_len); + default: + return -1; + } +diff --git a/src/expr/cmp.c b/src/expr/cmp.c +index f9d15bb..1d396e8 100644 +--- a/src/expr/cmp.c ++++ b/src/expr/cmp.c +@@ -42,9 +42,7 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type, + memcpy(&cmp->op, data, sizeof(cmp->op)); + break; + case NFTNL_EXPR_CMP_DATA: +- memcpy(&cmp->data.val, data, data_len); +- cmp->data.len = data_len; +- break; ++ return nftnl_data_cpy(&cmp->data, data, data_len); + default: 
+ return -1;
+ }
+diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
+index 2633a77..690b23d 100644
+--- a/src/expr/data_reg.c
++++ b/src/expr/data_reg.c
+@@ -217,3 +217,17 @@ void nftnl_free_verdict(const union nftnl_data_reg *data)
+ break;
+ }
+ }
++
++int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len)
++{
++ int ret = 0;
++
++ if (len > sizeof(dreg->val)) {
++ len = sizeof(dreg->val);
++ ret = -1;
++ }
++
++ memcpy(dreg->val, src, len);
++ dreg->len = len;
++ return ret;
++}
+diff --git a/src/expr/immediate.c b/src/expr/immediate.c
+index 5d477a8..f56aa8f 100644
+--- a/src/expr/immediate.c
++++ b/src/expr/immediate.c
+@@ -36,9 +36,7 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
+ memcpy(&imm->dreg, data, sizeof(imm->dreg));
+ break;
+ case NFTNL_EXPR_IMM_DATA:
+- memcpy(&imm->data.val, data, data_len);
+- imm->data.len = data_len;
+- break;
++ return nftnl_data_cpy(&imm->data, data, data_len);
+ case NFTNL_EXPR_IMM_VERDICT:
+ memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict));
+ break;
+diff --git a/src/expr/range.c b/src/expr/range.c
+index 473add8..5a30e48 100644
+--- a/src/expr/range.c
++++ b/src/expr/range.c
+@@ -40,13 +40,9 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
+ memcpy(&range->op, data, sizeof(range->op));
+ break;
+ case NFTNL_EXPR_RANGE_FROM_DATA:
+- memcpy(&range->data_from.val, data, data_len);
+- range->data_from.len = data_len;
+- break;
++ return nftnl_data_cpy(&range->data_from, data, data_len);
+ case NFTNL_EXPR_RANGE_TO_DATA:
+- memcpy(&range->data_to.val, data, data_len);
+- range->data_to.len = data_len;
+- break;
++ return nftnl_data_cpy(&range->data_to, data, data_len);
+ default:
+ return -1;
+ }
diff --git a/SOURCES/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch b/SOURCES/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
new file mode 100644
index 0000000..71799d2
--- /dev/null
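Review bot: nftnl_data_cpy() in the data_reg.c hunk copies the clamped prefix and updates dreg->len before it returns -1, so every caller that forwards its result (bitwise.c, cmp.c, immediate.c and range.c here, and the set_elem.c setters in patch 0004) reports failure while leaving the register holding a silently shortened value; whether nftnl_expr_set() still marks the attribute as set afterwards is decided outside these hunks. Truncating rather than rejecting is the stated intent, so the point is documentation: the new prototype added to include/data_reg.h carries no contract, and I would put `/* Bounded copy into dreg->val: input longer than sizeof(dreg->val) is truncated, dreg->len is set to the copied length and -1 is returned. */` above it. The setters that now `return nftnl_data_cpy(...)` also leave their switch early on success, so any per-attribute bookkeeping that follows the switch in those functions (not shown) would be skipped for these cases; the functions continue outside the hunks.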
+++ b/SOURCES/0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
@@ -0,0 +1,46 @@
+From 0d1d0bc545fdf355e19556153c3bb50d3bca29af Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 8 May 2024 22:39:40 +0200
+Subject: [PATCH] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
+
+JIRA: https://issues.redhat.com/browse/RHEL-28515
+Upstream Status: libnftnl commit 407f616ea53184ac3bfb9930d3f27ae1cff9c348
+
+commit 407f616ea53184ac3bfb9930d3f27ae1cff9c348
+Author: Pablo Neira Ayuso
+Date: Thu Jan 11 01:13:37 2024 +0100
+
+ set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
+
+ Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
+ bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
+ the array boundary.
+
+ Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ src/set.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/set.c b/src/set.c
+index 719e596..b51ff9e 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
+ memcpy(&s->desc.size, data, sizeof(s->desc.size));
+ break;
+ case NFTNL_SET_DESC_CONCAT:
++ if (data_len > sizeof(s->desc.field_len))
++ return -1;
++
+ memcpy(&s->desc.field_len, data, data_len);
+- while (s->desc.field_len[++s->desc.field_count]);
++ while (s->desc.field_len[++s->desc.field_count]) {
++ if (s->desc.field_count >= NFT_REG32_COUNT)
++ break;
++ }
+ break;
+ case NFTNL_SET_TIMEOUT:
+ memcpy(&s->timeout, data, sizeof(s->timeout));
diff --git a/SOURCES/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch b/SOURCES/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
new file mode 100644
index 0000000..1c4df05
--- /dev/null
+++ b/SOURCES/0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
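Review bot: The new bound check in the while loop runs one step too late: the loop condition uses `++s->desc.field_count` as the index before the body compares it with NFT_REG32_COUNT, so once field_count reaches NFT_REG32_COUNT the read of `s->desc.field_len[NFT_REG32_COUNT]` has already happened — one past the end if field_len has NFT_REG32_COUNT entries (the commit message gives its size as 16 bytes). Testing the index first avoids that read and also stops assuming field_len[0] is non-zero: `while (s->desc.field_count < NFT_REG32_COUNT && s->desc.field_len[s->desc.field_count]) s->desc.field_count++;`. Separately, field_count is not reset before the loop and the memcpy only overwrites the first data_len bytes, so if this attribute can be set twice on the same set the count would continue from the previous value over stale bytes; zeroing field_len and field_count at the top of the case, or documenting that the attribute is set once, would close that. nftnl_set_set_data() continues outside the hunk.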
@@ -0,0 +1,60 @@ +From aecf2107e075bc45e584badf1c67c0badfd116a5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] set_elem: use nftnl_data_cpy() in + NFTNL_SET_ELEM_{KEY,KEY_END,DATA} + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 974af82c0bb0bc5958ccd759bd3a0f2bddbc8d83 + +commit 974af82c0bb0bc5958ccd759bd3a0f2bddbc8d83 +Author: Pablo Neira Ayuso +Date: Fri Jan 12 12:33:38 2024 +0100 + + set_elem: use nftnl_data_cpy() in NFTNL_SET_ELEM_{KEY,KEY_END,DATA} + + Use safe nftnl_data_cpy() to copy key into union nftnl_data_reg. + + Follow up for commit: + + bc2afbde9eae ("expr: fix buffer overflows in data value setters") + + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + src/set_elem.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/set_elem.c b/src/set_elem.c +index 884faff..9207a0d 100644 +--- a/src/set_elem.c ++++ b/src/set_elem.c +@@ -126,12 +126,12 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr, + memcpy(&s->set_elem_flags, data, sizeof(s->set_elem_flags)); + break; + case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */ +- memcpy(&s->key.val, data, data_len); +- s->key.len = data_len; ++ if (nftnl_data_cpy(&s->key, data, data_len) < 0) ++ return -1; + break; + case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */ +- memcpy(&s->key_end.val, data, data_len); +- s->key_end.len = data_len; ++ if (nftnl_data_cpy(&s->key_end, data, data_len) < 0) ++ return -1; + break; + case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */ + memcpy(&s->data.verdict, data, sizeof(s->data.verdict)); +@@ -145,8 +145,8 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr, + return -1; + break; + case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */ +- memcpy(s->data.val, data, data_len); +- s->data.len = data_len; ++ if (nftnl_data_cpy(&s->data, data, data_len) < 0) ++ return -1; + break; + case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */ + memcpy(&s->timeout, data, sizeof(s->timeout)); diff --git a/SOURCES/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch b/SOURCES/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch new file mode 100644 index 0000000..d806536 --- /dev/null +++ b/SOURCES/0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch 
@@ -0,0 +1,72 @@ +From ec6136e9d14c36daf6c59fc99c051ed3ac4cd0f2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] obj: ct_timeout: setter checks for timeout array boundaries + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 7e6a10e4a57aaf72c74c21d2ed7d2be8289d0f6f + +commit 7e6a10e4a57aaf72c74c21d2ed7d2be8289d0f6f +Author: Pablo Neira Ayuso +Date: Thu Jan 25 17:34:40 2024 +0100 + + obj: ct_timeout: setter checks for timeout array boundaries + + Use _MAX definitions for timeout attribute arrays and check that + timeout array is not larger than NFTNL_CTTIMEOUT_ARRAY_MAX. + + Fixes: 0adceeab1597 ("src: add ct timeout support") + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + src/obj/ct_timeout.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c +index 65b48bd..fedf9e3 100644 +--- a/src/obj/ct_timeout.c ++++ b/src/obj/ct_timeout.c +@@ -21,7 +21,7 @@ + + #include "obj.h" + +-static const char *const tcp_state_to_name[] = { ++static const char *const tcp_state_to_name[NFTNL_CTTIMEOUT_TCP_MAX] = { + [NFTNL_CTTIMEOUT_TCP_SYN_SENT] = "SYN_SENT", + [NFTNL_CTTIMEOUT_TCP_SYN_RECV] = "SYN_RECV", + [NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = "ESTABLISHED", +@@ -35,7 +35,7 @@ static const char *const tcp_state_to_name[] = { + [NFTNL_CTTIMEOUT_TCP_UNACK] = "UNACKNOWLEDGED", + }; + +-static uint32_t tcp_dflt_timeout[] = { ++static uint32_t tcp_dflt_timeout[NFTNL_CTTIMEOUT_TCP_MAX] = { + [NFTNL_CTTIMEOUT_TCP_SYN_SENT] = 120, + [NFTNL_CTTIMEOUT_TCP_SYN_RECV] = 60, + [NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = 432000, +@@ -49,12 +49,12 @@ static uint32_t tcp_dflt_timeout[] = { + [NFTNL_CTTIMEOUT_TCP_UNACK] = 300, + }; + +-static const char *const udp_state_to_name[] = { ++static const char *const udp_state_to_name[NFTNL_CTTIMEOUT_UDP_MAX] = { + [NFTNL_CTTIMEOUT_UDP_UNREPLIED] = "UNREPLIED", + [NFTNL_CTTIMEOUT_UDP_REPLIED] = "REPLIED", + }; + +-static uint32_t udp_dflt_timeout[] = { ++static uint32_t udp_dflt_timeout[NFTNL_CTTIMEOUT_UDP_MAX] = { + [NFTNL_CTTIMEOUT_UDP_UNREPLIED] = 30, + [NFTNL_CTTIMEOUT_UDP_REPLIED] = 180, + }; +@@ -156,6 +156,9 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type, + memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto)); + break; + case NFTNL_OBJ_CT_TIMEOUT_ARRAY: ++ if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX) ++ return -1; ++ + memcpy(timeout->timeout, data, + sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX); + break; 
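Review bot: The new length check in nftnl_obj_ct_timeout_set() only rejects short input (`data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX`); a longer array is accepted and cut to NFTNL_CTTIMEOUT_ARRAY_MAX entries by the unchanged memcpy, which is reasonable but should be stated next to the check: `/* caller must supply at least NFTNL_CTTIMEOUT_ARRAY_MAX entries; any excess is ignored */`. The explicit sizes now given to tcp_state_to_name[], tcp_dflt_timeout[], udp_state_to_name[] and udp_dflt_timeout[] are correct only if NFTNL_CTTIMEOUT_TCP_MAX and NFTNL_CTTIMEOUT_UDP_MAX are one past the last state index; their definitions are not in this hunk, so that is worth confirming against the header (a designated initialiser at the bound itself would be a compile error, so a clean build is the evidence). nftnl_obj_ct_timeout_set() continues outside the hunk.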
diff --git a/SOURCES/0006-udata-incorrect-userdata-buffer-size-validation.patch b/SOURCES/0006-udata-incorrect-userdata-buffer-size-validation.patch
new file mode 100644
index 0000000..2a31267
--- /dev/null
+++ b/SOURCES/0006-udata-incorrect-userdata-buffer-size-validation.patch
@@ -0,0 +1,51 @@
+From f0cae2477f6e2292f315c1480c4a08d811dcb977 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 8 May 2024 22:39:40 +0200
+Subject: [PATCH] udata: incorrect userdata buffer size validation
+
+JIRA: https://issues.redhat.com/browse/RHEL-28515
+Upstream Status: libnftnl commit a4bcdfa6200ef1945a8f936a4474b59666c8dcca
+
+commit a4bcdfa6200ef1945a8f936a4474b59666c8dcca
+Author: Pablo Neira Ayuso
+Date: Mon Feb 26 17:31:19 2024 +0100
+
+ udata: incorrect userdata buffer size validation
+
+ Use the current remaining space in the buffer to ensure more userdata
+ attributes still fit in, buf->size is the total size of the userdata
+ buffer.
+
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ src/udata.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/udata.c b/src/udata.c
+index 0cc3520..e9bfc35 100644
+--- a/src/udata.c
++++ b/src/udata.c
+@@ -42,6 +42,11 @@ uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf)
+ return (uint32_t)(buf->end - buf->data);
+ }
+
++static uint32_t nftnl_udata_buf_space(const struct nftnl_udata_buf *buf)
++{
++ return buf->size - nftnl_udata_buf_len(buf);
++}
++
+ EXPORT_SYMBOL(nftnl_udata_buf_data);
+ void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf)
+ {
+@@ -74,7 +79,8 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len,
+ {
+ struct nftnl_udata *attr;
+
+- if (len > UINT8_MAX || buf->size < len + sizeof(struct nftnl_udata))
++ if (len > UINT8_MAX ||
++ nftnl_udata_buf_space(buf) < len + sizeof(struct nftnl_udata))
+ return false;
+
+ attr = (struct nftnl_udata *)buf->end;
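Review bot: nftnl_udata_buf_space() computes `buf->size - nftnl_udata_buf_len(buf)` in unsigned 32-bit arithmetic, so it depends on buf->end never moving past buf->data + buf->size; should that invariant ever be broken by another writer, the difference wraps to a large value and the fit check in nftnl_udata_put() passes again instead of failing. The corrected check in nftnl_udata_put() is what maintains the invariant for this path, so a one-line comment on the helper is enough to make the dependency explicit: `/* remaining bytes; assumes buf->end <= buf->data + buf->size, which nftnl_udata_put() maintains */`. Any other code that advances buf->end is outside this hunk.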
diff --git a/SOURCES/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch b/SOURCES/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch new file mode 100644 index 0000000..8b8f49b --- /dev/null +++ b/SOURCES/0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch @@ -0,0 +1,872 @@ +From d131ee36bcd2ff923f8678bea6f8bc6dfe6da7bb Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] expr: Repurpose struct expr_ops::max_attr field + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 4ed45d7bbbb9f914c934af327ee0271bcc909302 + +commit 4ed45d7bbbb9f914c934af327ee0271bcc909302 +Author: Phil Sutter +Date: Wed Dec 13 14:56:49 2023 +0100 + + expr: Repurpose struct expr_ops::max_attr field + + Instead of holding the maximum kernel space (NFTA_*) attribute value, + use it to hold the maximum expression attribute (NFTNL_EXPR_*) value + instead. This will be used for index boundary checks in an attribute + policy array later. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/expr_ops.h | 2 +- + include/libnftnl/expr.h | 39 +++++++++++++++++++++++++++++++++++++++ + src/expr/bitwise.c | 2 +- + src/expr/byteorder.c | 2 +- + src/expr/cmp.c | 2 +- + src/expr/connlimit.c | 2 +- + src/expr/counter.c | 2 +- + src/expr/ct.c | 2 +- + src/expr/dup.c | 2 +- + src/expr/dynset.c | 2 +- + src/expr/exthdr.c | 2 +- + src/expr/fib.c | 2 +- + src/expr/flow_offload.c | 2 +- + src/expr/fwd.c | 2 +- + src/expr/hash.c | 2 +- + src/expr/immediate.c | 2 +- + src/expr/inner.c | 2 +- + src/expr/last.c | 2 +- + src/expr/limit.c | 2 +- + src/expr/log.c | 2 +- + src/expr/lookup.c | 2 +- + src/expr/masq.c | 2 +- + src/expr/match.c | 2 +- + src/expr/meta.c | 2 +- + src/expr/nat.c | 2 +- + src/expr/numgen.c | 2 +- + src/expr/objref.c | 2 +- + src/expr/osf.c | 2 +- + src/expr/payload.c | 2 +- + src/expr/queue.c | 2 +- + src/expr/quota.c | 2 +- + src/expr/range.c | 2 +- + src/expr/redir.c | 2 +- + src/expr/reject.c | 2 +- + src/expr/rt.c | 2 +- + src/expr/socket.c | 2 +- + src/expr/synproxy.c | 2 +- + src/expr/target.c | 2 +- + src/expr/tproxy.c | 2 +- + src/expr/tunnel.c | 2 +- + src/expr/xfrm.c | 2 +- + 41 files changed, 79 insertions(+), 40 deletions(-) + +diff --git a/include/expr_ops.h b/include/expr_ops.h +index a7d747a..51b2214 100644 +--- a/include/expr_ops.h ++++ b/include/expr_ops.h +@@ -11,7 +11,7 @@ struct nftnl_expr; + struct expr_ops { + const char *name; + uint32_t alloc_len; +- int max_attr; ++ int nftnl_max_attr; + void (*init)(const struct nftnl_expr *e); + void (*free)(const struct nftnl_expr *e); + int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len); +diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h +index 9873228..fba1210 100644 +--- a/include/libnftnl/expr.h ++++ b/include/libnftnl/expr.h +@@ -56,6 +56,7 @@ enum { + NFTNL_EXPR_PAYLOAD_CSUM_TYPE, + NFTNL_EXPR_PAYLOAD_CSUM_OFFSET, + NFTNL_EXPR_PAYLOAD_FLAGS, ++ 
__NFTNL_EXPR_PAYLOAD_MAX + }; + + enum { +@@ -65,34 +66,40 @@ enum { + NFTNL_EXPR_NG_OFFSET, + NFTNL_EXPR_NG_SET_NAME, /* deprecated */ + NFTNL_EXPR_NG_SET_ID, /* deprecated */ ++ __NFTNL_EXPR_NG_MAX + }; + + enum { + NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE, + NFTNL_EXPR_META_DREG, + NFTNL_EXPR_META_SREG, ++ __NFTNL_EXPR_META_MAX + }; + + enum { + NFTNL_EXPR_RT_KEY = NFTNL_EXPR_BASE, + NFTNL_EXPR_RT_DREG, ++ __NFTNL_EXPR_RT_MAX + }; + + enum { + NFTNL_EXPR_SOCKET_KEY = NFTNL_EXPR_BASE, + NFTNL_EXPR_SOCKET_DREG, + NFTNL_EXPR_SOCKET_LEVEL, ++ __NFTNL_EXPR_SOCKET_MAX + }; + + enum { + NFTNL_EXPR_TUNNEL_KEY = NFTNL_EXPR_BASE, + NFTNL_EXPR_TUNNEL_DREG, ++ __NFTNL_EXPR_TUNNEL_MAX + }; + + enum { + NFTNL_EXPR_CMP_SREG = NFTNL_EXPR_BASE, + NFTNL_EXPR_CMP_OP, + NFTNL_EXPR_CMP_DATA, ++ __NFTNL_EXPR_CMP_MAX + }; + + enum { +@@ -100,6 +107,7 @@ enum { + NFTNL_EXPR_RANGE_OP, + NFTNL_EXPR_RANGE_FROM_DATA, + NFTNL_EXPR_RANGE_TO_DATA, ++ __NFTNL_EXPR_RANGE_MAX + }; + + enum { +@@ -108,16 +116,19 @@ enum { + NFTNL_EXPR_IMM_VERDICT, + NFTNL_EXPR_IMM_CHAIN, + NFTNL_EXPR_IMM_CHAIN_ID, ++ __NFTNL_EXPR_IMM_MAX + }; + + enum { + NFTNL_EXPR_CTR_PACKETS = NFTNL_EXPR_BASE, + NFTNL_EXPR_CTR_BYTES, ++ __NFTNL_EXPR_CTR_MAX + }; + + enum { + NFTNL_EXPR_CONNLIMIT_COUNT = NFTNL_EXPR_BASE, + NFTNL_EXPR_CONNLIMIT_FLAGS, ++ __NFTNL_EXPR_CONNLIMIT_MAX + }; + + enum { +@@ -128,18 +139,21 @@ enum { + NFTNL_EXPR_BITWISE_XOR, + NFTNL_EXPR_BITWISE_OP, + NFTNL_EXPR_BITWISE_DATA, ++ __NFTNL_EXPR_BITWISE_MAX + }; + + enum { + NFTNL_EXPR_TG_NAME = NFTNL_EXPR_BASE, + NFTNL_EXPR_TG_REV, + NFTNL_EXPR_TG_INFO, ++ __NFTNL_EXPR_TG_MAX + }; + + enum { + NFTNL_EXPR_MT_NAME = NFTNL_EXPR_BASE, + NFTNL_EXPR_MT_REV, + NFTNL_EXPR_MT_INFO, ++ __NFTNL_EXPR_MT_MAX + }; + + enum { +@@ -150,12 +164,14 @@ enum { + NFTNL_EXPR_NAT_REG_PROTO_MIN, + NFTNL_EXPR_NAT_REG_PROTO_MAX, + NFTNL_EXPR_NAT_FLAGS, ++ __NFTNL_EXPR_NAT_MAX + }; + + enum { + NFTNL_EXPR_TPROXY_FAMILY = NFTNL_EXPR_BASE, + NFTNL_EXPR_TPROXY_REG_ADDR, + 
NFTNL_EXPR_TPROXY_REG_PORT, ++ __NFTNL_EXPR_TPROXY_MAX + }; + + enum { +@@ -164,6 +180,7 @@ enum { + NFTNL_EXPR_LOOKUP_SET, + NFTNL_EXPR_LOOKUP_SET_ID, + NFTNL_EXPR_LOOKUP_FLAGS, ++ __NFTNL_EXPR_LOOKUP_MAX + }; + + enum { +@@ -176,6 +193,7 @@ enum { + NFTNL_EXPR_DYNSET_EXPR, + NFTNL_EXPR_DYNSET_EXPRESSIONS, + NFTNL_EXPR_DYNSET_FLAGS, ++ __NFTNL_EXPR_DYNSET_MAX + }; + + enum { +@@ -185,6 +203,7 @@ enum { + NFTNL_EXPR_LOG_QTHRESHOLD, + NFTNL_EXPR_LOG_LEVEL, + NFTNL_EXPR_LOG_FLAGS, ++ __NFTNL_EXPR_LOG_MAX + }; + + enum { +@@ -195,6 +214,7 @@ enum { + NFTNL_EXPR_EXTHDR_FLAGS, + NFTNL_EXPR_EXTHDR_OP, + NFTNL_EXPR_EXTHDR_SREG, ++ __NFTNL_EXPR_EXTHDR_MAX + }; + + enum { +@@ -202,6 +222,7 @@ enum { + NFTNL_EXPR_CT_KEY, + NFTNL_EXPR_CT_DIR, + NFTNL_EXPR_CT_SREG, ++ __NFTNL_EXPR_CT_MAX + }; + + enum { +@@ -210,6 +231,7 @@ enum { + NFTNL_EXPR_BYTEORDER_OP, + NFTNL_EXPR_BYTEORDER_LEN, + NFTNL_EXPR_BYTEORDER_SIZE, ++ __NFTNL_EXPR_BYTEORDER_MAX + }; + + enum { +@@ -218,11 +240,13 @@ enum { + NFTNL_EXPR_LIMIT_BURST, + NFTNL_EXPR_LIMIT_TYPE, + NFTNL_EXPR_LIMIT_FLAGS, ++ __NFTNL_EXPR_LIMIT_MAX + }; + + enum { + NFTNL_EXPR_REJECT_TYPE = NFTNL_EXPR_BASE, + NFTNL_EXPR_REJECT_CODE, ++ __NFTNL_EXPR_REJECT_MAX + }; + + enum { +@@ -230,39 +254,46 @@ enum { + NFTNL_EXPR_QUEUE_TOTAL, + NFTNL_EXPR_QUEUE_FLAGS, + NFTNL_EXPR_QUEUE_SREG_QNUM, ++ __NFTNL_EXPR_QUEUE_MAX + }; + + enum { + NFTNL_EXPR_QUOTA_BYTES = NFTNL_EXPR_BASE, + NFTNL_EXPR_QUOTA_FLAGS, + NFTNL_EXPR_QUOTA_CONSUMED, ++ __NFTNL_EXPR_QUOTA_MAX + }; + + enum { + NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE, + NFTNL_EXPR_MASQ_REG_PROTO_MIN, + NFTNL_EXPR_MASQ_REG_PROTO_MAX, ++ __NFTNL_EXPR_MASQ_MAX + }; + + enum { + NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE, + NFTNL_EXPR_REDIR_REG_PROTO_MAX, + NFTNL_EXPR_REDIR_FLAGS, ++ __NFTNL_EXPR_REDIR_MAX + }; + + enum { + NFTNL_EXPR_DUP_SREG_ADDR = NFTNL_EXPR_BASE, + NFTNL_EXPR_DUP_SREG_DEV, ++ __NFTNL_EXPR_DUP_MAX + }; + + enum { + NFTNL_EXPR_FLOW_TABLE_NAME = NFTNL_EXPR_BASE, ++ 
__NFTNL_EXPR_FLOW_MAX + }; + + enum { + NFTNL_EXPR_FWD_SREG_DEV = NFTNL_EXPR_BASE, + NFTNL_EXPR_FWD_SREG_ADDR, + NFTNL_EXPR_FWD_NFPROTO, ++ __NFTNL_EXPR_FWD_MAX + }; + + enum { +@@ -275,12 +306,14 @@ enum { + NFTNL_EXPR_HASH_TYPE, + NFTNL_EXPR_HASH_SET_NAME, /* deprecated */ + NFTNL_EXPR_HASH_SET_ID, /* deprecated */ ++ __NFTNL_EXPR_HASH_MAX + }; + + enum { + NFTNL_EXPR_FIB_DREG = NFTNL_EXPR_BASE, + NFTNL_EXPR_FIB_RESULT, + NFTNL_EXPR_FIB_FLAGS, ++ __NFTNL_EXPR_FIB_MAX + }; + + enum { +@@ -289,12 +322,14 @@ enum { + NFTNL_EXPR_OBJREF_SET_SREG, + NFTNL_EXPR_OBJREF_SET_NAME, + NFTNL_EXPR_OBJREF_SET_ID, ++ __NFTNL_EXPR_OBJREF_MAX + }; + + enum { + NFTNL_EXPR_OSF_DREG = NFTNL_EXPR_BASE, + NFTNL_EXPR_OSF_TTL, + NFTNL_EXPR_OSF_FLAGS, ++ __NFTNL_EXPR_OSF_MAX + }; + + enum { +@@ -303,17 +338,20 @@ enum { + NFTNL_EXPR_XFRM_KEY, + NFTNL_EXPR_XFRM_DIR, + NFTNL_EXPR_XFRM_SPNUM, ++ __NFTNL_EXPR_XFRM_MAX + }; + + enum { + NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE, + NFTNL_EXPR_SYNPROXY_WSCALE, + NFTNL_EXPR_SYNPROXY_FLAGS, ++ __NFTNL_EXPR_SYNPROXY_MAX + }; + + enum { + NFTNL_EXPR_LAST_MSECS = NFTNL_EXPR_BASE, + NFTNL_EXPR_LAST_SET, ++ __NFTNL_EXPR_LAST_MAX + }; + + enum { +@@ -321,6 +359,7 @@ enum { + NFTNL_EXPR_INNER_FLAGS, + NFTNL_EXPR_INNER_HDRSIZE, + NFTNL_EXPR_INNER_EXPR, ++ __NFTNL_EXPR_INNER_MAX + }; + + #ifdef __cplusplus +diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c +index e5dba82..69efe1d 100644 +--- a/src/expr/bitwise.c ++++ b/src/expr/bitwise.c +@@ -271,7 +271,7 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size, + struct expr_ops expr_ops_bitwise = { + .name = "bitwise", + .alloc_len = sizeof(struct nftnl_expr_bitwise), +- .max_attr = NFTA_BITWISE_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1, + .set = nftnl_expr_bitwise_set, + .get = nftnl_expr_bitwise_get, + .parse = nftnl_expr_bitwise_parse, +diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c +index 89ed0a8..f05ae59 100644 +--- a/src/expr/byteorder.c ++++ b/src/expr/byteorder.c +@@ -215,7 
+215,7 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_byteorder = { + .name = "byteorder", + .alloc_len = sizeof(struct nftnl_expr_byteorder), +- .max_attr = NFTA_BYTEORDER_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1, + .set = nftnl_expr_byteorder_set, + .get = nftnl_expr_byteorder_get, + .parse = nftnl_expr_byteorder_parse, +diff --git a/src/expr/cmp.c b/src/expr/cmp.c +index 1d396e8..40431fa 100644 +--- a/src/expr/cmp.c ++++ b/src/expr/cmp.c +@@ -195,7 +195,7 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_cmp = { + .name = "cmp", + .alloc_len = sizeof(struct nftnl_expr_cmp), +- .max_attr = NFTA_CMP_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1, + .set = nftnl_expr_cmp_set, + .get = nftnl_expr_cmp_get, + .parse = nftnl_expr_cmp_parse, +diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c +index 549417b..3b6c36c 100644 +--- a/src/expr/connlimit.c ++++ b/src/expr/connlimit.c +@@ -130,7 +130,7 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_connlimit = { + .name = "connlimit", + .alloc_len = sizeof(struct nftnl_expr_connlimit), +- .max_attr = NFTA_CONNLIMIT_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1, + .set = nftnl_expr_connlimit_set, + .get = nftnl_expr_connlimit_get, + .parse = nftnl_expr_connlimit_parse, +diff --git a/src/expr/counter.c b/src/expr/counter.c +index d139a5f..0595d50 100644 +--- a/src/expr/counter.c ++++ b/src/expr/counter.c +@@ -128,7 +128,7 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_counter = { + .name = "counter", + .alloc_len = sizeof(struct nftnl_expr_counter), +- .max_attr = NFTA_COUNTER_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1, + .set = nftnl_expr_counter_set, + .get = nftnl_expr_counter_get, + .parse = nftnl_expr_counter_parse, +diff --git a/src/expr/ct.c b/src/expr/ct.c +index f4a2aea..36b61fd 100644 +--- a/src/expr/ct.c ++++ 
b/src/expr/ct.c +@@ -253,7 +253,7 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_ct = { + .name = "ct", + .alloc_len = sizeof(struct nftnl_expr_ct), +- .max_attr = NFTA_CT_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1, + .set = nftnl_expr_ct_set, + .get = nftnl_expr_ct_get, + .parse = nftnl_expr_ct_parse, +diff --git a/src/expr/dup.c b/src/expr/dup.c +index a239ff3..33731cc 100644 +--- a/src/expr/dup.c ++++ b/src/expr/dup.c +@@ -133,7 +133,7 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_dup = { + .name = "dup", + .alloc_len = sizeof(struct nftnl_expr_dup), +- .max_attr = NFTA_DUP_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1, + .set = nftnl_expr_dup_set, + .get = nftnl_expr_dup_get, + .parse = nftnl_expr_dup_parse, +diff --git a/src/expr/dynset.c b/src/expr/dynset.c +index 5bcf1c6..ee6ce1e 100644 +--- a/src/expr/dynset.c ++++ b/src/expr/dynset.c +@@ -366,7 +366,7 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_dynset = { + .name = "dynset", + .alloc_len = sizeof(struct nftnl_expr_dynset), +- .max_attr = NFTA_DYNSET_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1, + .init = nftnl_expr_dynset_init, + .free = nftnl_expr_dynset_free, + .set = nftnl_expr_dynset_set, +diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c +index 739c7ff..a1227a6 100644 +--- a/src/expr/exthdr.c ++++ b/src/expr/exthdr.c +@@ -262,7 +262,7 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_exthdr = { + .name = "exthdr", + .alloc_len = sizeof(struct nftnl_expr_exthdr), +- .max_attr = NFTA_EXTHDR_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1, + .set = nftnl_expr_exthdr_set, + .get = nftnl_expr_exthdr_get, + .parse = nftnl_expr_exthdr_parse, +diff --git a/src/expr/fib.c b/src/expr/fib.c +index 957f929..36637bd 100644 +--- a/src/expr/fib.c ++++ b/src/expr/fib.c +@@ -193,7 +193,7 @@ nftnl_expr_fib_snprintf(char *buf, size_t 
remain, + struct expr_ops expr_ops_fib = { + .name = "fib", + .alloc_len = sizeof(struct nftnl_expr_fib), +- .max_attr = NFTA_FIB_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1, + .set = nftnl_expr_fib_set, + .get = nftnl_expr_fib_get, + .parse = nftnl_expr_fib_parse, +diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c +index 4fc0563..f604712 100644 +--- a/src/expr/flow_offload.c ++++ b/src/expr/flow_offload.c +@@ -114,7 +114,7 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_flow = { + .name = "flow_offload", + .alloc_len = sizeof(struct nftnl_expr_flow), +- .max_attr = NFTA_FLOW_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1, + .free = nftnl_expr_flow_free, + .set = nftnl_expr_flow_set, + .get = nftnl_expr_flow_get, +diff --git a/src/expr/fwd.c b/src/expr/fwd.c +index 51f6612..3aaf328 100644 +--- a/src/expr/fwd.c ++++ b/src/expr/fwd.c +@@ -153,7 +153,7 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_fwd = { + .name = "fwd", + .alloc_len = sizeof(struct nftnl_expr_fwd), +- .max_attr = NFTA_FWD_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1, + .set = nftnl_expr_fwd_set, + .get = nftnl_expr_fwd_get, + .parse = nftnl_expr_fwd_parse, +diff --git a/src/expr/hash.c b/src/expr/hash.c +index 6e2dd19..1fc72ec 100644 +--- a/src/expr/hash.c ++++ b/src/expr/hash.c +@@ -221,7 +221,7 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_hash = { + .name = "hash", + .alloc_len = sizeof(struct nftnl_expr_hash), +- .max_attr = NFTA_HASH_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1, + .set = nftnl_expr_hash_set, + .get = nftnl_expr_hash_get, + .parse = nftnl_expr_hash_parse, +diff --git a/src/expr/immediate.c b/src/expr/immediate.c +index f56aa8f..d60ca32 100644 +--- a/src/expr/immediate.c ++++ b/src/expr/immediate.c +@@ -221,7 +221,7 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_immediate = 
{ + .name = "immediate", + .alloc_len = sizeof(struct nftnl_expr_immediate), +- .max_attr = NFTA_IMMEDIATE_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1, + .free = nftnl_expr_immediate_free, + .set = nftnl_expr_immediate_set, + .get = nftnl_expr_immediate_get, +diff --git a/src/expr/inner.c b/src/expr/inner.c +index 7daae4f..cb6f607 100644 +--- a/src/expr/inner.c ++++ b/src/expr/inner.c +@@ -204,7 +204,7 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags, + struct expr_ops expr_ops_inner = { + .name = "inner", + .alloc_len = sizeof(struct nftnl_expr_inner), +- .max_attr = NFTA_INNER_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1, + .free = nftnl_expr_inner_free, + .set = nftnl_expr_inner_set, + .get = nftnl_expr_inner_get, +diff --git a/src/expr/last.c b/src/expr/last.c +index 641b713..273aaa1 100644 +--- a/src/expr/last.c ++++ b/src/expr/last.c +@@ -129,7 +129,7 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_last = { + .name = "last", + .alloc_len = sizeof(struct nftnl_expr_last), +- .max_attr = NFTA_LAST_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1, + .set = nftnl_expr_last_set, + .get = nftnl_expr_last_get, + .parse = nftnl_expr_last_parse, +diff --git a/src/expr/limit.c b/src/expr/limit.c +index 1870e0e..a1f9eac 100644 +--- a/src/expr/limit.c ++++ b/src/expr/limit.c +@@ -197,7 +197,7 @@ nftnl_expr_limit_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_limit = { + .name = "limit", + .alloc_len = sizeof(struct nftnl_expr_limit), +- .max_attr = NFTA_LIMIT_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1, + .set = nftnl_expr_limit_set, + .get = nftnl_expr_limit_get, + .parse = nftnl_expr_limit_parse, +diff --git a/src/expr/log.c b/src/expr/log.c +index 180d839..6df030d 100644 +--- a/src/expr/log.c ++++ b/src/expr/log.c +@@ -247,7 +247,7 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_log = { + .name = "log", + .alloc_len = 
sizeof(struct nftnl_expr_log), +- .max_attr = NFTA_LOG_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1, + .free = nftnl_expr_log_free, + .set = nftnl_expr_log_set, + .get = nftnl_expr_log_get, +diff --git a/src/expr/lookup.c b/src/expr/lookup.c +index a06c338..8b23081 100644 +--- a/src/expr/lookup.c ++++ b/src/expr/lookup.c +@@ -200,7 +200,7 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_lookup = { + .name = "lookup", + .alloc_len = sizeof(struct nftnl_expr_lookup), +- .max_attr = NFTA_LOOKUP_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1, + .free = nftnl_expr_lookup_free, + .set = nftnl_expr_lookup_set, + .get = nftnl_expr_lookup_get, +diff --git a/src/expr/masq.c b/src/expr/masq.c +index e6e528d..a103cc3 100644 +--- a/src/expr/masq.c ++++ b/src/expr/masq.c +@@ -158,7 +158,7 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_masq = { + .name = "masq", + .alloc_len = sizeof(struct nftnl_expr_masq), +- .max_attr = NFTA_MASQ_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1, + .set = nftnl_expr_masq_set, + .get = nftnl_expr_masq_get, + .parse = nftnl_expr_masq_parse, +diff --git a/src/expr/match.c b/src/expr/match.c +index f472add..eed85db 100644 +--- a/src/expr/match.c ++++ b/src/expr/match.c +@@ -183,7 +183,7 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_match = { + .name = "match", + .alloc_len = sizeof(struct nftnl_expr_match), +- .max_attr = NFTA_MATCH_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1, + .free = nftnl_expr_match_free, + .set = nftnl_expr_match_set, + .get = nftnl_expr_match_get, +diff --git a/src/expr/meta.c b/src/expr/meta.c +index 183f441..f86fdff 100644 +--- a/src/expr/meta.c ++++ b/src/expr/meta.c +@@ -212,7 +212,7 @@ nftnl_expr_meta_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_meta = { + .name = "meta", + .alloc_len = sizeof(struct nftnl_expr_meta), +- .max_attr = NFTA_META_MAX, ++ 
.nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1, + .set = nftnl_expr_meta_set, + .get = nftnl_expr_meta_get, + .parse = nftnl_expr_meta_parse, +diff --git a/src/expr/nat.c b/src/expr/nat.c +index ca727be..1d10bc1 100644 +--- a/src/expr/nat.c ++++ b/src/expr/nat.c +@@ -269,7 +269,7 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_nat = { + .name = "nat", + .alloc_len = sizeof(struct nftnl_expr_nat), +- .max_attr = NFTA_NAT_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1, + .set = nftnl_expr_nat_set, + .get = nftnl_expr_nat_get, + .parse = nftnl_expr_nat_parse, +diff --git a/src/expr/numgen.c b/src/expr/numgen.c +index d4020a6..3e83e05 100644 +--- a/src/expr/numgen.c ++++ b/src/expr/numgen.c +@@ -175,7 +175,7 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_ng = { + .name = "numgen", + .alloc_len = sizeof(struct nftnl_expr_ng), +- .max_attr = NFTA_NG_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1, + .set = nftnl_expr_ng_set, + .get = nftnl_expr_ng_get, + .parse = nftnl_expr_ng_parse, +diff --git a/src/expr/objref.c b/src/expr/objref.c +index ad0688f..e96bd69 100644 +--- a/src/expr/objref.c ++++ b/src/expr/objref.c +@@ -199,7 +199,7 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_objref = { + .name = "objref", + .alloc_len = sizeof(struct nftnl_expr_objref), +- .max_attr = NFTA_OBJREF_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1, + .free = nftnl_expr_objref_free, + .set = nftnl_expr_objref_set, + .get = nftnl_expr_objref_get, +diff --git a/src/expr/osf.c b/src/expr/osf.c +index f15a722..3838af7 100644 +--- a/src/expr/osf.c ++++ b/src/expr/osf.c +@@ -142,7 +142,7 @@ nftnl_expr_osf_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_osf = { + .name = "osf", + .alloc_len = sizeof(struct nftnl_expr_osf), +- .max_attr = NFTA_OSF_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1, + .set = nftnl_expr_osf_set, + .get = nftnl_expr_osf_get, + .parse = 
nftnl_expr_osf_parse, +diff --git a/src/expr/payload.c b/src/expr/payload.c +index c633e33..f603662 100644 +--- a/src/expr/payload.c ++++ b/src/expr/payload.c +@@ -241,7 +241,7 @@ nftnl_expr_payload_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_payload = { + .name = "payload", + .alloc_len = sizeof(struct nftnl_expr_payload), +- .max_attr = NFTA_PAYLOAD_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1, + .set = nftnl_expr_payload_set, + .get = nftnl_expr_payload_get, + .parse = nftnl_expr_payload_parse, +diff --git a/src/expr/queue.c b/src/expr/queue.c +index de287f2..fba65d1 100644 +--- a/src/expr/queue.c ++++ b/src/expr/queue.c +@@ -188,7 +188,7 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_queue = { + .name = "queue", + .alloc_len = sizeof(struct nftnl_expr_queue), +- .max_attr = NFTA_QUEUE_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1, + .set = nftnl_expr_queue_set, + .get = nftnl_expr_queue_get, + .parse = nftnl_expr_queue_parse, +diff --git a/src/expr/quota.c b/src/expr/quota.c +index 835729c..d3923f3 100644 +--- a/src/expr/quota.c ++++ b/src/expr/quota.c +@@ -142,7 +142,7 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_quota = { + .name = "quota", + .alloc_len = sizeof(struct nftnl_expr_quota), +- .max_attr = NFTA_QUOTA_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1, + .set = nftnl_expr_quota_set, + .get = nftnl_expr_quota_get, + .parse = nftnl_expr_quota_parse, +diff --git a/src/expr/range.c b/src/expr/range.c +index 5a30e48..cb3708c 100644 +--- a/src/expr/range.c ++++ b/src/expr/range.c +@@ -204,7 +204,7 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_range = { + .name = "range", + .alloc_len = sizeof(struct nftnl_expr_range), +- .max_attr = NFTA_RANGE_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1, + .set = nftnl_expr_range_set, + .get = nftnl_expr_range_get, + .parse = nftnl_expr_range_parse, 
+diff --git a/src/expr/redir.c b/src/expr/redir.c +index 87c2acc..eca8bfe 100644 +--- a/src/expr/redir.c ++++ b/src/expr/redir.c +@@ -162,7 +162,7 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_redir = { + .name = "redir", + .alloc_len = sizeof(struct nftnl_expr_redir), +- .max_attr = NFTA_REDIR_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1, + .set = nftnl_expr_redir_set, + .get = nftnl_expr_redir_get, + .parse = nftnl_expr_redir_parse, +diff --git a/src/expr/reject.c b/src/expr/reject.c +index c7c9441..6b923ad 100644 +--- a/src/expr/reject.c ++++ b/src/expr/reject.c +@@ -129,7 +129,7 @@ nftnl_expr_reject_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_reject = { + .name = "reject", + .alloc_len = sizeof(struct nftnl_expr_reject), +- .max_attr = NFTA_REJECT_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1, + .set = nftnl_expr_reject_set, + .get = nftnl_expr_reject_get, + .parse = nftnl_expr_reject_parse, +diff --git a/src/expr/rt.c b/src/expr/rt.c +index 695a658..aaec430 100644 +--- a/src/expr/rt.c ++++ b/src/expr/rt.c +@@ -157,7 +157,7 @@ nftnl_expr_rt_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_rt = { + .name = "rt", + .alloc_len = sizeof(struct nftnl_expr_rt), +- .max_attr = NFTA_RT_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1, + .set = nftnl_expr_rt_set, + .get = nftnl_expr_rt_get, + .parse = nftnl_expr_rt_parse, +diff --git a/src/expr/socket.c b/src/expr/socket.c +index 83045c0..ef299c4 100644 +--- a/src/expr/socket.c ++++ b/src/expr/socket.c +@@ -160,7 +160,7 @@ nftnl_expr_socket_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_socket = { + .name = "socket", + .alloc_len = sizeof(struct nftnl_expr_socket), +- .max_attr = NFTA_SOCKET_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1, + .set = nftnl_expr_socket_set, + .get = nftnl_expr_socket_get, + .parse = nftnl_expr_socket_parse, +diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c +index 47fcaef..dc25962 100644 
+--- a/src/expr/synproxy.c ++++ b/src/expr/synproxy.c +@@ -147,7 +147,7 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_synproxy = { + .name = "synproxy", + .alloc_len = sizeof(struct nftnl_expr_synproxy), +- .max_attr = NFTA_SYNPROXY_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1, + .set = nftnl_expr_synproxy_set, + .get = nftnl_expr_synproxy_get, + .parse = nftnl_expr_synproxy_parse, +diff --git a/src/expr/target.c b/src/expr/target.c +index 2a3fe8a..ebc48ba 100644 +--- a/src/expr/target.c ++++ b/src/expr/target.c +@@ -183,7 +183,7 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e) + struct expr_ops expr_ops_target = { + .name = "target", + .alloc_len = sizeof(struct nftnl_expr_target), +- .max_attr = NFTA_TARGET_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1, + .free = nftnl_expr_target_free, + .set = nftnl_expr_target_set, + .get = nftnl_expr_target_get, +diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c +index bd5ffbf..ac5419b 100644 +--- a/src/expr/tproxy.c ++++ b/src/expr/tproxy.c +@@ -165,7 +165,7 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_tproxy = { + .name = "tproxy", + .alloc_len = sizeof(struct nftnl_expr_tproxy), +- .max_attr = NFTA_TPROXY_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1, + .set = nftnl_expr_tproxy_set, + .get = nftnl_expr_tproxy_get, + .parse = nftnl_expr_tproxy_parse, +diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c +index a00f620..e381994 100644 +--- a/src/expr/tunnel.c ++++ b/src/expr/tunnel.c +@@ -140,7 +140,7 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len, + struct expr_ops expr_ops_tunnel = { + .name = "tunnel", + .alloc_len = sizeof(struct nftnl_expr_tunnel), +- .max_attr = NFTA_TUNNEL_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1, + .set = nftnl_expr_tunnel_set, + .get = nftnl_expr_tunnel_get, + .parse = nftnl_expr_tunnel_parse, +diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c +index 2db00d5..3f4cb0a 100644 
+--- a/src/expr/xfrm.c ++++ b/src/expr/xfrm.c +@@ -191,7 +191,7 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain, + struct expr_ops expr_ops_xfrm = { + .name = "xfrm", + .alloc_len = sizeof(struct nftnl_expr_xfrm), +- .max_attr = NFTA_XFRM_MAX, ++ .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1, + .set = nftnl_expr_xfrm_set, + .get = nftnl_expr_xfrm_get, + .parse = nftnl_expr_xfrm_parse, diff --git a/SOURCES/0008-expr-Call-expr_ops-set-with-legal-types-only.patch b/SOURCES/0008-expr-Call-expr_ops-set-with-legal-types-only.patch new file mode 100644 index 0000000..7634cd1 --- /dev/null +++ b/SOURCES/0008-expr-Call-expr_ops-set-with-legal-types-only.patch @@ -0,0 +1,503 @@ +From 3d5814d5b0a9344327509c9e3aa47ee067fe8a4d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] expr: Call expr_ops::set with legal types only + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 5029136028bff1747860ed770994b8f494c042fc + +commit 5029136028bff1747860ed770994b8f494c042fc +Author: Phil Sutter +Date: Wed Dec 13 23:49:53 2023 +0100 + + expr: Call expr_ops::set with legal types only + + Having the new expr_ops::nftnl_max_attr field in place, the valid range + of attribute type values is known now. Reject illegal ones upfront. + + Consequently drop the default case from callbacks' switches which handle + all supported attributes. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/expr.c | 3 +++ + src/expr/bitwise.c | 2 -- + src/expr/byteorder.c | 2 -- + src/expr/cmp.c | 2 -- + src/expr/connlimit.c | 2 -- + src/expr/counter.c | 2 -- + src/expr/ct.c | 2 -- + src/expr/dup.c | 2 -- + src/expr/exthdr.c | 2 -- + src/expr/fib.c | 2 -- + src/expr/flow_offload.c | 2 -- + src/expr/fwd.c | 2 -- + src/expr/immediate.c | 2 -- + src/expr/inner.c | 2 -- + src/expr/last.c | 2 -- + src/expr/limit.c | 2 -- + src/expr/log.c | 2 -- + src/expr/lookup.c | 2 -- + src/expr/masq.c | 2 -- + src/expr/match.c | 2 -- + src/expr/meta.c | 2 -- + src/expr/nat.c | 2 -- + src/expr/objref.c | 2 -- + src/expr/payload.c | 2 -- + src/expr/queue.c | 2 -- + src/expr/quota.c | 2 -- + src/expr/range.c | 2 -- + src/expr/redir.c | 2 -- + src/expr/reject.c | 2 -- + src/expr/rt.c | 2 -- + src/expr/socket.c | 2 -- + src/expr/target.c | 2 -- + src/expr/tproxy.c | 2 -- + src/expr/tunnel.c | 2 -- + 34 files changed, 3 insertions(+), 66 deletions(-) + +diff --git a/src/expr.c b/src/expr.c +index b4581f1..74d211b 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -71,6 +71,9 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, + case NFTNL_EXPR_NAME: /* cannot be modified */ + return 0; + default: ++ if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr) ++ return -1; ++ + if (expr->ops->set(expr, type, data, data_len) < 0) + return -1; + } +diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c +index 69efe1d..e219d49 100644 +--- a/src/expr/bitwise.c ++++ b/src/expr/bitwise.c +@@ -56,8 +56,6 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type, + return nftnl_data_cpy(&bitwise->xor, data, data_len); + case NFTNL_EXPR_BITWISE_DATA: + return nftnl_data_cpy(&bitwise->data, data, data_len); +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c +index f05ae59..8c7661f 100644 +--- a/src/expr/byteorder.c ++++ b/src/expr/byteorder.c +@@ -51,8 +51,6 @@ 
nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_BYTEORDER_SIZE: + memcpy(&byteorder->size, data, sizeof(byteorder->size)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/cmp.c b/src/expr/cmp.c +index 40431fa..fe6f599 100644 +--- a/src/expr/cmp.c ++++ b/src/expr/cmp.c +@@ -43,8 +43,6 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type, + break; + case NFTNL_EXPR_CMP_DATA: + return nftnl_data_cpy(&cmp->data, data, data_len); +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c +index 3b6c36c..90613f2 100644 +--- a/src/expr/connlimit.c ++++ b/src/expr/connlimit.c +@@ -38,8 +38,6 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_CONNLIMIT_FLAGS: + memcpy(&connlimit->flags, data, sizeof(connlimit->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/counter.c b/src/expr/counter.c +index 0595d50..a003e24 100644 +--- a/src/expr/counter.c ++++ b/src/expr/counter.c +@@ -40,8 +40,6 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_CTR_PACKETS: + memcpy(&ctr->pkts, data, sizeof(ctr->pkts)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/ct.c b/src/expr/ct.c +index 36b61fd..197454e 100644 +--- a/src/expr/ct.c ++++ b/src/expr/ct.c +@@ -50,8 +50,6 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_CT_SREG: + memcpy(&ct->sreg, data, sizeof(ct->sreg)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/dup.c b/src/expr/dup.c +index 33731cc..20100ab 100644 +--- a/src/expr/dup.c ++++ b/src/expr/dup.c +@@ -37,8 +37,6 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_DUP_SREG_DEV: + memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c +index 
a1227a6..77ff7db 100644 +--- a/src/expr/exthdr.c ++++ b/src/expr/exthdr.c +@@ -66,8 +66,6 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_EXTHDR_SREG: + memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/fib.c b/src/expr/fib.c +index 36637bd..5d2303f 100644 +--- a/src/expr/fib.c ++++ b/src/expr/fib.c +@@ -43,8 +43,6 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result, + case NFTNL_EXPR_FIB_FLAGS: + memcpy(&fib->flags, data, sizeof(fib->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c +index f604712..9ab068d 100644 +--- a/src/expr/flow_offload.c ++++ b/src/expr/flow_offload.c +@@ -25,8 +25,6 @@ static int nftnl_expr_flow_set(struct nftnl_expr *e, uint16_t type, + if (!flow->table_name) + return -1; + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/fwd.c b/src/expr/fwd.c +index 3aaf328..bd1b1d8 100644 +--- a/src/expr/fwd.c ++++ b/src/expr/fwd.c +@@ -41,8 +41,6 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_FWD_NFPROTO: + memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/immediate.c b/src/expr/immediate.c +index d60ca32..6ab8417 100644 +--- a/src/expr/immediate.c ++++ b/src/expr/immediate.c +@@ -51,8 +51,6 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_IMM_CHAIN_ID: + memcpy(&imm->data.chain_id, data, sizeof(uint32_t)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/inner.c b/src/expr/inner.c +index cb6f607..515f68d 100644 +--- a/src/expr/inner.c ++++ b/src/expr/inner.c +@@ -59,8 +59,6 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type, + + inner->expr = (void *)data; + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/last.c 
b/src/expr/last.c +index 273aaa1..8aa772c 100644 +--- a/src/expr/last.c ++++ b/src/expr/last.c +@@ -37,8 +37,6 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_LAST_SET: + memcpy(&last->set, data, sizeof(last->set)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/limit.c b/src/expr/limit.c +index a1f9eac..355d46a 100644 +--- a/src/expr/limit.c ++++ b/src/expr/limit.c +@@ -52,8 +52,6 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_LIMIT_FLAGS: + memcpy(&limit->flags, data, sizeof(limit->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/log.c b/src/expr/log.c +index 6df030d..868da61 100644 +--- a/src/expr/log.c ++++ b/src/expr/log.c +@@ -60,8 +60,6 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_LOG_FLAGS: + memcpy(&log->flags, data, sizeof(log->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/lookup.c b/src/expr/lookup.c +index 8b23081..ca58a38 100644 +--- a/src/expr/lookup.c ++++ b/src/expr/lookup.c +@@ -53,8 +53,6 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_LOOKUP_FLAGS: + memcpy(&lookup->flags, data, sizeof(lookup->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/masq.c b/src/expr/masq.c +index a103cc3..fa2f4af 100644 +--- a/src/expr/masq.c ++++ b/src/expr/masq.c +@@ -42,8 +42,6 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_MASQ_REG_PROTO_MAX: + memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/match.c b/src/expr/match.c +index eed85db..16e7367 100644 +--- a/src/expr/match.c ++++ b/src/expr/match.c +@@ -55,8 +55,6 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type, + mt->data = data; + mt->data_len = data_len; + break; +- default: +- return -1; 
+ } + return 0; + } +diff --git a/src/expr/meta.c b/src/expr/meta.c +index f86fdff..1db2c19 100644 +--- a/src/expr/meta.c ++++ b/src/expr/meta.c +@@ -47,8 +47,6 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_META_SREG: + memcpy(&meta->sreg, data, sizeof(meta->sreg)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/nat.c b/src/expr/nat.c +index 1d10bc1..724894a 100644 +--- a/src/expr/nat.c ++++ b/src/expr/nat.c +@@ -62,8 +62,6 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_NAT_FLAGS: + memcpy(&nat->flags, data, sizeof(nat->flags)); + break; +- default: +- return -1; + } + + return 0; +diff --git a/src/expr/objref.c b/src/expr/objref.c +index e96bd69..28cd2cc 100644 +--- a/src/expr/objref.c ++++ b/src/expr/objref.c +@@ -57,8 +57,6 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_OBJREF_SET_ID: + memcpy(&objref->set.id, data, sizeof(objref->set.id)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/payload.c b/src/expr/payload.c +index f603662..73cb188 100644 +--- a/src/expr/payload.c ++++ b/src/expr/payload.c +@@ -66,8 +66,6 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_PAYLOAD_FLAGS: + memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/queue.c b/src/expr/queue.c +index fba65d1..3343dd4 100644 +--- a/src/expr/queue.c ++++ b/src/expr/queue.c +@@ -45,8 +45,6 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_QUEUE_SREG_QNUM: + memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/quota.c b/src/expr/quota.c +index d3923f3..2a3a05a 100644 +--- a/src/expr/quota.c ++++ b/src/expr/quota.c +@@ -41,8 +41,6 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t 
type, + case NFTNL_EXPR_QUOTA_FLAGS: + memcpy("a->flags, data, sizeof(quota->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/range.c b/src/expr/range.c +index cb3708c..d0c52b9 100644 +--- a/src/expr/range.c ++++ b/src/expr/range.c +@@ -43,8 +43,6 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type, + return nftnl_data_cpy(&range->data_from, data, data_len); + case NFTNL_EXPR_RANGE_TO_DATA: + return nftnl_data_cpy(&range->data_to, data, data_len); +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/redir.c b/src/expr/redir.c +index eca8bfe..a5a5e7d 100644 +--- a/src/expr/redir.c ++++ b/src/expr/redir.c +@@ -42,8 +42,6 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_REDIR_FLAGS: + memcpy(&redir->flags, data, sizeof(redir->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/reject.c b/src/expr/reject.c +index 6b923ad..8a0653d 100644 +--- a/src/expr/reject.c ++++ b/src/expr/reject.c +@@ -38,8 +38,6 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_REJECT_CODE: + memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/rt.c b/src/expr/rt.c +index aaec430..de2bd2f 100644 +--- a/src/expr/rt.c ++++ b/src/expr/rt.c +@@ -37,8 +37,6 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_RT_DREG: + memcpy(&rt->dreg, data, sizeof(rt->dreg)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/socket.c b/src/expr/socket.c +index ef299c4..9b6c3ea 100644 +--- a/src/expr/socket.c ++++ b/src/expr/socket.c +@@ -41,8 +41,6 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_SOCKET_LEVEL: + memcpy(&socket->level, data, sizeof(socket->level)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/target.c b/src/expr/target.c 
+index ebc48ba..cc0566c 100644 +--- a/src/expr/target.c ++++ b/src/expr/target.c +@@ -55,8 +55,6 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type, + tg->data = data; + tg->data_len = data_len; + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c +index ac5419b..c6ed888 100644 +--- a/src/expr/tproxy.c ++++ b/src/expr/tproxy.c +@@ -42,8 +42,6 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_TPROXY_REG_PORT: + memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port)); + break; +- default: +- return -1; + } + + return 0; +diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c +index e381994..e59744b 100644 +--- a/src/expr/tunnel.c ++++ b/src/expr/tunnel.c +@@ -36,8 +36,6 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type, + case NFTNL_EXPR_TUNNEL_DREG: + memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg)); + break; +- default: +- return -1; + } + return 0; + } diff --git a/SOURCES/0009-include-Sync-nf_log.h-with-kernel-headers.patch b/SOURCES/0009-include-Sync-nf_log.h-with-kernel-headers.patch new file mode 100644 index 0000000..9eb8ded --- /dev/null +++ b/SOURCES/0009-include-Sync-nf_log.h-with-kernel-headers.patch @@ -0,0 +1,39 @@ +From 705845a613139dd1d02a587478d8b7e93f16eecf Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] include: Sync nf_log.h with kernel headers + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 9da7658c6e25b02f7eeef936835469f4174cbfec + +commit 9da7658c6e25b02f7eeef936835469f4174cbfec +Author: Phil Sutter +Date: Fri Dec 15 16:15:35 2023 +0100 + + include: Sync nf_log.h with kernel headers + + Next patch needs NF_LOG_PREFIXLEN define. + + 
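Review bot: Removing `default: return -1;` from every expr_ops::set callback in this patch (src/expr/bitwise.c through src/expr/tunnel.c) means an in-range attribute type that a callback's switch does not list now falls out of the switch and hits `return 0;`, so the setter reports success for an attribute it silently ignored where it previously reported failure. The new guard in src/expr.c only bounds `type` by `NFTNL_EXPR_BASE` and `expr->ops->nftnl_max_attr`; it is safe only if each callback handles every value in its enum, which is not visible here and is not compiler-enforced because `type` is a `uint16_t` rather than an enum, so `-Wswitch-enum` cannot catch a missing case. I would keep `default: return -1;` in the callbacks as defence in depth, or at least document the new contract on the src/expr.c check with `/* ops->set() is only reached with NFTNL_EXPR_BASE <= type <= ops->nftnl_max_attr; each callback must handle every value in that range */`. A zero-initialised `nftnl_max_attr` makes the guard reject every type, which fails closed and is the right default, but is worth a comment so a missing field is not mistaken for a bug in the callback. nftnl_expr_set's body begins and ends outside the src/expr.c hunk.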
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/linux/netfilter/nf_log.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h +index 8be21e0..2ae0093 100644 +--- a/include/linux/netfilter/nf_log.h ++++ b/include/linux/netfilter/nf_log.h +@@ -1,3 +1,4 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + #ifndef _NETFILTER_NF_LOG_H + #define _NETFILTER_NF_LOG_H + +@@ -9,4 +10,6 @@ + #define NF_LOG_MACDECODE 0x20 /* Decode MAC header */ + #define NF_LOG_MASK 0x2f + ++#define NF_LOG_PREFIXLEN 128 ++ + #endif /* _NETFILTER_NF_LOG_H */ diff --git a/SOURCES/0010-expr-Introduce-struct-expr_ops-attr_policy.patch b/SOURCES/0010-expr-Introduce-struct-expr_ops-attr_policy.patch new file mode 100644 index 0000000..d607580 --- /dev/null +++ b/SOURCES/0010-expr-Introduce-struct-expr_ops-attr_policy.patch @@ -0,0 +1,989 @@ +From 5a8aad9370b54e09411853c4022a072c9b36f189 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] expr: Introduce struct expr_ops::attr_policy + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit cdde5a8c5a8734f2d540a0ab52c32d41d4d18127 + +commit cdde5a8c5a8734f2d540a0ab52c32d41d4d18127 +Author: Phil Sutter +Date: Fri Dec 15 16:30:52 2023 +0100 + + expr: Introduce struct expr_ops::attr_policy + + Similar to kernel's nla_policy, enable expressions to inform about + restrictions on attribute use. This allows the generic expression code + to perform sanity checks before dispatching to expression ops. + + For now, this holds only the maximum data len which may be passed to + nftnl_expr_set(). + + While one may debate whether accepting e.g. uint32_t for sreg/dreg + attributes is correct, it is necessary to not break nftables. + + Note that this introduces artificial restrictions on name lengths which + were caught by the kernel (if nftables didn't). + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/expr_ops.h | 5 +++++ + src/expr/bitwise.c | 11 +++++++++++ + src/expr/byteorder.c | 9 +++++++++ + src/expr/cmp.c | 7 +++++++ + src/expr/connlimit.c | 6 ++++++ + src/expr/counter.c | 6 ++++++ + src/expr/ct.c | 8 ++++++++ + src/expr/dup.c | 6 ++++++ + src/expr/dynset.c | 13 +++++++++++++ + src/expr/exthdr.c | 11 +++++++++++ + src/expr/fib.c | 7 +++++++ + src/expr/flow_offload.c | 5 +++++ + src/expr/fwd.c | 7 +++++++ + src/expr/hash.c | 11 +++++++++++ + src/expr/immediate.c | 9 +++++++++ + src/expr/inner.c | 8 ++++++++ + src/expr/last.c | 6 ++++++ + src/expr/limit.c | 9 +++++++++ + src/expr/log.c | 10 ++++++++++ + src/expr/lookup.c | 9 +++++++++ + src/expr/masq.c | 7 +++++++ + src/expr/match.c | 7 +++++++ + src/expr/meta.c | 7 +++++++ + src/expr/nat.c | 11 +++++++++++ + src/expr/numgen.c | 8 ++++++++ + src/expr/objref.c | 9 +++++++++ + src/expr/osf.c | 7 +++++++ + src/expr/payload.c | 12 ++++++++++++ + src/expr/queue.c | 8 ++++++++ + src/expr/quota.c | 7 +++++++ + src/expr/range.c | 8 ++++++++ + src/expr/redir.c | 7 +++++++ + src/expr/reject.c | 6 ++++++ + src/expr/rt.c | 6 ++++++ + src/expr/socket.c | 7 +++++++ + src/expr/synproxy.c | 7 +++++++ + src/expr/target.c | 7 +++++++ + src/expr/tproxy.c | 7 +++++++ + src/expr/tunnel.c | 6 ++++++ + src/expr/xfrm.c | 9 +++++++++ + 40 files changed, 316 insertions(+) + +diff --git a/include/expr_ops.h b/include/expr_ops.h +index 51b2214..6cfb3b5 100644 +--- a/include/expr_ops.h ++++ b/include/expr_ops.h +@@ -8,10 +8,15 @@ struct nlattr; + struct nlmsghdr; + struct nftnl_expr; + ++struct attr_policy { ++ uint32_t maxlen; ++}; ++ + struct expr_ops { + const char *name; + uint32_t alloc_len; + int nftnl_max_attr; ++ struct attr_policy *attr_policy; + void (*init)(const struct nftnl_expr *e); + void (*free)(const struct nftnl_expr *e); + int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len); +diff --git a/src/expr/bitwise.c 
b/src/expr/bitwise.c +index e219d49..dab1690 100644 +--- a/src/expr/bitwise.c ++++ b/src/expr/bitwise.c +@@ -266,10 +266,21 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size, + return err; + } + ++static struct attr_policy bitwise_attr_policy[__NFTNL_EXPR_BITWISE_MAX] = { ++ [NFTNL_EXPR_BITWISE_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BITWISE_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BITWISE_LEN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BITWISE_MASK] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, ++ [NFTNL_EXPR_BITWISE_XOR] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, ++ [NFTNL_EXPR_BITWISE_OP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BITWISE_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, ++}; ++ + struct expr_ops expr_ops_bitwise = { + .name = "bitwise", + .alloc_len = sizeof(struct nftnl_expr_bitwise), + .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1, ++ .attr_policy = bitwise_attr_policy, + .set = nftnl_expr_bitwise_set, + .get = nftnl_expr_bitwise_get, + .parse = nftnl_expr_bitwise_parse, +diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c +index 8c7661f..d4e85a8 100644 +--- a/src/expr/byteorder.c ++++ b/src/expr/byteorder.c +@@ -210,10 +210,19 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy byteorder_attr_policy[__NFTNL_EXPR_BYTEORDER_MAX] = { ++ [NFTNL_EXPR_BYTEORDER_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BYTEORDER_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BYTEORDER_OP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BYTEORDER_LEN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_BYTEORDER_SIZE] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_byteorder = { + .name = "byteorder", + .alloc_len = sizeof(struct nftnl_expr_byteorder), + .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1, ++ .attr_policy = byteorder_attr_policy, + .set = nftnl_expr_byteorder_set, + .get = nftnl_expr_byteorder_get, + .parse = 
nftnl_expr_byteorder_parse, +diff --git a/src/expr/cmp.c b/src/expr/cmp.c +index fe6f599..2937d7e 100644 +--- a/src/expr/cmp.c ++++ b/src/expr/cmp.c +@@ -190,10 +190,17 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy cmp_attr_policy[__NFTNL_EXPR_CMP_MAX] = { ++ [NFTNL_EXPR_CMP_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_CMP_OP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_CMP_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN } ++}; ++ + struct expr_ops expr_ops_cmp = { + .name = "cmp", + .alloc_len = sizeof(struct nftnl_expr_cmp), + .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1, ++ .attr_policy = cmp_attr_policy, + .set = nftnl_expr_cmp_set, + .get = nftnl_expr_cmp_get, + .parse = nftnl_expr_cmp_parse, +diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c +index 90613f2..1c78c71 100644 +--- a/src/expr/connlimit.c ++++ b/src/expr/connlimit.c +@@ -125,10 +125,16 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len, + connlimit->count, connlimit->flags); + } + ++static struct attr_policy connlimit_attr_policy[__NFTNL_EXPR_CONNLIMIT_MAX] = { ++ [NFTNL_EXPR_CONNLIMIT_COUNT] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_CONNLIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_connlimit = { + .name = "connlimit", + .alloc_len = sizeof(struct nftnl_expr_connlimit), + .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1, ++ .attr_policy = connlimit_attr_policy, + .set = nftnl_expr_connlimit_set, + .get = nftnl_expr_connlimit_get, + .parse = nftnl_expr_connlimit_parse, +diff --git a/src/expr/counter.c b/src/expr/counter.c +index a003e24..2c6f2a7 100644 +--- a/src/expr/counter.c ++++ b/src/expr/counter.c +@@ -123,10 +123,16 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len, + ctr->pkts, ctr->bytes); + } + ++static struct attr_policy counter_attr_policy[__NFTNL_EXPR_CTR_MAX] = { ++ [NFTNL_EXPR_CTR_PACKETS] = { .maxlen = sizeof(uint64_t) }, ++ 
[NFTNL_EXPR_CTR_BYTES] = { .maxlen = sizeof(uint64_t) }, ++}; ++ + struct expr_ops expr_ops_counter = { + .name = "counter", + .alloc_len = sizeof(struct nftnl_expr_counter), + .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1, ++ .attr_policy = counter_attr_policy, + .set = nftnl_expr_counter_set, + .get = nftnl_expr_counter_get, + .parse = nftnl_expr_counter_parse, +diff --git a/src/expr/ct.c b/src/expr/ct.c +index 197454e..f7dd40d 100644 +--- a/src/expr/ct.c ++++ b/src/expr/ct.c +@@ -248,10 +248,18 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy ct_attr_policy[__NFTNL_EXPR_CT_MAX] = { ++ [NFTNL_EXPR_CT_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_CT_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_CT_DIR] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_EXPR_CT_SREG] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_ct = { + .name = "ct", + .alloc_len = sizeof(struct nftnl_expr_ct), + .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1, ++ .attr_policy = ct_attr_policy, + .set = nftnl_expr_ct_set, + .get = nftnl_expr_ct_get, + .parse = nftnl_expr_ct_parse, +diff --git a/src/expr/dup.c b/src/expr/dup.c +index 20100ab..6a5e4ca 100644 +--- a/src/expr/dup.c ++++ b/src/expr/dup.c +@@ -128,10 +128,16 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy dup_attr_policy[__NFTNL_EXPR_DUP_MAX] = { ++ [NFTNL_EXPR_DUP_SREG_ADDR] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_DUP_SREG_DEV] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_dup = { + .name = "dup", + .alloc_len = sizeof(struct nftnl_expr_dup), + .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1, ++ .attr_policy = dup_attr_policy, + .set = nftnl_expr_dup_set, + .get = nftnl_expr_dup_get, + .parse = nftnl_expr_dup_parse, +diff --git a/src/expr/dynset.c b/src/expr/dynset.c +index ee6ce1e..c1f79b5 100644 +--- a/src/expr/dynset.c ++++ b/src/expr/dynset.c +@@ -363,10 +363,23 
@@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e) + nftnl_expr_free(expr); + } + ++static struct attr_policy dynset_attr_policy[__NFTNL_EXPR_DYNSET_MAX] = { ++ [NFTNL_EXPR_DYNSET_SREG_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_DYNSET_SREG_DATA] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_DYNSET_OP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_DYNSET_TIMEOUT] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_EXPR_DYNSET_SET_NAME] = { .maxlen = NFT_SET_MAXNAMELEN }, ++ [NFTNL_EXPR_DYNSET_SET_ID] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_DYNSET_EXPR] = { .maxlen = 0 }, ++ [NFTNL_EXPR_DYNSET_EXPRESSIONS] = { .maxlen = 0 }, ++ [NFTNL_EXPR_DYNSET_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_dynset = { + .name = "dynset", + .alloc_len = sizeof(struct nftnl_expr_dynset), + .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1, ++ .attr_policy = dynset_attr_policy, + .init = nftnl_expr_dynset_init, + .free = nftnl_expr_dynset_free, + .set = nftnl_expr_dynset_set, +diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c +index 77ff7db..93b7521 100644 +--- a/src/expr/exthdr.c ++++ b/src/expr/exthdr.c +@@ -257,10 +257,21 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len, + + } + ++static struct attr_policy exthdr_attr_policy[__NFTNL_EXPR_EXTHDR_MAX] = { ++ [NFTNL_EXPR_EXTHDR_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_EXTHDR_TYPE] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_EXPR_EXTHDR_OFFSET] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_EXTHDR_LEN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_EXTHDR_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_EXTHDR_OP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_EXTHDR_SREG] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_exthdr = { + .name = "exthdr", + .alloc_len = sizeof(struct nftnl_expr_exthdr), + .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1, ++ .attr_policy = exthdr_attr_policy, + .set = nftnl_expr_exthdr_set, + .get = 
nftnl_expr_exthdr_get, + .parse = nftnl_expr_exthdr_parse, +diff --git a/src/expr/fib.c b/src/expr/fib.c +index 5d2303f..5f7bef4 100644 +--- a/src/expr/fib.c ++++ b/src/expr/fib.c +@@ -188,10 +188,17 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy fib_attr_policy[__NFTNL_EXPR_FIB_MAX] = { ++ [NFTNL_EXPR_FIB_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_FIB_RESULT] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_FIB_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_fib = { + .name = "fib", + .alloc_len = sizeof(struct nftnl_expr_fib), + .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1, ++ .attr_policy = fib_attr_policy, + .set = nftnl_expr_fib_set, + .get = nftnl_expr_fib_get, + .parse = nftnl_expr_fib_parse, +diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c +index 9ab068d..5f209a6 100644 +--- a/src/expr/flow_offload.c ++++ b/src/expr/flow_offload.c +@@ -109,10 +109,15 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e) + xfree(flow->table_name); + } + ++static struct attr_policy flow_offload_attr_policy[__NFTNL_EXPR_FLOW_MAX] = { ++ [NFTNL_EXPR_FLOW_TABLE_NAME] = { .maxlen = NFT_NAME_MAXLEN }, ++}; ++ + struct expr_ops expr_ops_flow = { + .name = "flow_offload", + .alloc_len = sizeof(struct nftnl_expr_flow), + .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1, ++ .attr_policy = flow_offload_attr_policy, + .free = nftnl_expr_flow_free, + .set = nftnl_expr_flow_set, + .get = nftnl_expr_flow_get, +diff --git a/src/expr/fwd.c b/src/expr/fwd.c +index bd1b1d8..566d6f4 100644 +--- a/src/expr/fwd.c ++++ b/src/expr/fwd.c +@@ -148,10 +148,17 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy fwd_attr_policy[__NFTNL_EXPR_FWD_MAX] = { ++ [NFTNL_EXPR_FWD_SREG_DEV] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_FWD_SREG_ADDR] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_FWD_NFPROTO] = { .maxlen = 
sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_fwd = { + .name = "fwd", + .alloc_len = sizeof(struct nftnl_expr_fwd), + .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1, ++ .attr_policy = fwd_attr_policy, + .set = nftnl_expr_fwd_set, + .get = nftnl_expr_fwd_get, + .parse = nftnl_expr_fwd_parse, +diff --git a/src/expr/hash.c b/src/expr/hash.c +index 1fc72ec..4cd9006 100644 +--- a/src/expr/hash.c ++++ b/src/expr/hash.c +@@ -218,10 +218,21 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy hash_attr_policy[__NFTNL_EXPR_HASH_MAX] = { ++ [NFTNL_EXPR_HASH_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_HASH_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_HASH_LEN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_HASH_MODULUS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_HASH_SEED] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_HASH_OFFSET] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_HASH_TYPE] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_hash = { + .name = "hash", + .alloc_len = sizeof(struct nftnl_expr_hash), + .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1, ++ .attr_policy = hash_attr_policy, + .set = nftnl_expr_hash_set, + .get = nftnl_expr_hash_get, + .parse = nftnl_expr_hash_parse, +diff --git a/src/expr/immediate.c b/src/expr/immediate.c +index 6ab8417..8645ab3 100644 +--- a/src/expr/immediate.c ++++ b/src/expr/immediate.c +@@ -216,10 +216,19 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e) + nftnl_free_verdict(&imm->data); + } + ++static struct attr_policy immediate_attr_policy[__NFTNL_EXPR_IMM_MAX] = { ++ [NFTNL_EXPR_IMM_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_IMM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, ++ [NFTNL_EXPR_IMM_VERDICT] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN }, ++ [NFTNL_EXPR_IMM_CHAIN_ID] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops 
expr_ops_immediate = { + .name = "immediate", + .alloc_len = sizeof(struct nftnl_expr_immediate), + .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1, ++ .attr_policy = immediate_attr_policy, + .free = nftnl_expr_immediate_free, + .set = nftnl_expr_immediate_set, + .get = nftnl_expr_immediate_get, +diff --git a/src/expr/inner.c b/src/expr/inner.c +index 515f68d..45ef4fb 100644 +--- a/src/expr/inner.c ++++ b/src/expr/inner.c +@@ -199,10 +199,18 @@ nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags, + return offset; + } + ++static struct attr_policy inner_attr_policy[__NFTNL_EXPR_INNER_MAX] = { ++ [NFTNL_EXPR_INNER_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_INNER_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_INNER_HDRSIZE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_INNER_EXPR] = { .maxlen = 0 }, ++}; ++ + struct expr_ops expr_ops_inner = { + .name = "inner", + .alloc_len = sizeof(struct nftnl_expr_inner), + .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1, ++ .attr_policy = inner_attr_policy, + .free = nftnl_expr_inner_free, + .set = nftnl_expr_inner_set, + .get = nftnl_expr_inner_get, +diff --git a/src/expr/last.c b/src/expr/last.c +index 8aa772c..074f463 100644 +--- a/src/expr/last.c ++++ b/src/expr/last.c +@@ -124,10 +124,16 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len, + return snprintf(buf, len, "%"PRIu64" ", last->msecs); + } + ++static struct attr_policy last_attr_policy[__NFTNL_EXPR_LAST_MAX] = { ++ [NFTNL_EXPR_LAST_MSECS] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_EXPR_LAST_SET] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_last = { + .name = "last", + .alloc_len = sizeof(struct nftnl_expr_last), + .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1, ++ .attr_policy = last_attr_policy, + .set = nftnl_expr_last_set, + .get = nftnl_expr_last_get, + .parse = nftnl_expr_last_parse, +diff --git a/src/expr/limit.c b/src/expr/limit.c +index 355d46a..935d449 100644 +--- a/src/expr/limit.c ++++ 
b/src/expr/limit.c +@@ -192,10 +192,19 @@ nftnl_expr_limit_snprintf(char *buf, size_t len, + limit_to_type(limit->type), limit->flags); + } + ++static struct attr_policy limit_attr_policy[__NFTNL_EXPR_LIMIT_MAX] = { ++ [NFTNL_EXPR_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_EXPR_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_EXPR_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_limit = { + .name = "limit", + .alloc_len = sizeof(struct nftnl_expr_limit), + .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1, ++ .attr_policy = limit_attr_policy, + .set = nftnl_expr_limit_set, + .get = nftnl_expr_limit_get, + .parse = nftnl_expr_limit_parse, +diff --git a/src/expr/log.c b/src/expr/log.c +index 868da61..d6d6910 100644 +--- a/src/expr/log.c ++++ b/src/expr/log.c +@@ -242,10 +242,20 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e) + xfree(log->prefix); + } + ++static struct attr_policy log_attr_policy[__NFTNL_EXPR_LOG_MAX] = { ++ [NFTNL_EXPR_LOG_PREFIX] = { .maxlen = NF_LOG_PREFIXLEN }, ++ [NFTNL_EXPR_LOG_GROUP] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_EXPR_LOG_SNAPLEN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LOG_QTHRESHOLD] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_EXPR_LOG_LEVEL] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LOG_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_log = { + .name = "log", + .alloc_len = sizeof(struct nftnl_expr_log), + .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1, ++ .attr_policy = log_attr_policy, + .free = nftnl_expr_log_free, + .set = nftnl_expr_log_set, + .get = nftnl_expr_log_get, +diff --git a/src/expr/lookup.c b/src/expr/lookup.c +index ca58a38..be04528 100644 +--- a/src/expr/lookup.c ++++ b/src/expr/lookup.c +@@ -195,10 +195,19 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e) + 
xfree(lookup->set_name); + } + ++static struct attr_policy lookup_attr_policy[__NFTNL_EXPR_LOOKUP_MAX] = { ++ [NFTNL_EXPR_LOOKUP_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LOOKUP_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LOOKUP_SET] = { .maxlen = NFT_SET_MAXNAMELEN }, ++ [NFTNL_EXPR_LOOKUP_SET_ID] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_LOOKUP_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_lookup = { + .name = "lookup", + .alloc_len = sizeof(struct nftnl_expr_lookup), + .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1, ++ .attr_policy = lookup_attr_policy, + .free = nftnl_expr_lookup_free, + .set = nftnl_expr_lookup_set, + .get = nftnl_expr_lookup_get, +diff --git a/src/expr/masq.c b/src/expr/masq.c +index fa2f4af..4be5a9c 100644 +--- a/src/expr/masq.c ++++ b/src/expr/masq.c +@@ -153,10 +153,17 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy masq_attr_policy[__NFTNL_EXPR_MASQ_MAX] = { ++ [NFTNL_EXPR_MASQ_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_MASQ_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_MASQ_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_masq = { + .name = "masq", + .alloc_len = sizeof(struct nftnl_expr_masq), + .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1, ++ .attr_policy = masq_attr_policy, + .set = nftnl_expr_masq_set, + .get = nftnl_expr_masq_get, + .parse = nftnl_expr_masq_parse, +diff --git a/src/expr/match.c b/src/expr/match.c +index 16e7367..68288dc 100644 +--- a/src/expr/match.c ++++ b/src/expr/match.c +@@ -178,10 +178,17 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e) + xfree(match->data); + } + ++static struct attr_policy match_attr_policy[__NFTNL_EXPR_MT_MAX] = { ++ [NFTNL_EXPR_MT_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN }, ++ [NFTNL_EXPR_MT_REV] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_MT_INFO] = { .maxlen = 0 }, ++}; ++ + 
struct expr_ops expr_ops_match = { + .name = "match", + .alloc_len = sizeof(struct nftnl_expr_match), + .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1, ++ .attr_policy = match_attr_policy, + .free = nftnl_expr_match_free, + .set = nftnl_expr_match_set, + .get = nftnl_expr_match_get, +diff --git a/src/expr/meta.c b/src/expr/meta.c +index 1db2c19..cd49c34 100644 +--- a/src/expr/meta.c ++++ b/src/expr/meta.c +@@ -207,10 +207,17 @@ nftnl_expr_meta_snprintf(char *buf, size_t len, + return 0; + } + ++static struct attr_policy meta_attr_policy[__NFTNL_EXPR_META_MAX] = { ++ [NFTNL_EXPR_META_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_META_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_META_SREG] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_meta = { + .name = "meta", + .alloc_len = sizeof(struct nftnl_expr_meta), + .nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1, ++ .attr_policy = meta_attr_policy, + .set = nftnl_expr_meta_set, + .get = nftnl_expr_meta_get, + .parse = nftnl_expr_meta_parse, +diff --git a/src/expr/nat.c b/src/expr/nat.c +index 724894a..f3f8644 100644 +--- a/src/expr/nat.c ++++ b/src/expr/nat.c +@@ -264,10 +264,21 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy nat_attr_policy[__NFTNL_EXPR_NAT_MAX] = { ++ [NFTNL_EXPR_NAT_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NAT_FAMILY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NAT_REG_ADDR_MIN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NAT_REG_ADDR_MAX] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NAT_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NAT_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NAT_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_nat = { + .name = "nat", + .alloc_len = sizeof(struct nftnl_expr_nat), + .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1, ++ .attr_policy = nat_attr_policy, + .set = nftnl_expr_nat_set, + .get = 
nftnl_expr_nat_get, + .parse = nftnl_expr_nat_parse, +diff --git a/src/expr/numgen.c b/src/expr/numgen.c +index 3e83e05..c5e8772 100644 +--- a/src/expr/numgen.c ++++ b/src/expr/numgen.c +@@ -172,10 +172,18 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy numgen_attr_policy[__NFTNL_EXPR_NG_MAX] = { ++ [NFTNL_EXPR_NG_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NG_MODULUS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NG_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_NG_OFFSET] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_ng = { + .name = "numgen", + .alloc_len = sizeof(struct nftnl_expr_ng), + .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1, ++ .attr_policy = numgen_attr_policy, + .set = nftnl_expr_ng_set, + .get = nftnl_expr_ng_get, + .parse = nftnl_expr_ng_parse, +diff --git a/src/expr/objref.c b/src/expr/objref.c +index 28cd2cc..59e1ddd 100644 +--- a/src/expr/objref.c ++++ b/src/expr/objref.c +@@ -194,10 +194,19 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e) + xfree(objref->set.name); + } + ++static struct attr_policy objref_attr_policy[__NFTNL_EXPR_OBJREF_MAX] = { ++ [NFTNL_EXPR_OBJREF_IMM_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_OBJREF_IMM_NAME] = { .maxlen = NFT_NAME_MAXLEN }, ++ [NFTNL_EXPR_OBJREF_SET_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_OBJREF_SET_NAME] = { .maxlen = NFT_NAME_MAXLEN }, ++ [NFTNL_EXPR_OBJREF_SET_ID] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_objref = { + .name = "objref", + .alloc_len = sizeof(struct nftnl_expr_objref), + .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1, ++ .attr_policy = objref_attr_policy, + .free = nftnl_expr_objref_free, + .set = nftnl_expr_objref_set, + .get = nftnl_expr_objref_get, +diff --git a/src/expr/osf.c b/src/expr/osf.c +index 3838af7..1e4ceb0 100644 +--- a/src/expr/osf.c ++++ b/src/expr/osf.c +@@ -139,10 +139,17 @@ nftnl_expr_osf_snprintf(char 
*buf, size_t len, + return offset; + } + ++static struct attr_policy osf_attr_policy[__NFTNL_EXPR_OSF_MAX] = { ++ [NFTNL_EXPR_OSF_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_OSF_TTL] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_EXPR_OSF_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_osf = { + .name = "osf", + .alloc_len = sizeof(struct nftnl_expr_osf), + .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1, ++ .attr_policy = osf_attr_policy, + .set = nftnl_expr_osf_set, + .get = nftnl_expr_osf_get, + .parse = nftnl_expr_osf_parse, +diff --git a/src/expr/payload.c b/src/expr/payload.c +index 73cb188..76d38f7 100644 +--- a/src/expr/payload.c ++++ b/src/expr/payload.c +@@ -236,10 +236,22 @@ nftnl_expr_payload_snprintf(char *buf, size_t len, + payload->offset, payload->dreg); + } + ++static struct attr_policy payload_attr_policy[__NFTNL_EXPR_PAYLOAD_MAX] = { ++ [NFTNL_EXPR_PAYLOAD_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_BASE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_OFFSET] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_LEN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_CSUM_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_CSUM_OFFSET] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_PAYLOAD_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_payload = { + .name = "payload", + .alloc_len = sizeof(struct nftnl_expr_payload), + .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1, ++ .attr_policy = payload_attr_policy, + .set = nftnl_expr_payload_set, + .get = nftnl_expr_payload_get, + .parse = nftnl_expr_payload_parse, +diff --git a/src/expr/queue.c b/src/expr/queue.c +index 3343dd4..54792ef 100644 +--- a/src/expr/queue.c ++++ b/src/expr/queue.c +@@ -183,10 +183,18 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy 
queue_attr_policy[__NFTNL_EXPR_QUEUE_MAX] = { ++ [NFTNL_EXPR_QUEUE_NUM] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_EXPR_QUEUE_TOTAL] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_EXPR_QUEUE_FLAGS] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_EXPR_QUEUE_SREG_QNUM] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_queue = { + .name = "queue", + .alloc_len = sizeof(struct nftnl_expr_queue), + .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1, ++ .attr_policy = queue_attr_policy, + .set = nftnl_expr_queue_set, + .get = nftnl_expr_queue_get, + .parse = nftnl_expr_queue_parse, +diff --git a/src/expr/quota.c b/src/expr/quota.c +index 2a3a05a..60631fe 100644 +--- a/src/expr/quota.c ++++ b/src/expr/quota.c +@@ -137,10 +137,17 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len, + quota->bytes, quota->consumed, quota->flags); + } + ++static struct attr_policy quota_attr_policy[__NFTNL_EXPR_QUOTA_MAX] = { ++ [NFTNL_EXPR_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_EXPR_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) }, ++}; ++ + struct expr_ops expr_ops_quota = { + .name = "quota", + .alloc_len = sizeof(struct nftnl_expr_quota), + .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1, ++ .attr_policy = quota_attr_policy, + .set = nftnl_expr_quota_set, + .get = nftnl_expr_quota_get, + .parse = nftnl_expr_quota_parse, +diff --git a/src/expr/range.c b/src/expr/range.c +index d0c52b9..6310b79 100644 +--- a/src/expr/range.c ++++ b/src/expr/range.c +@@ -199,10 +199,18 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy range_attr_policy[__NFTNL_EXPR_RANGE_MAX] = { ++ [NFTNL_EXPR_RANGE_SREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_RANGE_OP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_RANGE_FROM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, ++ [NFTNL_EXPR_RANGE_TO_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, ++}; ++ + 
struct expr_ops expr_ops_range = { + .name = "range", + .alloc_len = sizeof(struct nftnl_expr_range), + .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1, ++ .attr_policy = range_attr_policy, + .set = nftnl_expr_range_set, + .get = nftnl_expr_range_get, + .parse = nftnl_expr_range_parse, +diff --git a/src/expr/redir.c b/src/expr/redir.c +index a5a5e7d..69095bd 100644 +--- a/src/expr/redir.c ++++ b/src/expr/redir.c +@@ -157,10 +157,17 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy redir_attr_policy[__NFTNL_EXPR_REDIR_MAX] = { ++ [NFTNL_EXPR_REDIR_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_REDIR_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_REDIR_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_redir = { + .name = "redir", + .alloc_len = sizeof(struct nftnl_expr_redir), + .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1, ++ .attr_policy = redir_attr_policy, + .set = nftnl_expr_redir_set, + .get = nftnl_expr_redir_get, + .parse = nftnl_expr_redir_parse, +diff --git a/src/expr/reject.c b/src/expr/reject.c +index 8a0653d..f97011a 100644 +--- a/src/expr/reject.c ++++ b/src/expr/reject.c +@@ -124,10 +124,16 @@ nftnl_expr_reject_snprintf(char *buf, size_t len, + reject->type, reject->icmp_code); + } + ++static struct attr_policy reject_attr_policy[__NFTNL_EXPR_REJECT_MAX] = { ++ [NFTNL_EXPR_REJECT_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_REJECT_CODE] = { .maxlen = sizeof(uint8_t) }, ++}; ++ + struct expr_ops expr_ops_reject = { + .name = "reject", + .alloc_len = sizeof(struct nftnl_expr_reject), + .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1, ++ .attr_policy = reject_attr_policy, + .set = nftnl_expr_reject_set, + .get = nftnl_expr_reject_get, + .parse = nftnl_expr_reject_parse, +diff --git a/src/expr/rt.c b/src/expr/rt.c +index de2bd2f..0ab2556 100644 +--- a/src/expr/rt.c ++++ b/src/expr/rt.c +@@ -152,10 +152,16 @@ nftnl_expr_rt_snprintf(char 
*buf, size_t len, + return 0; + } + ++static struct attr_policy rt_attr_policy[__NFTNL_EXPR_RT_MAX] = { ++ [NFTNL_EXPR_RT_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_RT_DREG] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_rt = { + .name = "rt", + .alloc_len = sizeof(struct nftnl_expr_rt), + .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1, ++ .attr_policy = rt_attr_policy, + .set = nftnl_expr_rt_set, + .get = nftnl_expr_rt_get, + .parse = nftnl_expr_rt_parse, +diff --git a/src/expr/socket.c b/src/expr/socket.c +index 9b6c3ea..d0d8e23 100644 +--- a/src/expr/socket.c ++++ b/src/expr/socket.c +@@ -155,10 +155,17 @@ nftnl_expr_socket_snprintf(char *buf, size_t len, + return 0; + } + ++static struct attr_policy socket_attr_policy[__NFTNL_EXPR_SOCKET_MAX] = { ++ [NFTNL_EXPR_SOCKET_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_SOCKET_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_SOCKET_LEVEL] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_socket = { + .name = "socket", + .alloc_len = sizeof(struct nftnl_expr_socket), + .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1, ++ .attr_policy = socket_attr_policy, + .set = nftnl_expr_socket_set, + .get = nftnl_expr_socket_get, + .parse = nftnl_expr_socket_parse, +diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c +index dc25962..898d292 100644 +--- a/src/expr/synproxy.c ++++ b/src/expr/synproxy.c +@@ -144,10 +144,17 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len, + return offset; + } + ++static struct attr_policy synproxy_attr_policy[__NFTNL_EXPR_SYNPROXY_MAX] = { ++ [NFTNL_EXPR_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_EXPR_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_EXPR_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_synproxy = { + .name = "synproxy", + .alloc_len = sizeof(struct nftnl_expr_synproxy), + .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1, ++ .attr_policy = 
synproxy_attr_policy, + .set = nftnl_expr_synproxy_set, + .get = nftnl_expr_synproxy_get, + .parse = nftnl_expr_synproxy_parse, +diff --git a/src/expr/target.c b/src/expr/target.c +index cc0566c..9bfd25b 100644 +--- a/src/expr/target.c ++++ b/src/expr/target.c +@@ -178,10 +178,17 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e) + xfree(target->data); + } + ++static struct attr_policy target_attr_policy[__NFTNL_EXPR_TG_MAX] = { ++ [NFTNL_EXPR_TG_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN }, ++ [NFTNL_EXPR_TG_REV] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_TG_INFO] = { .maxlen = 0 }, ++}; ++ + struct expr_ops expr_ops_target = { + .name = "target", + .alloc_len = sizeof(struct nftnl_expr_target), + .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1, ++ .attr_policy = target_attr_policy, + .free = nftnl_expr_target_free, + .set = nftnl_expr_target_set, + .get = nftnl_expr_target_get, +diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c +index c6ed888..4948392 100644 +--- a/src/expr/tproxy.c ++++ b/src/expr/tproxy.c +@@ -160,10 +160,17 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy tproxy_attr_policy[__NFTNL_EXPR_TPROXY_MAX] = { ++ [NFTNL_EXPR_TPROXY_FAMILY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_TPROXY_REG_ADDR] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_TPROXY_REG_PORT] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_tproxy = { + .name = "tproxy", + .alloc_len = sizeof(struct nftnl_expr_tproxy), + .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1, ++ .attr_policy = tproxy_attr_policy, + .set = nftnl_expr_tproxy_set, + .get = nftnl_expr_tproxy_get, + .parse = nftnl_expr_tproxy_parse, +diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c +index e59744b..8089d0b 100644 +--- a/src/expr/tunnel.c ++++ b/src/expr/tunnel.c +@@ -135,10 +135,16 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len, + return 0; + } + ++static struct attr_policy 
tunnel_attr_policy[__NFTNL_EXPR_TUNNEL_MAX] = { ++ [NFTNL_EXPR_TUNNEL_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_TUNNEL_DREG] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_tunnel = { + .name = "tunnel", + .alloc_len = sizeof(struct nftnl_expr_tunnel), + .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1, ++ .attr_policy = tunnel_attr_policy, + .set = nftnl_expr_tunnel_set, + .get = nftnl_expr_tunnel_get, + .parse = nftnl_expr_tunnel_parse, +diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c +index 3f4cb0a..dc867a2 100644 +--- a/src/expr/xfrm.c ++++ b/src/expr/xfrm.c +@@ -188,10 +188,19 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy xfrm_attr_policy[__NFTNL_EXPR_XFRM_MAX] = { ++ [NFTNL_EXPR_XFRM_DREG] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 }, ++ [NFTNL_EXPR_XFRM_KEY] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_EXPR_XFRM_DIR] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_EXPR_XFRM_SPNUM] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct expr_ops expr_ops_xfrm = { + .name = "xfrm", + .alloc_len = sizeof(struct nftnl_expr_xfrm), + .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1, ++ .attr_policy = xfrm_attr_policy, + .set = nftnl_expr_xfrm_set, + .get = nftnl_expr_xfrm_get, + .parse = nftnl_expr_xfrm_parse, diff --git a/SOURCES/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch b/SOURCES/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch new file mode 100644 index 0000000..6d1175f --- /dev/null +++ b/SOURCES/0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch 
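Review bot: The new policy tables are mutable data: `struct attr_policy *attr_policy;` in expr_ops.h and every `static struct attr_policy <name>_attr_policy[...]` in src/expr/*.c could be const so the length limits live in read-only memory and cannot be modified after initialisation; `const struct attr_policy *attr_policy;` in the ops struct and `static const struct attr_policy bitwise_attr_policy[__NFTNL_EXPR_BITWISE_MAX] = {` (and likewise for the other tables). The `maxlen` member is also undocumented in the header although several tables deliberately use 0 (NFTNL_EXPR_DYNSET_EXPR, NFTNL_EXPR_DYNSET_EXPRESSIONS, NFTNL_EXPR_INNER_EXPR, NFTNL_EXPR_MT_INFO, NFTNL_EXPR_TG_INFO, NFTNL_EXPR_XFRM_SREG), so a reader of expr_ops.h alone cannot tell that 0 means "unbounded"; suggest `uint32_t maxlen; /* 0: no upper bound is enforced for this attribute */`. The arrays are sized `__NFTNL_EXPR_*_MAX` while `nftnl_max_attr` is `__NFTNL_EXPR_*_MAX - 1`, which matches the index range the generic setter accepts, so no out-of-bounds policy lookup is apparent.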
@@ -0,0 +1,48 @@ +From 244e36b93c9271e3dc9d4bbce5fa395f1db7e376 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] expr: Enforce attr_policy compliance in nftnl_expr_set() + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 62db596bf1f3dabffac3e0b9b0c3db487bfff828 + +commit 62db596bf1f3dabffac3e0b9b0c3db487bfff828 +Author: Phil Sutter +Date: Fri Dec 15 16:32:30 2023 +0100 + + expr: Enforce attr_policy compliance in nftnl_expr_set() + + Every expression type defines an attr_policy array, so deny setting + attributes if not present. Also deny if maxlen field is non-zero and + lower than the given data_len. + + Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO ) + or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero + maxlen "nop" is also used for deprecated attributes, just to not + silently ignore them. + + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/expr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/expr.c b/src/expr.c +index 74d211b..4e32189 100644 +--- a/src/expr.c ++++ b/src/expr.c +@@ -74,6 +74,13 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, + if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr) + return -1; + ++ if (!expr->ops->attr_policy) ++ return -1; ++ ++ if (expr->ops->attr_policy[type].maxlen && ++ expr->ops->attr_policy[type].maxlen < data_len) ++ return -1; ++ + if (expr->ops->set(expr, type, data, data_len) < 0) + return -1; + } diff --git a/SOURCES/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch b/SOURCES/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch new file mode 100644 index 0000000..30e1267 --- /dev/null +++ b/SOURCES/0012-chain-Validate-NFTNL_CHAIN_USE-too.patch 
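Review bot: The new attr_policy check in nftnl_expr_set() bounds data_len from above only: an attribute whose maxlen is 0 (NFTNL_EXPR_TG_INFO and NFTNL_EXPR_XFRM_SREG in the preceding patch) and any data_len shorter than a fixed-size attribute's width still reach expr->ops->set unchecked. A per-type setter that copies sizeof(field) bytes, the pattern the object setters use (`memcpy(&ctr->pkts, data, sizeof(ctr->pkts))` in patch 0024), would then read past a short caller buffer, and the maxlen == 0 entries rely entirely on the setter for bounding. If that split of responsibility is intended, a comment on the check would spare the next reader the guesswork, e.g. `/* maxlen == 0: variable-length or deprecated attribute; the type's set callback must bound data_len itself */`. The body of nftnl_expr_set() continues outside the hunk.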
@@ -0,0 +1,34 @@ +From d1ee302a2805a06e1d016a2f6c6c856df5c925b2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] chain: Validate NFTNL_CHAIN_USE, too + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 104b83489d96642752e774c59e54e816dee85f26 + +commit 104b83489d96642752e774c59e54e816dee85f26 +Author: Phil Sutter +Date: Thu Mar 14 17:22:14 2024 +0100 + + chain: Validate NFTNL_CHAIN_USE, too + + Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface") + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/chain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/chain.c b/src/chain.c +index dcfcd04..e0b1eaf 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -196,6 +196,7 @@ static uint32_t nftnl_chain_validate[NFTNL_CHAIN_MAX + 1] = { + [NFTNL_CHAIN_HOOKNUM] = sizeof(uint32_t), + [NFTNL_CHAIN_PRIO] = sizeof(int32_t), + [NFTNL_CHAIN_POLICY] = sizeof(uint32_t), ++ [NFTNL_CHAIN_USE] = sizeof(uint32_t), + [NFTNL_CHAIN_BYTES] = sizeof(uint64_t), + [NFTNL_CHAIN_PACKETS] = sizeof(uint64_t), + [NFTNL_CHAIN_HANDLE] = sizeof(uint64_t), diff --git a/SOURCES/0013-table-Validate-NFTNL_TABLE_USE-too.patch b/SOURCES/0013-table-Validate-NFTNL_TABLE_USE-too.patch new file mode 100644 index 0000000..33d536c --- /dev/null +++ b/SOURCES/0013-table-Validate-NFTNL_TABLE_USE-too.patch @@ -0,0 +1,34 @@ +From aff3c03195ad34f4bc8d59ab031cd3ad5ba18f1b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] table: Validate NFTNL_TABLE_USE, too + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 8d3ed0716c619213916140e1ea42945f5202ea5c + +commit 8d3ed0716c619213916140e1ea42945f5202ea5c +Author: Phil Sutter +Date: Thu Mar 14 17:25:05 2024 +0100 + + table: Validate NFTNL_TABLE_USE, too + + Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface") + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/table.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/table.c b/src/table.c +index 59e7053..4a439ff 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -88,6 +88,7 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = { + [NFTNL_TABLE_FLAGS] = sizeof(uint32_t), + [NFTNL_TABLE_FAMILY] = sizeof(uint32_t), + [NFTNL_TABLE_HANDLE] = sizeof(uint64_t), ++ [NFTNL_TABLE_USE] = sizeof(uint32_t), + }; + + EXPORT_SYMBOL(nftnl_table_set_data); diff --git a/SOURCES/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch b/SOURCES/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch new file mode 100644 index 0000000..4a82770 --- /dev/null +++ b/SOURCES/0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch @@ -0,0 +1,34 @@ +From e0cfd83bb9e083dcb81cb1b94f8b5de5c5eb5a4d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] flowtable: Validate NFTNL_FLOWTABLE_SIZE, too + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit b8a502b359221c6fb9c35618550364e2ebf116fb + +commit b8a502b359221c6fb9c35618550364e2ebf116fb +Author: Phil Sutter +Date: Thu Mar 14 17:26:33 2024 +0100 + + flowtable: Validate NFTNL_FLOWTABLE_SIZE, too + + Fixes: cdaea7f1ced05 ("flowtable: allow to specify size") + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/flowtable.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/flowtable.c b/src/flowtable.c +index e6c2475..2f37cd4 100644 +--- a/src/flowtable.c ++++ b/src/flowtable.c +@@ -102,6 +102,7 @@ static uint32_t nftnl_flowtable_validate[NFTNL_FLOWTABLE_MAX + 1] = { + [NFTNL_FLOWTABLE_HOOKNUM] = sizeof(uint32_t), + [NFTNL_FLOWTABLE_PRIO] = sizeof(int32_t), + [NFTNL_FLOWTABLE_FAMILY] = sizeof(uint32_t), ++ [NFTNL_FLOWTABLE_SIZE] = sizeof(uint32_t), + [NFTNL_FLOWTABLE_FLAGS] = sizeof(uint32_t), + [NFTNL_FLOWTABLE_HANDLE] = sizeof(uint64_t), + }; 
diff --git a/SOURCES/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch b/SOURCES/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch new file mode 100644 index 0000000..cf55633 --- /dev/null +++ b/SOURCES/0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch @@ -0,0 +1,34 @@ +From 5aca5c8f50c96303530bc7e3fdd16e20a683e1eb Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] obj: Validate NFTNL_OBJ_TYPE, too + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 899920d66b7b2a11c381a95a65b059ff12b9afd6 + +commit 899920d66b7b2a11c381a95a65b059ff12b9afd6 +Author: Phil Sutter +Date: Thu Mar 14 17:28:15 2024 +0100 + + obj: Validate NFTNL_OBJ_TYPE, too + + Fixes: 5573d0146c1ae ("src: support for stateful objects") + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/object.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/object.c b/src/object.c +index 232b97a..f498138 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -70,6 +70,7 @@ bool nftnl_obj_is_set(const struct nftnl_obj *obj, uint16_t attr) + } + + static uint32_t nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = { ++ [NFTNL_OBJ_TYPE] = sizeof(uint32_t), + [NFTNL_OBJ_FAMILY] = sizeof(uint32_t), + [NFTNL_OBJ_USE] = sizeof(uint32_t), + [NFTNL_OBJ_HANDLE] = sizeof(uint64_t), diff --git a/SOURCES/0016-set-Validate-NFTNL_SET_ID-too.patch b/SOURCES/0016-set-Validate-NFTNL_SET_ID-too.patch new file mode 100644 index 0000000..44c8b4d --- /dev/null +++ b/SOURCES/0016-set-Validate-NFTNL_SET_ID-too.patch 
@@ -0,0 +1,34 @@ +From 5825541216d49668aa7d19fdffc4f5519e2f5ff0 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] set: Validate NFTNL_SET_ID, too + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit a9b4d07dfab235324d2efbaa242fcc5ed5efe4c1 + +commit a9b4d07dfab235324d2efbaa242fcc5ed5efe4c1 +Author: Phil Sutter +Date: Thu Mar 14 17:29:51 2024 +0100 + + set: Validate NFTNL_SET_ID, too + + Fixes: 26298a9ffc2e2 ("set: add set ID support") + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/set.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/set.c b/src/set.c +index b51ff9e..a732bc0 100644 +--- a/src/set.c ++++ b/src/set.c +@@ -128,6 +128,7 @@ static uint32_t nftnl_set_validate[NFTNL_SET_MAX + 1] = { + [NFTNL_SET_DATA_LEN] = sizeof(uint32_t), + [NFTNL_SET_OBJ_TYPE] = sizeof(uint32_t), + [NFTNL_SET_FAMILY] = sizeof(uint32_t), ++ [NFTNL_SET_ID] = sizeof(uint32_t), + [NFTNL_SET_POLICY] = sizeof(uint32_t), + [NFTNL_SET_DESC_SIZE] = sizeof(uint32_t), + [NFTNL_SET_TIMEOUT] = sizeof(uint64_t), diff --git a/SOURCES/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch b/SOURCES/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch new file mode 100644 index 0000000..540495c --- /dev/null +++ b/SOURCES/0017-table-Validate-NFTNL_TABLE_OWNER-too.patch @@ -0,0 +1,34 @@ +From 63318c4320c8ad0670409cbabc7e97b05f85add4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] table: Validate NFTNL_TABLE_OWNER, too + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 08c9cab3352402c1a7d7952d1a2ce0a051f48b14 + +commit 08c9cab3352402c1a7d7952d1a2ce0a051f48b14 +Author: Phil Sutter +Date: Thu Mar 14 17:30:30 2024 +0100 + + table: Validate NFTNL_TABLE_OWNER, too + + Fixes: 985955fe41f53 ("table: add table owner support") + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/table.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/table.c b/src/table.c +index 4a439ff..4f48e8c 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -89,6 +89,7 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = { + [NFTNL_TABLE_FAMILY] = sizeof(uint32_t), + [NFTNL_TABLE_HANDLE] = sizeof(uint64_t), + [NFTNL_TABLE_USE] = sizeof(uint32_t), ++ [NFTNL_TABLE_OWNER] = sizeof(uint32_t), + }; + + EXPORT_SYMBOL(nftnl_table_set_data); diff --git a/SOURCES/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch b/SOURCES/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch new file mode 100644 index 0000000..bfa34a3 --- /dev/null +++ b/SOURCES/0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch @@ -0,0 +1,38 @@ +From eaa75e076e56224f0d3946a65565a3f72503f091 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] obj: Do not call nftnl_obj_set_data() with zero data_len + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit a113d1ffb6405407d98430807f3534e64a71837e + +commit a113d1ffb6405407d98430807f3534e64a71837e +Author: Phil Sutter +Date: Thu Mar 14 16:44:34 2024 +0100 + + obj: Do not call nftnl_obj_set_data() with zero data_len + + Pass 'strlen() + 1' as length parameter when setting string attributes, + just like other string setters do. + + Fixes: 5573d0146c1ae ("src: support for stateful objects") + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/object.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/object.c b/src/object.c +index f498138..e94236e 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -157,7 +157,7 @@ void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val) + EXPORT_SYMBOL(nftnl_obj_set_str); + void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str) + { +- nftnl_obj_set_data(obj, attr, str, 0); ++ nftnl_obj_set_data(obj, attr, str, strlen(str) + 1); + } + + EXPORT_SYMBOL(nftnl_obj_get_data); diff --git a/SOURCES/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch b/SOURCES/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch new file mode 100644 index 0000000..d7c25c2 --- /dev/null +++ b/SOURCES/0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch @@ -0,0 +1,47 @@ +From 1b3d689b39b1a43038c8872d80154ae1554304ca Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] obj: synproxy: Use memcpy() to handle potentially unaligned + data + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 721fe5702591d94b6dde1a2cc368986fb70626a8 + +commit 721fe5702591d94b6dde1a2cc368986fb70626a8 +Author: Phil Sutter +Date: Thu Mar 7 14:16:05 2024 +0100 + + obj: synproxy: Use memcpy() to handle potentially unaligned data + + Analogous to commit dc240913458d5 ("src: Use memcpy() to handle + potentially unaligned data"). + + Fixes: 609a13fc2999e ("src: synproxy stateful object support") + 
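Review bot: The wrapper now passes strlen(str) + 1 as data_len, but as far as the hunks in this series show the NFTNL_OBJ_TABLE and NFTNL_OBJ_NAME branches of nftnl_obj_set_data() still call strdup(data) without consulting data_len, and nftnl_obj_validate has no entry for the string attributes, so the length neither bounds the copy nor is compared against the kernel's name limit. If a later patch (0027 by its file name) routes these through a length-checking helper that is fine; otherwise a bound such as `if (strlen(str) >= NFT_NAME_MAXLEN) return;` here would stop over-long names from being accepted silently. Note also that strlen(str) is now evaluated before the `if (!data)` assertion inside nftnl_assert_validate(), so a NULL str crashes in this wrapper rather than producing the library's assertion message.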
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/obj/synproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c +index baef5c2..4ef97ec 100644 +--- a/src/obj/synproxy.c ++++ b/src/obj/synproxy.c +@@ -19,13 +19,13 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type, + + switch (type) { + case NFTNL_OBJ_SYNPROXY_MSS: +- synproxy->mss = *((uint16_t *)data); ++ memcpy(&synproxy->mss, data, data_len); + break; + case NFTNL_OBJ_SYNPROXY_WSCALE: +- synproxy->wscale = *((uint8_t *)data); ++ memcpy(&synproxy->wscale, data, data_len); + break; + case NFTNL_OBJ_SYNPROXY_FLAGS: +- synproxy->flags = *((uint32_t *)data); ++ memcpy(&synproxy->flags, data, data_len); + break; + default: + return -1; diff --git a/SOURCES/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch b/SOURCES/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch new file mode 100644 index 0000000..f1f74c3 --- /dev/null +++ b/SOURCES/0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch @@ -0,0 +1,49 @@ +From c0bdff70b2188ee6ab9375333cdaac39abfaeb8c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] utils: Fix for wrong variable use in nftnl_assert_validate() + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 8b9b16b3658ed035523156198798b5f29c808c78 + +commit 8b9b16b3658ed035523156198798b5f29c808c78 +Author: Phil Sutter +Date: Thu Mar 7 13:59:00 2024 +0100 + + utils: Fix for wrong variable use in nftnl_assert_validate() + + This worked by accident as all callers passed a local variable 'attr' as + parameter '_attr'. + + Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types") + 
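Review bot: The three memcpy() calls use the caller-supplied data_len as the copy length into fixed-width fields (a uint16_t, a uint8_t and a uint32_t, judging by the casts they replace), whereas the old code copied exactly the field width. These attributes start at NFTNL_OBJ_BASE and reach this callback through the default case of nftnl_obj_set_data(), whose nftnl_assert_validate() only covers attributes below NFTNL_OBJ_MAX, so a data_len larger than the field writes past it into the neighbouring struct members. Copy the field width instead, as the counter setter does: `memcpy(&synproxy->mss, data, sizeof(synproxy->mss));` and likewise `sizeof(synproxy->wscale)` and `sizeof(synproxy->flags)`. A later patch in this series may add an object attr_policy maxlen, but the setter should not depend on a check that lives elsewhere. The rest of nftnl_obj_synproxy_set() lies outside the hunk.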
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/utils.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/include/utils.h b/include/utils.h +index 8af5a8e..ca12d25 100644 +--- a/include/utils.h ++++ b/include/utils.h +@@ -37,9 +37,9 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line); + #define nftnl_assert_validate(data, _validate_array, _attr, _data_len) \ + ({ \ + if (!data) \ +- __nftnl_assert_fail(attr, __FILE__, __LINE__); \ ++ __nftnl_assert_fail(_attr, __FILE__, __LINE__); \ + if (_validate_array[_attr]) \ +- nftnl_assert(data, attr, _validate_array[_attr] == _data_len); \ ++ nftnl_assert(data, _attr, _validate_array[_attr] == _data_len); \ + }) + + void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max, +@@ -98,4 +98,7 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type, + uint32_t cmd, uint32_t type, + uint32_t flags)); + ++int nftnl_set_str_attr(const char **dptr, uint32_t *flags, ++ uint16_t attr, const void *data, uint32_t data_len); ++ + #endif diff --git a/SOURCES/0021-object-getters-take-const-struct.patch b/SOURCES/0021-object-getters-take-const-struct.patch new file mode 100644 index 0000000..b73f1b1 --- /dev/null +++ b/SOURCES/0021-object-getters-take-const-struct.patch 
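Review bot: The second hunk adds a prototype for nftnl_set_str_attr() that nothing in this patch defines or uses, and the subject line covers only the macro fix; it apparently belongs with the patch that introduces that helper (0027 by its file name). Carrying it here leaves a declaration without a definition between the two patches, harmless for the build but misleading when bisecting. In the macro itself the parameter `data` is still named like a caller's local while the others are `_attr` and `_data_len`, the same naming pattern that produced the bug being fixed; renaming it and parenthesising the uses would close that trap, starting with `#define nftnl_assert_validate(_data, _validate_array, _attr, _data_len) \` and `if (!(_data)) \`.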
@@ -0,0 +1,116 @@ +From 85918467438e340b81386b9cc709ba6e88ff860b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:40 +0200 +Subject: [PATCH] object: getters take const struct + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit ff117f50d2f99c03a65b4952b1a6988a8adc700f + +commit ff117f50d2f99c03a65b4952b1a6988a8adc700f +Author: corubba +Date: Sat Dec 9 23:03:01 2023 +0100 + + object: getters take const struct + + As with all the other entities (like table or set), the getter functions + for objects now take a `const struct nftnl_obj*` as first parameter. + The getters for all specific object types (like counter or limit), which + are called in the default switch-case, already do. + + Signed-off-by: corubba + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + include/libnftnl/object.h | 14 +++++++------- + src/object.c | 14 +++++++------- + 2 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h +index 9bd83a5..4b2d90f 100644 +--- a/include/libnftnl/object.h ++++ b/include/libnftnl/object.h +@@ -131,14 +131,14 @@ void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val); + void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val); + void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val); + void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str); +-const void *nftnl_obj_get_data(struct nftnl_obj *ne, uint16_t attr, ++const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr, + uint32_t *data_len); +-const void *nftnl_obj_get(struct nftnl_obj *ne, uint16_t attr); +-uint8_t nftnl_obj_get_u8(struct nftnl_obj *ne, uint16_t attr); +-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr); +-uint32_t nftnl_obj_get_u32(struct nftnl_obj *ne, uint16_t attr); +-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr); +-const char *nftnl_obj_get_str(struct nftnl_obj *ne, uint16_t attr); ++const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr); ++uint8_t nftnl_obj_get_u8(const struct nftnl_obj *ne, uint16_t attr); ++uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr); ++uint32_t nftnl_obj_get_u32(const struct nftnl_obj *ne, uint16_t attr); ++uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr); ++const char *nftnl_obj_get_str(const struct nftnl_obj *ne, uint16_t attr); + + void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh, + const struct nftnl_obj *ne); +diff --git a/src/object.c b/src/object.c +index e94236e..a1a00d8 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -161,7 +161,7 @@ void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t 
attr, const char *str) + } + + EXPORT_SYMBOL(nftnl_obj_get_data); +-const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr, ++const void *nftnl_obj_get_data(const struct nftnl_obj *obj, uint16_t attr, + uint32_t *data_len) + { + if (!(obj->flags & (1 << attr))) +@@ -199,42 +199,42 @@ const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr, + } + + EXPORT_SYMBOL(nftnl_obj_get); +-const void *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr) ++const void *nftnl_obj_get(const struct nftnl_obj *obj, uint16_t attr) + { + uint32_t data_len; + return nftnl_obj_get_data(obj, attr, &data_len); + } + + EXPORT_SYMBOL(nftnl_obj_get_u8); +-uint8_t nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr) ++uint8_t nftnl_obj_get_u8(const struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint8_t *)ret); + } + + EXPORT_SYMBOL(nftnl_obj_get_u16); +-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr) ++uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint16_t *)ret); + } + + EXPORT_SYMBOL(nftnl_obj_get_u32); +-uint32_t nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr) ++uint32_t nftnl_obj_get_u32(const struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint32_t *)ret); + } + + EXPORT_SYMBOL(nftnl_obj_get_u64); +-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr) ++uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr) + { + const void *ret = nftnl_obj_get(obj, attr); + return ret == NULL ? 0 : *((uint64_t *)ret); + } + + EXPORT_SYMBOL(nftnl_obj_get_str); +-const char *nftnl_obj_get_str(struct nftnl_obj *obj, uint16_t attr) ++const char *nftnl_obj_get_str(const struct nftnl_obj *obj, uint16_t attr) + { + return nftnl_obj_get(obj, attr); + } 
diff --git a/SOURCES/0022-obj-Return-value-on-setters.patch b/SOURCES/0022-obj-Return-value-on-setters.patch new file mode 100644 index 0000000..c5bd886 --- /dev/null +++ b/SOURCES/0022-obj-Return-value-on-setters.patch @@ -0,0 +1,157 @@ +From 7275fc782f822451b2cba5414037e1b0a1a59bf5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] obj: Return value on setters + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 691f90223712426a2babdb55d7e5526b7310ca6e + +commit 691f90223712426a2babdb55d7e5526b7310ca6e +Author: Phil Sutter +Date: Thu Mar 14 16:54:55 2024 +0100 + + obj: Return value on setters + + Similar to other setters, let callers know if memory allocation fails. + Though return value with all setters, as all of them may be used to set + object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE + was not set before). + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/libnftnl/object.h | 14 ++++++------- + src/object.c | 41 +++++++++++++++++++++++---------------- + 2 files changed, 31 insertions(+), 24 deletions(-) + +diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h +index 4b2d90f..e235fdf 100644 +--- a/include/libnftnl/object.h ++++ b/include/libnftnl/object.h +@@ -123,14 +123,14 @@ void nftnl_obj_free(const struct nftnl_obj *ne); + + bool nftnl_obj_is_set(const struct nftnl_obj *ne, uint16_t attr); + void nftnl_obj_unset(struct nftnl_obj *ne, uint16_t attr); +-void nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data, +- uint32_t data_len); ++int nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data, ++ uint32_t data_len); + void nftnl_obj_set(struct nftnl_obj *ne, uint16_t attr, const void *data) __attribute__((deprecated)); +-void nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val); +-void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val); +-void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val); +-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val); +-void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str); ++int nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val); ++int nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val); ++int nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val); ++int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val); ++int nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str); + const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr, + uint32_t *data_len); + const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr); +diff --git a/src/object.c b/src/object.c +index a1a00d8..30e5ee8 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -77,8 +77,8 @@ static uint32_t 
nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = { + }; + + EXPORT_SYMBOL(nftnl_obj_set_data); +-void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, +- const void *data, uint32_t data_len) ++int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, ++ const void *data, uint32_t data_len) + { + if (attr < NFTNL_OBJ_MAX) + nftnl_assert_validate(data, nftnl_obj_validate, attr, data_len); +@@ -87,15 +87,19 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + case NFTNL_OBJ_TABLE: + xfree(obj->table); + obj->table = strdup(data); ++ if (!obj->table) ++ return -1; + break; + case NFTNL_OBJ_NAME: + xfree(obj->name); + obj->name = strdup(data); ++ if (!obj->name) ++ return -1; + break; + case NFTNL_OBJ_TYPE: + obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data)); + if (!obj->ops) +- return; ++ return -1; + break; + case NFTNL_OBJ_FAMILY: + memcpy(&obj->family, data, sizeof(obj->family)); +@@ -112,16 +116,19 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + + obj->user.data = malloc(data_len); + if (!obj->user.data) +- return; ++ return -1; + memcpy(obj->user.data, data, data_len); + obj->user.len = data_len; + break; + default: +- if (obj->ops) +- obj->ops->set(obj, attr, data, data_len); +- break; ++ if (!obj->ops) ++ return -1; ++ ++ if (obj->ops->set(obj, attr, data, data_len) < 0) ++ return -1; + } + obj->flags |= (1 << attr); ++ return 0; + } + + void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) __visible; +@@ -131,33 +138,33 @@ void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) + } + + EXPORT_SYMBOL(nftnl_obj_set_u8); +-void nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val) ++int nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val) + { +- nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t)); ++ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t)); + } + + EXPORT_SYMBOL(nftnl_obj_set_u16); +-void nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t 
attr, uint16_t val) ++int nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val) + { +- nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t)); ++ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t)); + } + + EXPORT_SYMBOL(nftnl_obj_set_u32); +-void nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val) ++int nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val) + { +- nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t)); ++ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t)); + } + + EXPORT_SYMBOL(nftnl_obj_set_u64); +-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val) ++int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val) + { +- nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t)); ++ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t)); + } + + EXPORT_SYMBOL(nftnl_obj_set_str); +-void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str) ++int nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str) + { +- nftnl_obj_set_data(obj, attr, str, strlen(str) + 1); ++ return nftnl_obj_set_data(obj, attr, str, strlen(str) + 1); + } + + EXPORT_SYMBOL(nftnl_obj_get_data); diff --git a/SOURCES/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch b/SOURCES/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch new file mode 100644 index 0000000..0b31e82 --- /dev/null +++ b/SOURCES/0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch 
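Review bot: On strdup() failure in the NFTNL_OBJ_TABLE and NFTNL_OBJ_NAME cases the previous string has already been released by xfree() and the member is now NULL, but the attribute's bit in obj->flags, set by an earlier successful call, is left as it was, so nftnl_obj_is_set() keeps reporting the attribute while nftnl_obj_get_str() returns NULL. Clear the bit before bailing out: `if (!obj->table) { obj->flags &= ~(1 << attr); return -1; }` and the same for obj->name. The deprecated void nftnl_obj_set() wrapper shown in context still discards the new return value, so its callers never learn of the failure; a comment on it saying so would be worth adding. Parts of nftnl_obj_set_data() lie between the hunks.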
@@ -0,0 +1,234 @@ +From 4a180882136a860773c86c507805ef01eb757dd8 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] obj: Repurpose struct obj_ops::max_attr field + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit df4e259c0537fff58ecdc7b3ec1546fb2da93968 + +commit df4e259c0537fff58ecdc7b3ec1546fb2da93968 +Author: Phil Sutter +Date: Thu Mar 7 13:15:22 2024 +0100 + + obj: Repurpose struct obj_ops::max_attr field + + Just like with struct expr_ops::max_attr, make it hold the maximum + object attribute (NFTNL_OBJ_*) value supported by this object type. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/libnftnl/object.h | 9 +++++++++ + include/obj.h | 2 +- + src/obj/counter.c | 2 +- + src/obj/ct_expect.c | 2 +- + src/obj/ct_helper.c | 2 +- + src/obj/ct_timeout.c | 2 +- + src/obj/limit.c | 2 +- + src/obj/quota.c | 2 +- + src/obj/secmark.c | 2 +- + src/obj/synproxy.c | 2 +- + src/obj/tunnel.c | 2 +- + 11 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h +index e235fdf..9930355 100644 +--- a/include/libnftnl/object.h ++++ b/include/libnftnl/object.h +@@ -28,18 +28,21 @@ enum { + enum { + NFTNL_OBJ_CTR_PKTS = NFTNL_OBJ_BASE, + NFTNL_OBJ_CTR_BYTES, ++ __NFTNL_OBJ_CTR_MAX, + }; + + enum { + NFTNL_OBJ_QUOTA_BYTES = NFTNL_OBJ_BASE, + NFTNL_OBJ_QUOTA_CONSUMED, + NFTNL_OBJ_QUOTA_FLAGS, ++ __NFTNL_OBJ_QUOTA_MAX, + }; + + enum { + NFTNL_OBJ_CT_HELPER_NAME = NFTNL_OBJ_BASE, + NFTNL_OBJ_CT_HELPER_L3PROTO, + NFTNL_OBJ_CT_HELPER_L4PROTO, ++ __NFTNL_OBJ_CT_HELPER_MAX, + }; + + enum nftnl_cttimeout_array_tcp { +@@ -69,6 +72,7 @@ enum { + NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE, + NFTNL_OBJ_CT_TIMEOUT_L4PROTO, + NFTNL_OBJ_CT_TIMEOUT_ARRAY, ++ __NFTNL_OBJ_CT_TIMEOUT_MAX, + }; + + enum { +@@ -77,6 +81,7 @@ enum { + NFTNL_OBJ_CT_EXPECT_DPORT, + NFTNL_OBJ_CT_EXPECT_TIMEOUT, + NFTNL_OBJ_CT_EXPECT_SIZE, ++ __NFTNL_OBJ_CT_EXPECT_MAX, + }; + + enum { +@@ -85,12 +90,14 @@ enum { + NFTNL_OBJ_LIMIT_BURST, + NFTNL_OBJ_LIMIT_TYPE, + NFTNL_OBJ_LIMIT_FLAGS, ++ __NFTNL_OBJ_LIMIT_MAX, + }; + + enum { + NFTNL_OBJ_SYNPROXY_MSS = NFTNL_OBJ_BASE, + NFTNL_OBJ_SYNPROXY_WSCALE, + NFTNL_OBJ_SYNPROXY_FLAGS, ++ __NFTNL_OBJ_SYNPROXY_MAX, + }; + + enum { +@@ -110,10 +117,12 @@ enum { + NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX, + NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID, + NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR, ++ __NFTNL_OBJ_TUNNEL_MAX, + }; + + enum { + NFTNL_OBJ_SECMARK_CTX = NFTNL_OBJ_BASE, ++ __NFTNL_OBJ_SECMARK_MAX, + }; + + struct nftnl_obj; +diff --git a/include/obj.h 
b/include/obj.h +index d848ac9..6d2af8d 100644 +--- a/include/obj.h ++++ b/include/obj.h +@@ -104,7 +104,7 @@ struct obj_ops { + const char *name; + uint32_t type; + size_t alloc_len; +- int max_attr; ++ int nftnl_max_attr; + int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len); + const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len); + int (*parse)(struct nftnl_obj *e, struct nlattr *attr); +diff --git a/src/obj/counter.c b/src/obj/counter.c +index ebf3e74..76a1b20 100644 +--- a/src/obj/counter.c ++++ b/src/obj/counter.c +@@ -122,7 +122,7 @@ struct obj_ops obj_ops_counter = { + .name = "counter", + .type = NFT_OBJECT_COUNTER, + .alloc_len = sizeof(struct nftnl_obj_counter), +- .max_attr = NFTA_COUNTER_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1, + .set = nftnl_obj_counter_set, + .get = nftnl_obj_counter_get, + .parse = nftnl_obj_counter_parse, +diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c +index 810ba9a..7e9c5e1 100644 +--- a/src/obj/ct_expect.c ++++ b/src/obj/ct_expect.c +@@ -191,7 +191,7 @@ struct obj_ops obj_ops_ct_expect = { + .name = "ct_expect", + .type = NFT_OBJECT_CT_EXPECT, + .alloc_len = sizeof(struct nftnl_obj_ct_expect), +- .max_attr = NFTA_CT_EXPECT_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1, + .set = nftnl_obj_ct_expect_set, + .get = nftnl_obj_ct_expect_get, + .parse = nftnl_obj_ct_expect_parse, +diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c +index a31bd6f..f8aa734 100644 +--- a/src/obj/ct_helper.c ++++ b/src/obj/ct_helper.c +@@ -145,7 +145,7 @@ struct obj_ops obj_ops_ct_helper = { + .name = "ct_helper", + .type = NFT_OBJECT_CT_HELPER, + .alloc_len = sizeof(struct nftnl_obj_ct_helper), +- .max_attr = NFTA_CT_HELPER_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1, + .set = nftnl_obj_ct_helper_set, + .get = nftnl_obj_ct_helper_get, + .parse = nftnl_obj_ct_helper_parse, +diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c +index fedf9e3..ee86231 
100644 +--- a/src/obj/ct_timeout.c ++++ b/src/obj/ct_timeout.c +@@ -314,7 +314,7 @@ struct obj_ops obj_ops_ct_timeout = { + .name = "ct_timeout", + .type = NFT_OBJECT_CT_TIMEOUT, + .alloc_len = sizeof(struct nftnl_obj_ct_timeout), +- .max_attr = NFTA_CT_TIMEOUT_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1, + .set = nftnl_obj_ct_timeout_set, + .get = nftnl_obj_ct_timeout_get, + .parse = nftnl_obj_ct_timeout_parse, +diff --git a/src/obj/limit.c b/src/obj/limit.c +index d7b1aed..1c54bbc 100644 +--- a/src/obj/limit.c ++++ b/src/obj/limit.c +@@ -163,7 +163,7 @@ struct obj_ops obj_ops_limit = { + .name = "limit", + .type = NFT_OBJECT_LIMIT, + .alloc_len = sizeof(struct nftnl_obj_limit), +- .max_attr = NFTA_LIMIT_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1, + .set = nftnl_obj_limit_set, + .get = nftnl_obj_limit_get, + .parse = nftnl_obj_limit_parse, +diff --git a/src/obj/quota.c b/src/obj/quota.c +index 6c7559a..a39d552 100644 +--- a/src/obj/quota.c ++++ b/src/obj/quota.c +@@ -139,7 +139,7 @@ struct obj_ops obj_ops_quota = { + .name = "quota", + .type = NFT_OBJECT_QUOTA, + .alloc_len = sizeof(struct nftnl_obj_quota), +- .max_attr = NFTA_QUOTA_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1, + .set = nftnl_obj_quota_set, + .get = nftnl_obj_quota_get, + .parse = nftnl_obj_quota_parse, +diff --git a/src/obj/secmark.c b/src/obj/secmark.c +index e5c24b3..c78e35f 100644 +--- a/src/obj/secmark.c ++++ b/src/obj/secmark.c +@@ -111,7 +111,7 @@ struct obj_ops obj_ops_secmark = { + .name = "secmark", + .type = NFT_OBJECT_SECMARK, + .alloc_len = sizeof(struct nftnl_obj_secmark), +- .max_attr = NFTA_SECMARK_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1, + .set = nftnl_obj_secmark_set, + .get = nftnl_obj_secmark_get, + .parse = nftnl_obj_secmark_parse, +diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c +index 4ef97ec..d259a51 100644 +--- a/src/obj/synproxy.c ++++ b/src/obj/synproxy.c +@@ -138,7 +138,7 @@ struct obj_ops obj_ops_synproxy = { + .name = 
"synproxy", + .type = NFT_OBJECT_SYNPROXY, + .alloc_len = sizeof(struct nftnl_obj_synproxy), +- .max_attr = NFTA_SYNPROXY_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1, + .set = nftnl_obj_synproxy_set, + .get = nftnl_obj_synproxy_get, + .parse = nftnl_obj_synproxy_parse, +diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c +index d2503dc..19a3639 100644 +--- a/src/obj/tunnel.c ++++ b/src/obj/tunnel.c +@@ -542,7 +542,7 @@ struct obj_ops obj_ops_tunnel = { + .name = "tunnel", + .type = NFT_OBJECT_TUNNEL, + .alloc_len = sizeof(struct nftnl_obj_tunnel), +- .max_attr = NFTA_TUNNEL_KEY_MAX, ++ .nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1, + .set = nftnl_obj_tunnel_set, + .get = nftnl_obj_tunnel_get, + .parse = nftnl_obj_tunnel_parse, diff --git a/SOURCES/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch b/SOURCES/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch new file mode 100644 index 0000000..5dbb98d --- /dev/null +++ b/SOURCES/0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch @@ -0,0 +1,168 @@ +From 0203ccf90e6f8a246a5a071e903ab0d89acf2bad Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] obj: Call obj_ops::set with legal attributes only + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 410c245e4811d7888daa456547af58d93d1c63b4 + +commit 410c245e4811d7888daa456547af58d93d1c63b4 +Author: Phil Sutter +Date: Thu Mar 7 13:25:31 2024 +0100 + + obj: Call obj_ops::set with legal attributes only + + Refer to obj_ops::nftnl_max_attr field value for the maximum supported + attribute value to reject invalid ones upfront. + + Consequently drop default cases from callbacks' switches which handle + all supported attributes. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/obj/counter.c | 2 -- + src/obj/ct_expect.c | 2 -- + src/obj/ct_helper.c | 2 -- + src/obj/ct_timeout.c | 2 -- + src/obj/limit.c | 2 -- + src/obj/quota.c | 2 -- + src/obj/secmark.c | 2 -- + src/obj/synproxy.c | 2 -- + src/obj/tunnel.c | 2 -- + src/object.c | 4 +++- + 10 files changed, 3 insertions(+), 19 deletions(-) + +diff --git a/src/obj/counter.c b/src/obj/counter.c +index 76a1b20..982da2c 100644 +--- a/src/obj/counter.c ++++ b/src/obj/counter.c +@@ -34,8 +34,6 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_CTR_PKTS: + memcpy(&ctr->pkts, data, sizeof(ctr->pkts)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c +index 7e9c5e1..60014dc 100644 +--- a/src/obj/ct_expect.c ++++ b/src/obj/ct_expect.c +@@ -35,8 +35,6 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_CT_EXPECT_SIZE: + memcpy(&exp->size, data, sizeof(exp->size)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c +index f8aa734..b8b05fd 100644 +--- a/src/obj/ct_helper.c ++++ b/src/obj/ct_helper.c +@@ -37,8 +37,6 @@ static int nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_CT_HELPER_L4PROTO: + memcpy(&helper->l4proto, data, sizeof(helper->l4proto)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c +index ee86231..011d928 100644 +--- a/src/obj/ct_timeout.c ++++ b/src/obj/ct_timeout.c +@@ -162,8 +162,6 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type, + memcpy(timeout->timeout, data, + sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/limit.c b/src/obj/limit.c +index 1c54bbc..83cb193 100644 +--- a/src/obj/limit.c ++++ b/src/obj/limit.c +@@ -42,8 +42,6 @@ static 
int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_LIMIT_FLAGS: + memcpy(&limit->flags, data, sizeof(limit->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/quota.c b/src/obj/quota.c +index a39d552..665d7ca 100644 +--- a/src/obj/quota.c ++++ b/src/obj/quota.c +@@ -36,8 +36,6 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_QUOTA_FLAGS: + memcpy("a->flags, data, sizeof(quota->flags)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/secmark.c b/src/obj/secmark.c +index c78e35f..83cd1dc 100644 +--- a/src/obj/secmark.c ++++ b/src/obj/secmark.c +@@ -30,8 +30,6 @@ static int nftnl_obj_secmark_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_SECMARK_CTX: + snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", (const char *)data); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c +index d259a51..f7c7762 100644 +--- a/src/obj/synproxy.c ++++ b/src/obj/synproxy.c +@@ -27,8 +27,6 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_SYNPROXY_FLAGS: + memcpy(&synproxy->flags, data, data_len); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c +index 19a3639..72985ee 100644 +--- a/src/obj/tunnel.c ++++ b/src/obj/tunnel.c +@@ -76,8 +76,6 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type, + case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR: + memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir)); + break; +- default: +- return -1; + } + return 0; + } +diff --git a/src/object.c b/src/object.c +index 30e5ee8..52a184e 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -121,7 +121,9 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + obj->user.len = data_len; + break; + default: +- if (!obj->ops) ++ if (!obj->ops || ++ attr < NFTNL_OBJ_BASE || ++ attr > 
obj->ops->nftnl_max_attr) + return -1; + + if (obj->ops->set(obj, attr, data, data_len) < 0) diff --git a/SOURCES/0025-obj-Introduce-struct-obj_ops-attr_policy.patch b/SOURCES/0025-obj-Introduce-struct-obj_ops-attr_policy.patch new file mode 100644 index 0000000..72c9453 --- /dev/null +++ b/SOURCES/0025-obj-Introduce-struct-obj_ops-attr_policy.patch @@ -0,0 +1,272 @@ +From 569a847a23ba79cf67570fc44569cdb3c816f027 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] obj: Introduce struct obj_ops::attr_policy + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit f8348db87791bb8061b7f9ecf856e835ab74d006 + +commit f8348db87791bb8061b7f9ecf856e835ab74d006 +Author: Phil Sutter +Date: Thu Mar 7 13:46:26 2024 +0100 + + obj: Introduce struct obj_ops::attr_policy + + Just like with struct expr_ops::attr_policy, enable object types to + inform about restrictions on attribute use. This way generic object code + may perform sanity checks before dispatching to object ops. + + 
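Review bot: With `default: return -1;` removed from every `obj_ops::set` callback (counter.c through tunnel.c), each switch now silently returns 0 for any value in `[NFTNL_OBJ_BASE, nftnl_max_attr]` it does not list, so the new range check in object.c is the only thing standing between an unknown attribute and a successful no-op; a one-line comment above each switch, `/* type is range-checked by nftnl_obj_set_data(); every legal value needs a case */`, would record that contract for the next maintainer. The consequence is that an attribute later appended to an `enum nftnl_*_attr` without a matching `case` is accepted and dropped rather than rejected as before, which is a behavioural change the commit message does not call out. `nftnl_obj_set_data()` and each `*_set()` function start outside their hunks.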
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/obj.h | 1 + + src/obj/counter.c | 6 ++++++ + src/obj/ct_expect.c | 10 ++++++++++ + src/obj/ct_helper.c | 11 +++++++++++ + src/obj/ct_timeout.c | 7 +++++++ + src/obj/limit.c | 9 +++++++++ + src/obj/quota.c | 7 +++++++ + src/obj/secmark.c | 5 +++++ + src/obj/synproxy.c | 7 +++++++ + src/obj/tunnel.c | 20 ++++++++++++++++++++ + 10 files changed, 83 insertions(+) + +diff --git a/include/obj.h b/include/obj.h +index 6d2af8d..d217737 100644 +--- a/include/obj.h ++++ b/include/obj.h +@@ -105,6 +105,7 @@ struct obj_ops { + uint32_t type; + size_t alloc_len; + int nftnl_max_attr; ++ struct attr_policy *attr_policy; + int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len); + const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len); + int (*parse)(struct nftnl_obj *e, struct nlattr *attr); +diff --git a/src/obj/counter.c b/src/obj/counter.c +index 982da2c..44524d7 100644 +--- a/src/obj/counter.c ++++ b/src/obj/counter.c +@@ -116,11 +116,17 @@ static int nftnl_obj_counter_snprintf(char *buf, size_t len, uint32_t flags, + ctr->pkts, ctr->bytes); + } + ++static struct attr_policy obj_ctr_attr_policy[__NFTNL_OBJ_CTR_MAX] = { ++ [NFTNL_OBJ_CTR_BYTES] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_OBJ_CTR_PKTS] = { .maxlen = sizeof(uint64_t) }, ++}; ++ + struct obj_ops obj_ops_counter = { + .name = "counter", + .type = NFT_OBJECT_COUNTER, + .alloc_len = sizeof(struct nftnl_obj_counter), + .nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1, ++ .attr_policy = obj_ctr_attr_policy, + .set = nftnl_obj_counter_set, + .get = nftnl_obj_counter_get, + .parse = nftnl_obj_counter_parse, +diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c +index 60014dc..978af15 100644 +--- a/src/obj/ct_expect.c ++++ b/src/obj/ct_expect.c +@@ -185,11 +185,21 @@ static int nftnl_obj_ct_expect_snprintf(char *buf, size_t remain, + return offset; + } + ++static struct attr_policy 
++obj_ct_expect_attr_policy[__NFTNL_OBJ_CT_EXPECT_MAX] = { ++ [NFTNL_OBJ_CT_EXPECT_L3PROTO] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_CT_EXPECT_L4PROTO] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_OBJ_CT_EXPECT_DPORT] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_CT_EXPECT_TIMEOUT] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_CT_EXPECT_SIZE] = { .maxlen = sizeof(uint8_t) }, ++}; ++ + struct obj_ops obj_ops_ct_expect = { + .name = "ct_expect", + .type = NFT_OBJECT_CT_EXPECT, + .alloc_len = sizeof(struct nftnl_obj_ct_expect), + .nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1, ++ .attr_policy = obj_ct_expect_attr_policy, + .set = nftnl_obj_ct_expect_set, + .get = nftnl_obj_ct_expect_get, + .parse = nftnl_obj_ct_expect_parse, +diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c +index b8b05fd..aa8e926 100644 +--- a/src/obj/ct_helper.c ++++ b/src/obj/ct_helper.c +@@ -139,11 +139,22 @@ static int nftnl_obj_ct_helper_snprintf(char *buf, size_t len, + helper->name, helper->l3proto, helper->l4proto); + } + ++/* from kernel's include/net/netfilter/nf_conntrack_helper.h */ ++#define NF_CT_HELPER_NAME_LEN 16 ++ ++static struct attr_policy ++obj_ct_helper_attr_policy[__NFTNL_OBJ_CT_HELPER_MAX] = { ++ [NFTNL_OBJ_CT_HELPER_NAME] = { .maxlen = NF_CT_HELPER_NAME_LEN }, ++ [NFTNL_OBJ_CT_HELPER_L3PROTO] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_CT_HELPER_L4PROTO] = { .maxlen = sizeof(uint8_t) }, ++}; ++ + struct obj_ops obj_ops_ct_helper = { + .name = "ct_helper", + .type = NFT_OBJECT_CT_HELPER, + .alloc_len = sizeof(struct nftnl_obj_ct_helper), + .nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1, ++ .attr_policy = obj_ct_helper_attr_policy, + .set = nftnl_obj_ct_helper_set, + .get = nftnl_obj_ct_helper_get, + .parse = nftnl_obj_ct_helper_parse, +diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c +index 011d928..88522d8 100644 +--- a/src/obj/ct_timeout.c ++++ b/src/obj/ct_timeout.c +@@ -308,11 +308,18 @@ static int nftnl_obj_ct_timeout_snprintf(char *buf, 
size_t remain, + return offset; + } + ++static struct attr_policy ++obj_ct_timeout_attr_policy[__NFTNL_OBJ_CT_TIMEOUT_MAX] = { ++ [NFTNL_OBJ_CT_TIMEOUT_L3PROTO] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_CT_TIMEOUT_L4PROTO] = { .maxlen = sizeof(uint8_t) }, ++}; ++ + struct obj_ops obj_ops_ct_timeout = { + .name = "ct_timeout", + .type = NFT_OBJECT_CT_TIMEOUT, + .alloc_len = sizeof(struct nftnl_obj_ct_timeout), + .nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1, ++ .attr_policy = obj_ct_timeout_attr_policy, + .set = nftnl_obj_ct_timeout_set, + .get = nftnl_obj_ct_timeout_get, + .parse = nftnl_obj_ct_timeout_parse, +diff --git a/src/obj/limit.c b/src/obj/limit.c +index 83cb193..0c7362e 100644 +--- a/src/obj/limit.c ++++ b/src/obj/limit.c +@@ -157,11 +157,20 @@ static int nftnl_obj_limit_snprintf(char *buf, size_t len, + limit->burst, limit->type, limit->flags); + } + ++static struct attr_policy obj_limit_attr_policy[__NFTNL_OBJ_LIMIT_MAX] = { ++ [NFTNL_OBJ_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_OBJ_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_OBJ_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct obj_ops obj_ops_limit = { + .name = "limit", + .type = NFT_OBJECT_LIMIT, + .alloc_len = sizeof(struct nftnl_obj_limit), + .nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1, ++ .attr_policy = obj_limit_attr_policy, + .set = nftnl_obj_limit_set, + .get = nftnl_obj_limit_get, + .parse = nftnl_obj_limit_parse, +diff --git a/src/obj/quota.c b/src/obj/quota.c +index 665d7ca..b48ba91 100644 +--- a/src/obj/quota.c ++++ b/src/obj/quota.c +@@ -133,11 +133,18 @@ static int nftnl_obj_quota_snprintf(char *buf, size_t len, + quota->bytes, quota->flags); + } + ++static struct attr_policy obj_quota_attr_policy[__NFTNL_OBJ_QUOTA_MAX] = { ++ [NFTNL_OBJ_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) }, ++ [NFTNL_OBJ_QUOTA_CONSUMED] = { 
.maxlen = sizeof(uint64_t) }, ++ [NFTNL_OBJ_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct obj_ops obj_ops_quota = { + .name = "quota", + .type = NFT_OBJECT_QUOTA, + .alloc_len = sizeof(struct nftnl_obj_quota), + .nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1, ++ .attr_policy = obj_quota_attr_policy, + .set = nftnl_obj_quota_set, + .get = nftnl_obj_quota_get, + .parse = nftnl_obj_quota_parse, +diff --git a/src/obj/secmark.c b/src/obj/secmark.c +index 83cd1dc..eea9664 100644 +--- a/src/obj/secmark.c ++++ b/src/obj/secmark.c +@@ -105,11 +105,16 @@ static int nftnl_obj_secmark_snprintf(char *buf, size_t len, + return snprintf(buf, len, "context %s ", secmark->ctx); + } + ++static struct attr_policy obj_secmark_attr_policy[__NFTNL_OBJ_SECMARK_MAX] = { ++ [NFTNL_OBJ_SECMARK_CTX] = { .maxlen = NFT_SECMARK_CTX_MAXLEN }, ++}; ++ + struct obj_ops obj_ops_secmark = { + .name = "secmark", + .type = NFT_OBJECT_SECMARK, + .alloc_len = sizeof(struct nftnl_obj_secmark), + .nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1, ++ .attr_policy = obj_secmark_attr_policy, + .set = nftnl_obj_secmark_set, + .get = nftnl_obj_secmark_get, + .parse = nftnl_obj_secmark_parse, +diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c +index f7c7762..65fbcf7 100644 +--- a/src/obj/synproxy.c ++++ b/src/obj/synproxy.c +@@ -132,11 +132,18 @@ static int nftnl_obj_synproxy_snprintf(char *buf, size_t len, + return offset; + } + ++static struct attr_policy obj_synproxy_attr_policy[__NFTNL_OBJ_SYNPROXY_MAX] = { ++ [NFTNL_OBJ_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_OBJ_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++}; ++ + struct obj_ops obj_ops_synproxy = { + .name = "synproxy", + .type = NFT_OBJECT_SYNPROXY, + .alloc_len = sizeof(struct nftnl_obj_synproxy), + .nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1, ++ .attr_policy = obj_synproxy_attr_policy, + .set = nftnl_obj_synproxy_set, + .get = 
nftnl_obj_synproxy_get, + .parse = nftnl_obj_synproxy_parse, +diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c +index 72985ee..07b3b2a 100644 +--- a/src/obj/tunnel.c ++++ b/src/obj/tunnel.c +@@ -536,11 +536,31 @@ static int nftnl_obj_tunnel_snprintf(char *buf, size_t len, + return snprintf(buf, len, "id %u ", tun->id); + } + ++static struct attr_policy obj_tunnel_attr_policy[__NFTNL_OBJ_TUNNEL_MAX] = { ++ [NFTNL_OBJ_TUNNEL_ID] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_IPV4_SRC] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_IPV4_DST] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_IPV6_SRC] = { .maxlen = sizeof(struct in6_addr) }, ++ [NFTNL_OBJ_TUNNEL_IPV6_DST] = { .maxlen = sizeof(struct in6_addr) }, ++ [NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_SPORT] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_TUNNEL_DPORT] = { .maxlen = sizeof(uint16_t) }, ++ [NFTNL_OBJ_TUNNEL_FLAGS] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_TOS] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_OBJ_TUNNEL_TTL] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_OBJ_TUNNEL_VXLAN_GBP] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_ERSPAN_VERSION] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX] = { .maxlen = sizeof(uint32_t) }, ++ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID] = { .maxlen = sizeof(uint8_t) }, ++ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR] = { .maxlen = sizeof(uint8_t) }, ++}; ++ + struct obj_ops obj_ops_tunnel = { + .name = "tunnel", + .type = NFT_OBJECT_TUNNEL, + .alloc_len = sizeof(struct nftnl_obj_tunnel), + .nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1, ++ .attr_policy = obj_tunnel_attr_policy, + .set = nftnl_obj_tunnel_set, + .get = nftnl_obj_tunnel_get, + .parse = nftnl_obj_tunnel_parse, diff --git a/SOURCES/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch b/SOURCES/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch new file mode 100644 index 0000000..807af48 
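Review bot: The new `attr_policy` arrays cap `data_len` but say nothing about NUL termination, and the two string attributes they cover — `NFTNL_OBJ_SECMARK_CTX` (`maxlen = NFT_SECMARK_CTX_MAXLEN`) and `NFTNL_OBJ_CT_HELPER_NAME` (`maxlen = NF_CT_HELPER_NAME_LEN`) — are still consumed by `snprintf(..., "%s", (const char *)data)` in their setters (visible as context in the 0024 and 0028 patches), a read that is bounded by the terminator rather than by `data_len`, so a caller passing exactly `maxlen` bytes without a NUL is not protected by this policy. The `include/obj.h` hunk adds the field without stating the convention the 0026 patch later relies on; a comment on `struct attr_policy *attr_policy;` such as `/* indexed by NFTNL_OBJ_* attribute; maxlen 0 means no length limit */` would help. Whether `NF_CT_HELPER_NAME_LEN` (16) includes the terminator mirrors the kernel definition and cannot be confirmed from this hunk.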
--- /dev/null +++ b/SOURCES/0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch @@ -0,0 +1,43 @@ +From c67dacb6c402c95eb6331a36ba1fbca1a3ee2257 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] obj: Enforce attr_policy compliance in nftnl_obj_set_data() + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit 5d94baba0f43426120ce025aacaa74406659ad7f + +commit 5d94baba0f43426120ce025aacaa74406659ad7f +Author: Phil Sutter +Date: Thu Mar 7 13:56:14 2024 +0100 + + obj: Enforce attr_policy compliance in nftnl_obj_set_data() + + Every object type defines an attr_policy array, so deny setting + attributes for object types which don't have it present or if it + specifies a non-zero maxlen which is lower than the given data_len. + + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/object.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/object.c b/src/object.c +index 52a184e..b653732 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -123,7 +123,12 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + default: + if (!obj->ops || + attr < NFTNL_OBJ_BASE || +- attr > obj->ops->nftnl_max_attr) ++ attr > obj->ops->nftnl_max_attr || ++ !obj->ops->attr_policy) ++ return -1; ++ ++ if (obj->ops->attr_policy[attr].maxlen && ++ obj->ops->attr_policy[attr].maxlen < data_len) + return -1; + + if (obj->ops->set(obj, attr, data, data_len) < 0) diff --git a/SOURCES/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch b/SOURCES/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch new file mode 100644 index 0000000..3c3826d --- /dev/null +++ b/SOURCES/0027-utils-Introduce-and-use-nftnl_set_str_attr.patch 
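Review bot: In the object.c hunk a `maxlen` of zero disables the length check entirely, and because every `obj_*_attr_policy` array is sized by `__NFTNL_OBJ_*_MAX` and only partially initialised, an attribute index missing from an initialiser is zero and therefore unbounded by default; a comment on the new condition, `/* maxlen == 0: no length restriction (also the default for unlisted entries) */`, would make a missing table entry recognisable as a gap rather than a deliberate opt-out. The index `attr_policy[attr]` is in bounds only because the preceding `attr > obj->ops->nftnl_max_attr` test in the same condition pins `attr` to at most `__NFTNL_OBJ_*_MAX - 1`; a reader has to cross-reference patch 0023 to see that, so a short note there would help too. `nftnl_obj_set_data()` starts outside the hunk.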
@@ -0,0 +1,251 @@ +From 7285bf672df47b130e4ff3afd481bf4973cede5e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] utils: Introduce and use nftnl_set_str_attr() + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit bb5e75be9d28c37096c90d9ae9fcc7ad0841f2c2 + +commit bb5e75be9d28c37096c90d9ae9fcc7ad0841f2c2 +Author: Phil Sutter +Date: Thu Mar 7 14:07:21 2024 +0100 + + utils: Introduce and use nftnl_set_str_attr() + + The function consolidates the necessary code when assigning to string + pointer attributes, namely: + + * Conditional free of the previous value + * Allocation of new value + * Checking for memory allocation errors + * Setting respective flag bit + + A new feature previously missing in all call sites is respecting + data_len in case the buffer up to that point did not contain a NUL-char. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/chain.c | 36 ++++++++---------------------------- + src/flowtable.c | 17 ++++------------- + src/object.c | 13 ++++--------- + src/rule.c | 18 ++++-------------- + src/set.c | 18 ++++-------------- + src/table.c | 9 ++------- + src/utils.c | 14 ++++++++++++++ + 7 files changed, 40 insertions(+), 85 deletions(-) + +diff --git a/src/chain.c b/src/chain.c +index e0b1eaf..c7026f4 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -217,21 +217,11 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, + + switch(attr) { + case NFTNL_CHAIN_NAME: +- if (c->flags & (1 << NFTNL_CHAIN_NAME)) +- xfree(c->name); +- +- c->name = strdup(data); +- if (!c->name) +- return -1; +- break; ++ return nftnl_set_str_attr(&c->name, &c->flags, ++ attr, data, data_len); + case NFTNL_CHAIN_TABLE: +- if (c->flags & (1 << NFTNL_CHAIN_TABLE)) +- xfree(c->table); +- +- c->table = strdup(data); +- if (!c->table) +- return -1; +- break; ++ return nftnl_set_str_attr(&c->table, &c->flags, ++ attr, data, data_len); + case NFTNL_CHAIN_HOOKNUM: + memcpy(&c->hooknum, data, sizeof(c->hooknum)); + break; +@@ -257,21 +247,11 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr, + memcpy(&c->family, data, sizeof(c->family)); + break; + case NFTNL_CHAIN_TYPE: +- if (c->flags & (1 << NFTNL_CHAIN_TYPE)) +- xfree(c->type); +- +- c->type = strdup(data); +- if (!c->type) +- return -1; +- break; ++ return nftnl_set_str_attr(&c->type, &c->flags, ++ attr, data, data_len); + case NFTNL_CHAIN_DEV: +- if (c->flags & (1 << NFTNL_CHAIN_DEV)) +- xfree(c->dev); +- +- c->dev = strdup(data); +- if (!c->dev) +- return -1; +- break; ++ return nftnl_set_str_attr(&c->dev, &c->flags, ++ attr, data, data_len); + case NFTNL_CHAIN_DEVICES: + dev_array = (const char **)data; + while (dev_array[len] != NULL) +diff --git a/src/flowtable.c b/src/flowtable.c +index 2f37cd4..41a1456 100644 +--- a/src/flowtable.c ++++ b/src/flowtable.c +@@ -119,20 
+119,11 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr, + + switch(attr) { + case NFTNL_FLOWTABLE_NAME: +- if (c->flags & (1 << NFTNL_FLOWTABLE_NAME)) +- xfree(c->name); +- +- c->name = strdup(data); +- if (!c->name) +- return -1; +- break; ++ return nftnl_set_str_attr(&c->name, &c->flags, ++ attr, data, data_len); + case NFTNL_FLOWTABLE_TABLE: +- if (c->flags & (1 << NFTNL_FLOWTABLE_TABLE)) +- xfree(c->table); +- +- c->table = strdup(data); +- if (!c->table) +- return -1; ++ return nftnl_set_str_attr(&c->table, &c->flags, ++ attr, data, data_len); + break; + case NFTNL_FLOWTABLE_HOOKNUM: + memcpy(&c->hooknum, data, sizeof(c->hooknum)); +diff --git a/src/object.c b/src/object.c +index b653732..79b41eb 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -85,17 +85,12 @@ int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, + + switch (attr) { + case NFTNL_OBJ_TABLE: +- xfree(obj->table); +- obj->table = strdup(data); +- if (!obj->table) +- return -1; ++ return nftnl_set_str_attr(&obj->table, &obj->flags, ++ attr, data, data_len); + break; + case NFTNL_OBJ_NAME: +- xfree(obj->name); +- obj->name = strdup(data); +- if (!obj->name) +- return -1; +- break; ++ return nftnl_set_str_attr(&obj->name, &obj->flags, ++ attr, data, data_len); + case NFTNL_OBJ_TYPE: + obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data)); + if (!obj->ops) +diff --git a/src/rule.c b/src/rule.c +index a52012b..e16e2c1 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -115,21 +115,11 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, + + switch(attr) { + case NFTNL_RULE_TABLE: +- if (r->flags & (1 << NFTNL_RULE_TABLE)) +- xfree(r->table); +- +- r->table = strdup(data); +- if (!r->table) +- return -1; +- break; ++ return nftnl_set_str_attr(&r->table, &r->flags, ++ attr, data, data_len); + case NFTNL_RULE_CHAIN: +- if (r->flags & (1 << NFTNL_RULE_CHAIN)) +- xfree(r->chain); +- +- r->chain = strdup(data); +- if (!r->chain) +- return -1; +- break; ++ return 
nftnl_set_str_attr(&r->chain, &r->flags, ++ attr, data, data_len); + case NFTNL_RULE_HANDLE: + memcpy(&r->handle, data, sizeof(r->handle)); + break; +diff --git a/src/set.c b/src/set.c +index a732bc0..07e332d 100644 +--- a/src/set.c ++++ b/src/set.c +@@ -146,21 +146,11 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, + + switch(attr) { + case NFTNL_SET_TABLE: +- if (s->flags & (1 << NFTNL_SET_TABLE)) +- xfree(s->table); +- +- s->table = strdup(data); +- if (!s->table) +- return -1; +- break; ++ return nftnl_set_str_attr(&s->table, &s->flags, ++ attr, data, data_len); + case NFTNL_SET_NAME: +- if (s->flags & (1 << NFTNL_SET_NAME)) +- xfree(s->name); +- +- s->name = strdup(data); +- if (!s->name) +- return -1; +- break; ++ return nftnl_set_str_attr(&s->name, &s->flags, ++ attr, data, data_len); + case NFTNL_SET_HANDLE: + memcpy(&s->handle, data, sizeof(s->handle)); + break; +diff --git a/src/table.c b/src/table.c +index 4f48e8c..13f01cf 100644 +--- a/src/table.c ++++ b/src/table.c +@@ -101,13 +101,8 @@ int nftnl_table_set_data(struct nftnl_table *t, uint16_t attr, + + switch (attr) { + case NFTNL_TABLE_NAME: +- if (t->flags & (1 << NFTNL_TABLE_NAME)) +- xfree(t->name); +- +- t->name = strdup(data); +- if (!t->name) +- return -1; +- break; ++ return nftnl_set_str_attr(&t->name, &t->flags, ++ attr, data, data_len); + case NFTNL_TABLE_HANDLE: + memcpy(&t->handle, data, sizeof(t->handle)); + break; +diff --git a/src/utils.c b/src/utils.c +index 3617837..a0f03da 100644 +--- a/src/utils.c ++++ b/src/utils.c +@@ -330,3 +330,17 @@ void __noreturn __abi_breakage(const char *file, int line, const char *reason) + "%s:%d reason: %s\n", file, line, reason); + exit(EXIT_FAILURE); + } ++ ++int nftnl_set_str_attr(const char **dptr, uint32_t *flags, ++ uint16_t attr, const void *data, uint32_t data_len) ++{ ++ if (*flags & (1 << attr)) ++ xfree(*dptr); ++ ++ *dptr = strndup(data, data_len); ++ if (!*dptr) ++ return -1; ++ ++ *flags |= (1 << attr); ++ 
return 0; ++} diff --git a/SOURCES/0028-obj-Respect-data_len-when-setting-attributes.patch b/SOURCES/0028-obj-Respect-data_len-when-setting-attributes.patch new file mode 100644 index 0000000..5b18830 --- /dev/null +++ b/SOURCES/0028-obj-Respect-data_len-when-setting-attributes.patch @@ -0,0 +1,234 @@ +From a75cd0ecf866513625346ddfcedb366af91e6f03 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 May 2024 22:39:41 +0200 +Subject: [PATCH] obj: Respect data_len when setting attributes + +JIRA: https://issues.redhat.com/browse/RHEL-28515 +Upstream Status: libnftnl commit c48ac8cba8716a8bc4ff713ee965eee2643cfc31 + +commit c48ac8cba8716a8bc4ff713ee965eee2643cfc31 +Author: Phil Sutter +Date: Thu Mar 7 14:34:18 2024 +0100 + + obj: Respect data_len when setting attributes + + With attr_policy in place, data_len has an upper boundary. Use it for + memcpy() calls to cover for caller passing data with lower size than the + attribute's storage. + + 
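Review bot: Two call sites keep a now-unreachable `break;` after the new `return nftnl_set_str_attr(...)` — `NFTNL_FLOWTABLE_TABLE` in flowtable.c and `NFTNL_OBJ_TABLE` in object.c — while their sibling cases dropped theirs; remove both for consistency. In object.c the old code freed `obj->table` and `obj->name` unconditionally, whereas the helper frees only when the flag bit is set, so any path that assigns those pointers without setting the bit would now leak the old value — worth confirming against the parsing code, which is outside this patch. The diffstat lists no header, so unless `nftnl_set_str_attr()` is already declared in `include/utils.h` by another patch in the series the callers compile against an implicit declaration; a Doxygen comment on the definition stating that `*dptr` is replaced and that the caller retains ownership of the new string would round it off.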
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/obj/counter.c | 4 ++-- + src/obj/ct_expect.c | 10 +++++----- + src/obj/ct_helper.c | 4 ++-- + src/obj/ct_timeout.c | 4 ++-- + src/obj/limit.c | 10 +++++----- + src/obj/quota.c | 6 +++--- + src/obj/tunnel.c | 32 ++++++++++++++++---------------- + 7 files changed, 35 insertions(+), 35 deletions(-) + +diff --git a/src/obj/counter.c b/src/obj/counter.c +index 44524d7..19e09ed 100644 +--- a/src/obj/counter.c ++++ b/src/obj/counter.c +@@ -29,10 +29,10 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type, + + switch(type) { + case NFTNL_OBJ_CTR_BYTES: +- memcpy(&ctr->bytes, data, sizeof(ctr->bytes)); ++ memcpy(&ctr->bytes, data, data_len); + break; + case NFTNL_OBJ_CTR_PKTS: +- memcpy(&ctr->pkts, data, sizeof(ctr->pkts)); ++ memcpy(&ctr->pkts, data, data_len); + break; + } + return 0; +diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c +index 978af15..b4d6faa 100644 +--- a/src/obj/ct_expect.c ++++ b/src/obj/ct_expect.c +@@ -21,19 +21,19 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type, + + switch (type) { + case NFTNL_OBJ_CT_EXPECT_L3PROTO: +- memcpy(&exp->l3proto, data, sizeof(exp->l3proto)); ++ memcpy(&exp->l3proto, data, data_len); + break; + case NFTNL_OBJ_CT_EXPECT_L4PROTO: +- memcpy(&exp->l4proto, data, sizeof(exp->l4proto)); ++ memcpy(&exp->l4proto, data, data_len); + break; + case NFTNL_OBJ_CT_EXPECT_DPORT: +- memcpy(&exp->dport, data, sizeof(exp->dport)); ++ memcpy(&exp->dport, data, data_len); + break; + case NFTNL_OBJ_CT_EXPECT_TIMEOUT: +- memcpy(&exp->timeout, data, sizeof(exp->timeout)); ++ memcpy(&exp->timeout, data, data_len); + break; + case NFTNL_OBJ_CT_EXPECT_SIZE: +- memcpy(&exp->size, data, sizeof(exp->size)); ++ memcpy(&exp->size, data, data_len); + break; + } + return 0; +diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c +index aa8e926..1feccf2 100644 +--- a/src/obj/ct_helper.c ++++ b/src/obj/ct_helper.c +@@ -32,10 +32,10 @@ static int 
nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type, + snprintf(helper->name, sizeof(helper->name), "%s", (const char *)data); + break; + case NFTNL_OBJ_CT_HELPER_L3PROTO: +- memcpy(&helper->l3proto, data, sizeof(helper->l3proto)); ++ memcpy(&helper->l3proto, data, data_len); + break; + case NFTNL_OBJ_CT_HELPER_L4PROTO: +- memcpy(&helper->l4proto, data, sizeof(helper->l4proto)); ++ memcpy(&helper->l4proto, data, data_len); + break; + } + return 0; +diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c +index 88522d8..b9b688e 100644 +--- a/src/obj/ct_timeout.c ++++ b/src/obj/ct_timeout.c +@@ -150,10 +150,10 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type, + + switch (type) { + case NFTNL_OBJ_CT_TIMEOUT_L3PROTO: +- memcpy(&timeout->l3proto, data, sizeof(timeout->l3proto)); ++ memcpy(&timeout->l3proto, data, data_len); + break; + case NFTNL_OBJ_CT_TIMEOUT_L4PROTO: +- memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto)); ++ memcpy(&timeout->l4proto, data, data_len); + break; + case NFTNL_OBJ_CT_TIMEOUT_ARRAY: + if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX) +diff --git a/src/obj/limit.c b/src/obj/limit.c +index 0c7362e..cbf30b4 100644 +--- a/src/obj/limit.c ++++ b/src/obj/limit.c +@@ -28,19 +28,19 @@ static int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type, + + switch (type) { + case NFTNL_OBJ_LIMIT_RATE: +- memcpy(&limit->rate, data, sizeof(limit->rate)); ++ memcpy(&limit->rate, data, data_len); + break; + case NFTNL_OBJ_LIMIT_UNIT: +- memcpy(&limit->unit, data, sizeof(limit->unit)); ++ memcpy(&limit->unit, data, data_len); + break; + case NFTNL_OBJ_LIMIT_BURST: +- memcpy(&limit->burst, data, sizeof(limit->burst)); ++ memcpy(&limit->burst, data, data_len); + break; + case NFTNL_OBJ_LIMIT_TYPE: +- memcpy(&limit->type, data, sizeof(limit->type)); ++ memcpy(&limit->type, data, data_len); + break; + case NFTNL_OBJ_LIMIT_FLAGS: +- memcpy(&limit->flags, data, sizeof(limit->flags)); ++ memcpy(&limit->flags, 
data, data_len); + break; + } + return 0; +diff --git a/src/obj/quota.c b/src/obj/quota.c +index b48ba91..526db8e 100644 +--- a/src/obj/quota.c ++++ b/src/obj/quota.c +@@ -28,13 +28,13 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type, + + switch (type) { + case NFTNL_OBJ_QUOTA_BYTES: +- memcpy("a->bytes, data, sizeof(quota->bytes)); ++ memcpy("a->bytes, data, data_len); + break; + case NFTNL_OBJ_QUOTA_CONSUMED: +- memcpy("a->consumed, data, sizeof(quota->consumed)); ++ memcpy("a->consumed, data, data_len); + break; + case NFTNL_OBJ_QUOTA_FLAGS: +- memcpy("a->flags, data, sizeof(quota->flags)); ++ memcpy("a->flags, data, data_len); + break; + } + return 0; +diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c +index 07b3b2a..0309410 100644 +--- a/src/obj/tunnel.c ++++ b/src/obj/tunnel.c +@@ -29,52 +29,52 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type, + + switch (type) { + case NFTNL_OBJ_TUNNEL_ID: +- memcpy(&tun->id, data, sizeof(tun->id)); ++ memcpy(&tun->id, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_IPV4_SRC: +- memcpy(&tun->src_v4, data, sizeof(tun->src_v4)); ++ memcpy(&tun->src_v4, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_IPV4_DST: +- memcpy(&tun->dst_v4, data, sizeof(tun->dst_v4)); ++ memcpy(&tun->dst_v4, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_IPV6_SRC: +- memcpy(&tun->src_v6, data, sizeof(struct in6_addr)); ++ memcpy(&tun->src_v6, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_IPV6_DST: +- memcpy(&tun->dst_v6, data, sizeof(struct in6_addr)); ++ memcpy(&tun->dst_v6, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL: +- memcpy(&tun->flowlabel, data, sizeof(tun->flowlabel)); ++ memcpy(&tun->flowlabel, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_SPORT: +- memcpy(&tun->sport, data, sizeof(tun->sport)); ++ memcpy(&tun->sport, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_DPORT: +- memcpy(&tun->dport, data, sizeof(tun->dport)); ++ memcpy(&tun->dport, data, data_len); + break; + case 
NFTNL_OBJ_TUNNEL_FLAGS: +- memcpy(&tun->tun_flags, data, sizeof(tun->tun_flags)); ++ memcpy(&tun->tun_flags, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_TOS: +- memcpy(&tun->tun_tos, data, sizeof(tun->tun_tos)); ++ memcpy(&tun->tun_tos, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_TTL: +- memcpy(&tun->tun_ttl, data, sizeof(tun->tun_ttl)); ++ memcpy(&tun->tun_ttl, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_VXLAN_GBP: +- memcpy(&tun->u.tun_vxlan.gbp, data, sizeof(tun->u.tun_vxlan.gbp)); ++ memcpy(&tun->u.tun_vxlan.gbp, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_ERSPAN_VERSION: +- memcpy(&tun->u.tun_erspan.version, data, sizeof(tun->u.tun_erspan.version)); ++ memcpy(&tun->u.tun_erspan.version, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX: +- memcpy(&tun->u.tun_erspan.u.v1_index, data, sizeof(tun->u.tun_erspan.u.v1_index)); ++ memcpy(&tun->u.tun_erspan.u.v1_index, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID: +- memcpy(&tun->u.tun_erspan.u.v2.hwid, data, sizeof(tun->u.tun_erspan.u.v2.hwid)); ++ memcpy(&tun->u.tun_erspan.u.v2.hwid, data, data_len); + break; + case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR: +- memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir)); ++ memcpy(&tun->u.tun_erspan.u.v2.dir, data, data_len); + break; + } + return 0; diff --git a/SOURCES/0029-expr-Respect-data_len-when-setting-attributes.patch b/SOURCES/0029-expr-Respect-data_len-when-setting-attributes.patch new file mode 100644 index 0000000..dd237e9 --- /dev/null +++ b/SOURCES/0029-expr-Respect-data_len-when-setting-attributes.patch 
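Review bot: Copying `data_len` bytes instead of `sizeof(field)` only fixes the over-read direction; when `data_len` is smaller than the field (allowed, since `maxlen` is an upper bound only) the remaining bytes of `ctr->bytes`, `exp->l3proto`, `limit->rate`, `tun->src_v6` and the rest keep their previous contents, and on a big-endian host the value lands in the wrong bytes altogether, so the setter stores something the caller never passed. Either the policy check should also reject `data_len < maxlen` for fixed-width integer attributes, or each case should clear the field first, e.g. `memset(&ctr->bytes, 0, sizeof(ctr->bytes)); memcpy(&ctr->bytes, data, data_len);`, applied uniformly across counter.c, ct_expect.c, ct_helper.c, ct_timeout.c, limit.c, quota.c and tunnel.c. The ct_helper.c hunk also leaves `NFTNL_OBJ_CT_HELPER_NAME` on `snprintf(..., "%s", data)`, the one setter in these files that still ignores `data_len`. Each `*_set()` function starts outside its hunk.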
@@ -0,0 +1,968 @@
+From e1a4cfec3462db1a91788f74d4d083c4c4b63788 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 8 May 2024 22:39:41 +0200
+Subject: [PATCH] expr: Respect data_len when setting attributes
+
+JIRA: https://issues.redhat.com/browse/RHEL-28515
+Upstream Status: libnftnl commit be0bae0ad31b0adb506f96de083f52a2bd0d4fbf
+
+commit be0bae0ad31b0adb506f96de083f52a2bd0d4fbf
+Author: Phil Sutter
+Date: Thu Mar 7 14:49:08 2024 +0100
+
+ expr: Respect data_len when setting attributes
+
+ With attr_policy in place, data_len has an upper boundary but it may be
+ lower than the attribute's storage area in which case memcpy() would
+ read garbage.
+
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/expr/bitwise.c | 8 ++++----
+ src/expr/byteorder.c | 10 +++++-----
+ src/expr/cmp.c | 4 ++--
+ src/expr/connlimit.c | 4 ++--
+ src/expr/counter.c | 4 ++--
+ src/expr/ct.c | 8 ++++----
+ src/expr/dup.c | 4 ++--
+ src/expr/dynset.c | 12 ++++++------
+ src/expr/exthdr.c | 14 +++++++-------
+ src/expr/fib.c | 6 +++---
+ src/expr/fwd.c | 6 +++---
+ src/expr/hash.c | 14 +++++++-------
+ src/expr/immediate.c | 6 +++---
+ src/expr/inner.c | 6 +++---
+ src/expr/last.c | 4 ++--
+ src/expr/limit.c | 10 +++++-----
+ src/expr/log.c | 10 +++++-----
+ src/expr/lookup.c | 8 ++++----
+ src/expr/masq.c | 6 +++---
+ src/expr/match.c | 2 +-
+ src/expr/meta.c | 6 +++---
+ src/expr/nat.c | 14 +++++++-------
+ src/expr/numgen.c | 8 ++++----
+ src/expr/objref.c | 6 +++---
+ src/expr/osf.c | 6 +++---
+ src/expr/payload.c | 16 ++++++++--------
+ src/expr/queue.c | 8 ++++----
+ src/expr/quota.c | 6 +++---
+ src/expr/range.c | 4 ++--
+ src/expr/redir.c | 6 +++---
+ src/expr/reject.c | 4 ++--
+ src/expr/rt.c | 4 ++--
+ src/expr/socket.c | 6 +++---
+ src/expr/synproxy.c | 6 +++---
+ src/expr/target.c | 2 +-
+ src/expr/tproxy.c | 6 +++---
+ src/expr/tunnel.c | 4 ++--
+ src/expr/xfrm.c | 8 ++++----
+ 38 files changed, 133 insertions(+), 133 deletions(-)
+
+diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
+index dab1690..e99131a 100644
+--- a/src/expr/bitwise.c
++++ b/src/expr/bitwise.c
+@@ -39,16 +39,16 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_BITWISE_SREG:
+- memcpy(&bitwise->sreg, data, sizeof(bitwise->sreg));
++ memcpy(&bitwise->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_BITWISE_DREG:
+- memcpy(&bitwise->dreg, data, sizeof(bitwise->dreg));
++ memcpy(&bitwise->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_BITWISE_OP:
+- memcpy(&bitwise->op, data, sizeof(bitwise->op));
++ memcpy(&bitwise->op, data, data_len);
+ break;
+ case NFTNL_EXPR_BITWISE_LEN:
+- memcpy(&bitwise->len, data, sizeof(bitwise->len));
++ memcpy(&bitwise->len, data, data_len);
+ break;
+ case NFTNL_EXPR_BITWISE_MASK:
+ return nftnl_data_cpy(&bitwise->mask, data, data_len);
+diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
+index d4e85a8..383e80d 100644
+--- a/src/expr/byteorder.c
++++ b/src/expr/byteorder.c
+@@ -37,19 +37,19 @@ nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_BYTEORDER_SREG:
+- memcpy(&byteorder->sreg, data, sizeof(byteorder->sreg));
++ memcpy(&byteorder->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_BYTEORDER_DREG:
+- memcpy(&byteorder->dreg, data, sizeof(byteorder->dreg));
++ memcpy(&byteorder->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_BYTEORDER_OP:
+- memcpy(&byteorder->op, data, sizeof(byteorder->op));
++ memcpy(&byteorder->op, data, data_len);
+ break;
+ case NFTNL_EXPR_BYTEORDER_LEN:
+- memcpy(&byteorder->len, data, sizeof(byteorder->len));
++ memcpy(&byteorder->len, data, data_len);
+ break;
+ case NFTNL_EXPR_BYTEORDER_SIZE:
+- memcpy(&byteorder->size, data, sizeof(byteorder->size));
++ memcpy(&byteorder->size, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/cmp.c b/src/expr/cmp.c
+index 2937d7e..d1f0f64 100644
+--- a/src/expr/cmp.c
++++ b/src/expr/cmp.c
+@@ -36,10 +36,10 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_CMP_SREG:
+- memcpy(&cmp->sreg, data, sizeof(cmp->sreg));
++ memcpy(&cmp->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_CMP_OP:
+- memcpy(&cmp->op, data, sizeof(cmp->op));
++ memcpy(&cmp->op, data, data_len);
+ break;
+ case NFTNL_EXPR_CMP_DATA:
+ return nftnl_data_cpy(&cmp->data, data, data_len);
+diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
+index 1c78c71..fcac8bf 100644
+--- a/src/expr/connlimit.c
++++ b/src/expr/connlimit.c
+@@ -33,10 +33,10 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_CONNLIMIT_COUNT:
+- memcpy(&connlimit->count, data, sizeof(connlimit->count));
++ memcpy(&connlimit->count, data, data_len);
+ break;
+ case NFTNL_EXPR_CONNLIMIT_FLAGS:
+- memcpy(&connlimit->flags, data, sizeof(connlimit->flags));
++ memcpy(&connlimit->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/counter.c b/src/expr/counter.c
+index 2c6f2a7..cef9119 100644
+--- a/src/expr/counter.c
++++ b/src/expr/counter.c
+@@ -35,10 +35,10 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_CTR_BYTES:
+- memcpy(&ctr->bytes, data, sizeof(ctr->bytes));
++ memcpy(&ctr->bytes, data, data_len);
+ break;
+ case NFTNL_EXPR_CTR_PACKETS:
+- memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
++ memcpy(&ctr->pkts, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/ct.c b/src/expr/ct.c
+index f7dd40d..bea0522 100644
+--- a/src/expr/ct.c
++++ b/src/expr/ct.c
+@@ -39,16 +39,16 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_CT_KEY:
+- memcpy(&ct->key, data, sizeof(ct->key));
++ memcpy(&ct->key, data, data_len);
+ break;
+ case NFTNL_EXPR_CT_DIR:
+- memcpy(&ct->dir, data, sizeof(ct->dir));
++ memcpy(&ct->dir, data, data_len);
+ break;
+ case NFTNL_EXPR_CT_DREG:
+- memcpy(&ct->dreg, data, sizeof(ct->dreg));
++ memcpy(&ct->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_CT_SREG:
+- memcpy(&ct->sreg, data, sizeof(ct->sreg));
++ memcpy(&ct->sreg, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/dup.c b/src/expr/dup.c
+index 6a5e4ca..28d686b 100644
+--- a/src/expr/dup.c
++++ b/src/expr/dup.c
+@@ -32,10 +32,10 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_DUP_SREG_ADDR:
+- memcpy(&dup->sreg_addr, data, sizeof(dup->sreg_addr));
++ memcpy(&dup->sreg_addr, data, data_len);
+ break;
+ case NFTNL_EXPR_DUP_SREG_DEV:
+- memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev));
++ memcpy(&dup->sreg_dev, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/dynset.c b/src/expr/dynset.c
+index c1f79b5..8a159f8 100644
+--- a/src/expr/dynset.c
++++ b/src/expr/dynset.c
+@@ -41,16 +41,16 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_DYNSET_SREG_KEY:
+- memcpy(&dynset->sreg_key, data, sizeof(dynset->sreg_key));
++ memcpy(&dynset->sreg_key, data, data_len);
+ break;
+ case NFTNL_EXPR_DYNSET_SREG_DATA:
+- memcpy(&dynset->sreg_data, data, sizeof(dynset->sreg_data));
++ memcpy(&dynset->sreg_data, data, data_len);
+ break;
+ case NFTNL_EXPR_DYNSET_OP:
+- memcpy(&dynset->op, data, sizeof(dynset->op));
++ memcpy(&dynset->op, data, data_len);
+ break;
+ case NFTNL_EXPR_DYNSET_TIMEOUT:
+- memcpy(&dynset->timeout, data, sizeof(dynset->timeout));
++ memcpy(&dynset->timeout, data, data_len);
+ break;
+ case NFTNL_EXPR_DYNSET_SET_NAME:
+ dynset->set_name = strdup((const char *)data);
+@@ -58,7 +58,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
+ return -1;
+ break;
+ case NFTNL_EXPR_DYNSET_SET_ID:
+- memcpy(&dynset->set_id, data, sizeof(dynset->set_id));
++ memcpy(&dynset->set_id, data, data_len);
+ break;
+ case NFTNL_EXPR_DYNSET_EXPR:
+ list_for_each_entry_safe(expr, next, &dynset->expr_list, head)
+@@ -68,7 +68,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
+ list_add(&expr->head, &dynset->expr_list);
+ break;
+ case NFTNL_EXPR_DYNSET_FLAGS:
+- memcpy(&dynset->dynset_flags, data, sizeof(dynset->dynset_flags));
++ memcpy(&dynset->dynset_flags, data, data_len);
+ break;
+ default:
+ return -1;
+diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
+index 93b7521..453902c 100644
+--- a/src/expr/exthdr.c
++++ b/src/expr/exthdr.c
+@@ -46,25 +46,25 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_EXTHDR_DREG:
+- memcpy(&exthdr->dreg, data, sizeof(exthdr->dreg));
++ memcpy(&exthdr->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_EXTHDR_TYPE:
+- memcpy(&exthdr->type, data, sizeof(exthdr->type));
++ memcpy(&exthdr->type, data, data_len);
+ break;
+ case NFTNL_EXPR_EXTHDR_OFFSET:
+- memcpy(&exthdr->offset, data, sizeof(exthdr->offset));
++ memcpy(&exthdr->offset, data, data_len);
+ break;
+ case NFTNL_EXPR_EXTHDR_LEN:
+- memcpy(&exthdr->len, data, sizeof(exthdr->len));
++ memcpy(&exthdr->len, data, data_len);
+ break;
+ case NFTNL_EXPR_EXTHDR_OP:
+- memcpy(&exthdr->op, data, sizeof(exthdr->op));
++ memcpy(&exthdr->op, data, data_len);
+ break;
+ case NFTNL_EXPR_EXTHDR_FLAGS:
+- memcpy(&exthdr->flags, data, sizeof(exthdr->flags));
++ memcpy(&exthdr->flags, data, data_len);
+ break;
+ case NFTNL_EXPR_EXTHDR_SREG:
+- memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg));
++ memcpy(&exthdr->sreg, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/fib.c b/src/expr/fib.c
+index 5f7bef4..20bc125 100644
+--- a/src/expr/fib.c
++++ b/src/expr/fib.c
+@@ -35,13 +35,13 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result,
+ 
+ switch (result) {
+ case NFTNL_EXPR_FIB_RESULT:
+- memcpy(&fib->result, data, sizeof(fib->result));
++ memcpy(&fib->result, data, data_len);
+ break;
+ case NFTNL_EXPR_FIB_DREG:
+- memcpy(&fib->dreg, data, sizeof(fib->dreg));
++ memcpy(&fib->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_FIB_FLAGS:
+- memcpy(&fib->flags, data, sizeof(fib->flags));
++ memcpy(&fib->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/fwd.c b/src/expr/fwd.c
+index 566d6f4..04cb089 100644
+--- a/src/expr/fwd.c
++++ b/src/expr/fwd.c
+@@ -33,13 +33,13 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_FWD_SREG_DEV:
+- memcpy(&fwd->sreg_dev, data, sizeof(fwd->sreg_dev));
++ memcpy(&fwd->sreg_dev, data, data_len);
+ break;
+ case NFTNL_EXPR_FWD_SREG_ADDR:
+- memcpy(&fwd->sreg_addr, data, sizeof(fwd->sreg_addr));
++ memcpy(&fwd->sreg_addr, data, data_len);
+ break;
+ case NFTNL_EXPR_FWD_NFPROTO:
+- memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto));
++ memcpy(&fwd->nfproto, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/hash.c b/src/expr/hash.c
+index 4cd9006..eb44b2e 100644
+--- a/src/expr/hash.c
++++ b/src/expr/hash.c
+@@ -37,25 +37,25 @@ nftnl_expr_hash_set(struct nftnl_expr *e, uint16_t type,
+ struct nftnl_expr_hash *hash = nftnl_expr_data(e);
+ switch (type) {
+ case NFTNL_EXPR_HASH_SREG:
+- memcpy(&hash->sreg, data, sizeof(hash->sreg));
++ memcpy(&hash->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_HASH_DREG:
+- memcpy(&hash->dreg, data, sizeof(hash->dreg));
++ memcpy(&hash->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_HASH_LEN:
+- memcpy(&hash->len, data, sizeof(hash->len));
++ memcpy(&hash->len, data, data_len);
+ break;
+ case NFTNL_EXPR_HASH_MODULUS:
+- memcpy(&hash->modulus, data, sizeof(hash->modulus));
++ memcpy(&hash->modulus, data, data_len);
+ break;
+ case NFTNL_EXPR_HASH_SEED:
+- memcpy(&hash->seed, data, sizeof(hash->seed));
++ memcpy(&hash->seed, data, data_len);
+ break;
+ case NFTNL_EXPR_HASH_OFFSET:
+- memcpy(&hash->offset, data, sizeof(hash->offset));
++ memcpy(&hash->offset, data, data_len);
+ break;
+ case NFTNL_EXPR_HASH_TYPE:
+- memcpy(&hash->type, data, sizeof(hash->type));
++ memcpy(&hash->type, data, data_len);
+ break;
+ default:
+ return -1;
+diff --git a/src/expr/immediate.c b/src/expr/immediate.c
+index 8645ab3..b2400e7 100644
+--- a/src/expr/immediate.c
++++ b/src/expr/immediate.c
+@@ -33,12 +33,12 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_IMM_DREG:
+- memcpy(&imm->dreg, data, sizeof(imm->dreg));
++ memcpy(&imm->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_IMM_DATA:
+ return nftnl_data_cpy(&imm->data, data, data_len);
+ case NFTNL_EXPR_IMM_VERDICT:
+- memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict));
++ memcpy(&imm->data.verdict, data, data_len);
+ break;
+ case NFTNL_EXPR_IMM_CHAIN:
+ if (e->flags & (1 << NFTNL_EXPR_IMM_CHAIN))
+@@ -49,7 +49,7 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
+ return -1;
+ break;
+ case NFTNL_EXPR_IMM_CHAIN_ID:
+- memcpy(&imm->data.chain_id, data, sizeof(uint32_t));
++ memcpy(&imm->data.chain_id, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/inner.c b/src/expr/inner.c
+index 45ef4fb..4f66e94 100644
+--- a/src/expr/inner.c
++++ b/src/expr/inner.c
+@@ -45,13 +45,13 @@ nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_INNER_TYPE:
+- memcpy(&inner->type, data, sizeof(inner->type));
++ memcpy(&inner->type, data, data_len);
+ break;
+ case NFTNL_EXPR_INNER_FLAGS:
+- memcpy(&inner->flags, data, sizeof(inner->flags));
++ memcpy(&inner->flags, data, data_len);
+ break;
+ case NFTNL_EXPR_INNER_HDRSIZE:
+- memcpy(&inner->hdrsize, data, sizeof(inner->hdrsize));
++ memcpy(&inner->hdrsize, data, data_len);
+ break;
+ case NFTNL_EXPR_INNER_EXPR:
+ if (inner->expr)
+diff --git a/src/expr/last.c b/src/expr/last.c
+index 074f463..8e5b88e 100644
+--- a/src/expr/last.c
++++ b/src/expr/last.c
+@@ -32,10 +32,10 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_LAST_MSECS:
+- memcpy(&last->msecs, data, sizeof(last->msecs));
++ memcpy(&last->msecs, data, data_len);
+ break;
+ case NFTNL_EXPR_LAST_SET:
+- memcpy(&last->set, data, sizeof(last->set));
++ memcpy(&last->set, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/limit.c b/src/expr/limit.c
+index 935d449..9d02592 100644
+--- a/src/expr/limit.c
++++ b/src/expr/limit.c
+@@ -38,19 +38,19 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_LIMIT_RATE:
+- memcpy(&limit->rate, data, sizeof(limit->rate));
++ memcpy(&limit->rate, data, data_len);
+ break;
+ case NFTNL_EXPR_LIMIT_UNIT:
+- memcpy(&limit->unit, data, sizeof(limit->unit));
++ memcpy(&limit->unit, data, data_len);
+ break;
+ case NFTNL_EXPR_LIMIT_BURST:
+- memcpy(&limit->burst, data, sizeof(limit->burst));
++ memcpy(&limit->burst, data, data_len);
+ break;
+ case NFTNL_EXPR_LIMIT_TYPE:
+- memcpy(&limit->type, data, sizeof(limit->type));
++ memcpy(&limit->type, data, data_len);
+ break;
+ case NFTNL_EXPR_LIMIT_FLAGS:
+- memcpy(&limit->flags, data, sizeof(limit->flags));
++ memcpy(&limit->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/log.c b/src/expr/log.c
+index d6d6910..18ec2b6 100644
+--- a/src/expr/log.c
++++ b/src/expr/log.c
+@@ -46,19 +46,19 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type,
+ return -1;
+ break;
+ case NFTNL_EXPR_LOG_GROUP:
+- memcpy(&log->group, data, sizeof(log->group));
++ memcpy(&log->group, data, data_len);
+ break;
+ case NFTNL_EXPR_LOG_SNAPLEN:
+- memcpy(&log->snaplen, data, sizeof(log->snaplen));
++ memcpy(&log->snaplen, data, data_len);
+ break;
+ case NFTNL_EXPR_LOG_QTHRESHOLD:
+- memcpy(&log->qthreshold, data, sizeof(log->qthreshold));
++ memcpy(&log->qthreshold, data, data_len);
+ break;
+ case NFTNL_EXPR_LOG_LEVEL:
+- memcpy(&log->level, data, sizeof(log->level));
++ memcpy(&log->level, data, data_len);
+ break;
+ case NFTNL_EXPR_LOG_FLAGS:
+- memcpy(&log->flags, data, sizeof(log->flags));
++ memcpy(&log->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/lookup.c b/src/expr/lookup.c
+index be04528..21a7fce 100644
+--- a/src/expr/lookup.c
++++ b/src/expr/lookup.c
+@@ -37,10 +37,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_LOOKUP_SREG:
+- memcpy(&lookup->sreg, data, sizeof(lookup->sreg));
++ memcpy(&lookup->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_LOOKUP_DREG:
+- memcpy(&lookup->dreg, data, sizeof(lookup->dreg));
++ memcpy(&lookup->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_LOOKUP_SET:
+ lookup->set_name = strdup((const char *)data);
+@@ -48,10 +48,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
+ return -1;
+ break;
+ case NFTNL_EXPR_LOOKUP_SET_ID:
+- memcpy(&lookup->set_id, data, sizeof(lookup->set_id));
++ memcpy(&lookup->set_id, data, data_len);
+ break;
+ case NFTNL_EXPR_LOOKUP_FLAGS:
+- memcpy(&lookup->flags, data, sizeof(lookup->flags));
++ memcpy(&lookup->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/masq.c b/src/expr/masq.c
+index 4be5a9c..e0565db 100644
+--- a/src/expr/masq.c
++++ b/src/expr/masq.c
+@@ -34,13 +34,13 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_MASQ_FLAGS:
+- memcpy(&masq->flags, data, sizeof(masq->flags));
++ memcpy(&masq->flags, data, data_len);
+ break;
+ case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+- memcpy(&masq->sreg_proto_min, data, sizeof(masq->sreg_proto_min));
++ memcpy(&masq->sreg_proto_min, data, data_len);
+ break;
+ case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+- memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
++ memcpy(&masq->sreg_proto_max, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/match.c b/src/expr/match.c
+index 68288dc..8c1bc74 100644
+--- a/src/expr/match.c
++++ b/src/expr/match.c
+@@ -46,7 +46,7 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type,
+ (const char *)data);
+ break;
+ case NFTNL_EXPR_MT_REV:
+- memcpy(&mt->rev, data, sizeof(mt->rev));
++ memcpy(&mt->rev, data, data_len);
+ break;
+ case NFTNL_EXPR_MT_INFO:
+ if (e->flags & (1 << NFTNL_EXPR_MT_INFO))
+diff --git a/src/expr/meta.c b/src/expr/meta.c
+index cd49c34..136a450 100644
+--- a/src/expr/meta.c
++++ b/src/expr/meta.c
+@@ -39,13 +39,13 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_META_KEY:
+- memcpy(&meta->key, data, sizeof(meta->key));
++ memcpy(&meta->key, data, data_len);
+ break;
+ case NFTNL_EXPR_META_DREG:
+- memcpy(&meta->dreg, data, sizeof(meta->dreg));
++ memcpy(&meta->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_META_SREG:
+- memcpy(&meta->sreg, data, sizeof(meta->sreg));
++ memcpy(&meta->sreg, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/nat.c b/src/expr/nat.c
+index f3f8644..1235ba4 100644
+--- a/src/expr/nat.c
++++ b/src/expr/nat.c
+@@ -42,25 +42,25 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_NAT_TYPE:
+- memcpy(&nat->type, data, sizeof(nat->type));
++ memcpy(&nat->type, data, data_len);
+ break;
+ case NFTNL_EXPR_NAT_FAMILY:
+- memcpy(&nat->family, data, sizeof(nat->family));
++ memcpy(&nat->family, data, data_len);
+ break;
+ case NFTNL_EXPR_NAT_REG_ADDR_MIN:
+- memcpy(&nat->sreg_addr_min, data, sizeof(nat->sreg_addr_min));
++ memcpy(&nat->sreg_addr_min, data, data_len);
+ break;
+ case NFTNL_EXPR_NAT_REG_ADDR_MAX:
+- memcpy(&nat->sreg_addr_max, data, sizeof(nat->sreg_addr_max));
++ memcpy(&nat->sreg_addr_max, data, data_len);
+ break;
+ case NFTNL_EXPR_NAT_REG_PROTO_MIN:
+- memcpy(&nat->sreg_proto_min, data, sizeof(nat->sreg_proto_min));
++ memcpy(&nat->sreg_proto_min, data, data_len);
+ break;
+ case NFTNL_EXPR_NAT_REG_PROTO_MAX:
+- memcpy(&nat->sreg_proto_max, data, sizeof(nat->sreg_proto_max));
++ memcpy(&nat->sreg_proto_max, data, data_len);
+ break;
+ case NFTNL_EXPR_NAT_FLAGS:
+- memcpy(&nat->flags, data, sizeof(nat->flags));
++ memcpy(&nat->flags, data, data_len);
+ break;
+ }
+ 
+diff --git a/src/expr/numgen.c b/src/expr/numgen.c
+index c5e8772..c015b88 100644
+--- a/src/expr/numgen.c
++++ b/src/expr/numgen.c
+@@ -35,16 +35,16 @@ nftnl_expr_ng_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_NG_DREG:
+- memcpy(&ng->dreg, data, sizeof(ng->dreg));
++ memcpy(&ng->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_NG_MODULUS:
+- memcpy(&ng->modulus, data, sizeof(ng->modulus));
++ memcpy(&ng->modulus, data, data_len);
+ break;
+ case NFTNL_EXPR_NG_TYPE:
+- memcpy(&ng->type, data, sizeof(ng->type));
++ memcpy(&ng->type, data, data_len);
+ break;
+ case NFTNL_EXPR_NG_OFFSET:
+- memcpy(&ng->offset, data, sizeof(ng->offset));
++ memcpy(&ng->offset, data, data_len);
+ break;
+ default:
+ return -1;
+diff --git a/src/expr/objref.c b/src/expr/objref.c
+index 59e1ddd..0053805 100644
+--- a/src/expr/objref.c
++++ b/src/expr/objref.c
+@@ -39,7 +39,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_OBJREF_IMM_TYPE:
+- memcpy(&objref->imm.type, data, sizeof(objref->imm.type));
++ memcpy(&objref->imm.type, data, data_len);
+ break;
+ case NFTNL_EXPR_OBJREF_IMM_NAME:
+ objref->imm.name = strdup(data);
+@@ -47,7 +47,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
+ return -1;
+ break;
+ case NFTNL_EXPR_OBJREF_SET_SREG:
+- memcpy(&objref->set.sreg, data, sizeof(objref->set.sreg));
++ memcpy(&objref->set.sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_OBJREF_SET_NAME:
+ objref->set.name = strdup(data);
+@@ -55,7 +55,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
+ return -1;
+ break;
+ case NFTNL_EXPR_OBJREF_SET_ID:
+- memcpy(&objref->set.id, data, sizeof(objref->set.id));
++ memcpy(&objref->set.id, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/osf.c b/src/expr/osf.c
+index 1e4ceb0..060394b 100644
+--- a/src/expr/osf.c
++++ b/src/expr/osf.c
+@@ -25,13 +25,13 @@ static int nftnl_expr_osf_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_OSF_DREG:
+- memcpy(&osf->dreg, data, sizeof(osf->dreg));
++ memcpy(&osf->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_OSF_TTL:
+- memcpy(&osf->ttl, data, sizeof(osf->ttl));
++ memcpy(&osf->ttl, data, data_len);
+ break;
+ case NFTNL_EXPR_OSF_FLAGS:
+- memcpy(&osf->flags, data, sizeof(osf->flags));
++ memcpy(&osf->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/payload.c b/src/expr/payload.c
+index 76d38f7..35cd10c 100644
+--- a/src/expr/payload.c
++++ b/src/expr/payload.c
+@@ -43,28 +43,28 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_PAYLOAD_SREG:
+- memcpy(&payload->sreg, data, sizeof(payload->sreg));
++ memcpy(&payload->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_DREG:
+- memcpy(&payload->dreg, data, sizeof(payload->dreg));
++ memcpy(&payload->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_BASE:
+- memcpy(&payload->base, data, sizeof(payload->base));
++ memcpy(&payload->base, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_OFFSET:
+- memcpy(&payload->offset, data, sizeof(payload->offset));
++ memcpy(&payload->offset, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_LEN:
+- memcpy(&payload->len, data, sizeof(payload->len));
++ memcpy(&payload->len, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_CSUM_TYPE:
+- memcpy(&payload->csum_type, data, sizeof(payload->csum_type));
++ memcpy(&payload->csum_type, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_CSUM_OFFSET:
+- memcpy(&payload->csum_offset, data, sizeof(payload->csum_offset));
++ memcpy(&payload->csum_offset, data, data_len);
+ break;
+ case NFTNL_EXPR_PAYLOAD_FLAGS:
+- memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags));
++ memcpy(&payload->csum_flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/queue.c b/src/expr/queue.c
+index 54792ef..09220c4 100644
+--- a/src/expr/queue.c
++++ b/src/expr/queue.c
+@@ -34,16 +34,16 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_QUEUE_NUM:
+- memcpy(&queue->queuenum, data, sizeof(queue->queuenum));
++ memcpy(&queue->queuenum, data, data_len);
+ break;
+ case NFTNL_EXPR_QUEUE_TOTAL:
+- memcpy(&queue->queues_total, data, sizeof(queue->queues_total));
++ memcpy(&queue->queues_total, data, data_len);
+ break;
+ case NFTNL_EXPR_QUEUE_FLAGS:
+- memcpy(&queue->flags, data, sizeof(queue->flags));
++ memcpy(&queue->flags, data, data_len);
+ break;
+ case NFTNL_EXPR_QUEUE_SREG_QNUM:
+- memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum));
++ memcpy(&queue->sreg_qnum, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/quota.c b/src/expr/quota.c
+index 60631fe..ddf232f 100644
+--- a/src/expr/quota.c
++++ b/src/expr/quota.c
+@@ -33,13 +33,13 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_QUOTA_BYTES:
+- memcpy("a->bytes, data, sizeof(quota->bytes));
++ memcpy("a->bytes, data, data_len);
+ break;
+ case NFTNL_EXPR_QUOTA_CONSUMED:
+- memcpy("a->consumed, data, sizeof(quota->consumed));
++ memcpy("a->consumed, data, data_len);
+ break;
+ case NFTNL_EXPR_QUOTA_FLAGS:
+- memcpy("a->flags, data, sizeof(quota->flags));
++ memcpy("a->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/range.c b/src/expr/range.c
+index 6310b79..96bb140 100644
+--- a/src/expr/range.c
++++ b/src/expr/range.c
+@@ -34,10 +34,10 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_RANGE_SREG:
+- memcpy(&range->sreg, data, sizeof(range->sreg));
++ memcpy(&range->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_RANGE_OP:
+- memcpy(&range->op, data, sizeof(range->op));
++ memcpy(&range->op, data, data_len);
+ break;
+ case NFTNL_EXPR_RANGE_FROM_DATA:
+ return nftnl_data_cpy(&range->data_from, data, data_len);
+diff --git a/src/expr/redir.c b/src/expr/redir.c
+index 69095bd..9971306 100644
+--- a/src/expr/redir.c
++++ b/src/expr/redir.c
+@@ -34,13 +34,13 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_REDIR_REG_PROTO_MIN:
+- memcpy(&redir->sreg_proto_min, data, sizeof(redir->sreg_proto_min));
++ memcpy(&redir->sreg_proto_min, data, data_len);
+ break;
+ case NFTNL_EXPR_REDIR_REG_PROTO_MAX:
+- memcpy(&redir->sreg_proto_max, data, sizeof(redir->sreg_proto_max));
++ memcpy(&redir->sreg_proto_max, data, data_len);
+ break;
+ case NFTNL_EXPR_REDIR_FLAGS:
+- memcpy(&redir->flags, data, sizeof(redir->flags));
++ memcpy(&redir->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/reject.c b/src/expr/reject.c
+index f97011a..9090db3 100644
+--- a/src/expr/reject.c
++++ b/src/expr/reject.c
+@@ -33,10 +33,10 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_REJECT_TYPE:
+- memcpy(&reject->type, data, sizeof(reject->type));
++ memcpy(&reject->type, data, data_len);
+ break;
+ case NFTNL_EXPR_REJECT_CODE:
+- memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code));
++ memcpy(&reject->icmp_code, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/rt.c b/src/expr/rt.c
+index 0ab2556..ff4fd03 100644
+--- a/src/expr/rt.c
++++ b/src/expr/rt.c
+@@ -32,10 +32,10 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_RT_KEY:
+- memcpy(&rt->key, data, sizeof(rt->key));
++ memcpy(&rt->key, data, data_len);
+ break;
+ case NFTNL_EXPR_RT_DREG:
+- memcpy(&rt->dreg, data, sizeof(rt->dreg));
++ memcpy(&rt->dreg, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/socket.c b/src/expr/socket.c
+index d0d8e23..7a25cdf 100644
+--- a/src/expr/socket.c
++++ b/src/expr/socket.c
+@@ -33,13 +33,13 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch (type) {
+ case NFTNL_EXPR_SOCKET_KEY:
+- memcpy(&socket->key, data, sizeof(socket->key));
++ memcpy(&socket->key, data, data_len);
+ break;
+ case NFTNL_EXPR_SOCKET_DREG:
+- memcpy(&socket->dreg, data, sizeof(socket->dreg));
++ memcpy(&socket->dreg, data, data_len);
+ break;
+ case NFTNL_EXPR_SOCKET_LEVEL:
+- memcpy(&socket->level, data, sizeof(socket->level));
++ memcpy(&socket->level, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
+index 898d292..97c321b 100644
+--- a/src/expr/synproxy.c
++++ b/src/expr/synproxy.c
+@@ -23,13 +23,13 @@ static int nftnl_expr_synproxy_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_SYNPROXY_MSS:
+- memcpy(&synproxy->mss, data, sizeof(synproxy->mss));
++ memcpy(&synproxy->mss, data, data_len);
+ break;
+ case NFTNL_EXPR_SYNPROXY_WSCALE:
+- memcpy(&synproxy->wscale, data, sizeof(synproxy->wscale));
++ memcpy(&synproxy->wscale, data, data_len);
+ break;
+ case NFTNL_EXPR_SYNPROXY_FLAGS:
+- memcpy(&synproxy->flags, data, sizeof(synproxy->flags));
++ memcpy(&synproxy->flags, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/target.c b/src/expr/target.c
+index 9bfd25b..8259a20 100644
+--- a/src/expr/target.c
++++ b/src/expr/target.c
+@@ -46,7 +46,7 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type,
+ (const char *) data);
+ break;
+ case NFTNL_EXPR_TG_REV:
+- memcpy(&tg->rev, data, sizeof(tg->rev));
++ memcpy(&tg->rev, data, data_len);
+ break;
+ case NFTNL_EXPR_TG_INFO:
+ if (e->flags & (1 << NFTNL_EXPR_TG_INFO))
+diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
+index 4948392..9391ce8 100644
+--- a/src/expr/tproxy.c
++++ b/src/expr/tproxy.c
+@@ -34,13 +34,13 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_TPROXY_FAMILY:
+- memcpy(&tproxy->family, data, sizeof(tproxy->family));
++ memcpy(&tproxy->family, data, data_len);
+ break;
+ case NFTNL_EXPR_TPROXY_REG_ADDR:
+- memcpy(&tproxy->sreg_addr, data, sizeof(tproxy->sreg_addr));
++ memcpy(&tproxy->sreg_addr, data, data_len);
+ break;
+ case NFTNL_EXPR_TPROXY_REG_PORT:
+- memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port));
++ memcpy(&tproxy->sreg_port, data, data_len);
+ break;
+ }
+ 
+diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
+index 8089d0b..861e56d 100644
+--- a/src/expr/tunnel.c
++++ b/src/expr/tunnel.c
+@@ -31,10 +31,10 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_TUNNEL_KEY:
+- memcpy(&tunnel->key, data, sizeof(tunnel->key));
++ memcpy(&tunnel->key, data, data_len);
+ break;
+ case NFTNL_EXPR_TUNNEL_DREG:
+- memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg));
++ memcpy(&tunnel->dreg, data, data_len);
+ break;
+ }
+ return 0;
+diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
+index dc867a2..2585579 100644
+--- a/src/expr/xfrm.c
++++ b/src/expr/xfrm.c
+@@ -33,16 +33,16 @@ nftnl_expr_xfrm_set(struct nftnl_expr *e, uint16_t type,
+ 
+ switch(type) {
+ case NFTNL_EXPR_XFRM_KEY:
+- memcpy(&x->key, data, sizeof(x->key));
++ memcpy(&x->key, data, data_len);
+ break;
+ case NFTNL_EXPR_XFRM_DIR:
+- memcpy(&x->dir, data, sizeof(x->dir));
++ memcpy(&x->dir, data, data_len);
+ break;
+ case NFTNL_EXPR_XFRM_SPNUM:
+- memcpy(&x->spnum, data, sizeof(x->spnum));
++ memcpy(&x->spnum, data, data_len);
+ break;
+ case NFTNL_EXPR_XFRM_DREG:
+- memcpy(&x->dreg, data, sizeof(x->dreg));
++ memcpy(&x->dreg, data, data_len);
+ break;
+ default:
+ return -1;
diff --git a/SOURCES/0030-tests-Fix-objref-test-case.patch b/SOURCES/0030-tests-Fix-objref-test-case.patch
new file mode 100644
index 0000000..86ee7ef
--- /dev/null
+++ b/SOURCES/0030-tests-Fix-objref-test-case.patch
@@ -0,0 +1,38 @@
+From 9b450d7911b124884ceab1bc2df789505702d19f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 8 May 2024 22:52:28 +0200
+Subject: [PATCH] tests: Fix objref test case
+
+JIRA: https://issues.redhat.com/browse/RHEL-28515
+Upstream Status: libnftnl commit c2982f81e0d15fb3109112945c73b93a53e21348
+
+commit c2982f81e0d15fb3109112945c73b93a53e21348
+Author: Phil Sutter
+Date: Fri Dec 15 16:10:49 2023 +0100
+
+ tests: Fix objref test case
+
+ Probably a c'n'p bug, the test would allocate a lookup expression
+ instead of the objref one to be tested.
+
+ Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ tests/nft-expr_objref-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/nft-expr_objref-test.c b/tests/nft-expr_objref-test.c
+index 08e27ce..9e698df 100644
+--- a/tests/nft-expr_objref-test.c
++++ b/tests/nft-expr_objref-test.c
+@@ -52,7 +52,7 @@ int main(int argc, char *argv[])
+ b = nftnl_rule_alloc();
+ if (a == NULL || b == NULL)
+ print_err("OOM");
+- ex = nftnl_expr_alloc("lookup");
++ ex = nftnl_expr_alloc("objref");
+ if (ex == NULL)
+ print_err("OOM");
+ 
diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
index b77b8fc..495718b 100644
--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
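Review bot: Every `memcpy(&<field>, data, data_len)` this patch introduces across the 38 expression setters now trusts the caller's length with no local bound, so the memory safety of these writes rests entirely on the attr_policy maxlen check in nftnl_expr_set (patch 0011), which is outside this hunk and not re-checked in any of the setters. For a `data_len` shorter than the field, the case the commit message targets, only the leading bytes are written and the remainder keeps whatever the struct held, which is correct only if the expression struct is zero-initialised at allocation and the value is interpreted in host byte order; neither is visible here. A one-line comment at the top of each switch would pin that contract for later readers, e.g. `/* data_len <= sizeof(field) is enforced by attr_policy in nftnl_expr_set() */`. Separately, the setters with a `default: return -1;` (dynset, hash, numgen, xfrm) and the ones without disagree on how an unknown type is handled; that predates this commit but is worth aligning in a follow-up. The `"a->` in the two quota.c hunks is an HTML-entity rendering artefact of this page for `&quota->`, not part of the patch.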
@@ -1,20 +1,50 @@
 
+%define libnftnl_rpmversion 1.2.6
+%define libnftnl_specrelease 4
+
 Name: libnftnl
-Version: 1.2.2
-Release: 1%{?dist}
+Version: %{libnftnl_rpmversion}
+Release: %{libnftnl_specrelease}%{?dist}%{?buildid}
 Summary: Library for low-level interaction with nftables Netlink's API over libmnl
-
 License: GPLv2+
 URL: https://netfilter.org/projects/libnftnl/
-Source0: https://www.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
+Source0: %{url}/files/%{name}-%{version}.tar.xz
+
+Patch1: 0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
+Patch2: 0002-expr-fix-buffer-overflows-in-data-value-setters.patch
+Patch3: 0003-set-buffer-overflow-in-NFTNL_SET_DESC_CONCAT-setter.patch
+Patch4: 0004-set_elem-use-nftnl_data_cpy-in-NFTNL_SET_ELEM_-KEY-K.patch
+Patch5: 0005-obj-ct_timeout-setter-checks-for-timeout-array-bound.patch
+Patch6: 0006-udata-incorrect-userdata-buffer-size-validation.patch
+Patch7: 0007-expr-Repurpose-struct-expr_ops-max_attr-field.patch
+Patch8: 0008-expr-Call-expr_ops-set-with-legal-types-only.patch
+Patch9: 0009-include-Sync-nf_log.h-with-kernel-headers.patch
+Patch10: 0010-expr-Introduce-struct-expr_ops-attr_policy.patch
+Patch11: 0011-expr-Enforce-attr_policy-compliance-in-nftnl_expr_se.patch
+Patch12: 0012-chain-Validate-NFTNL_CHAIN_USE-too.patch
+Patch13: 0013-table-Validate-NFTNL_TABLE_USE-too.patch
+Patch14: 0014-flowtable-Validate-NFTNL_FLOWTABLE_SIZE-too.patch
+Patch15: 0015-obj-Validate-NFTNL_OBJ_TYPE-too.patch
+Patch16: 0016-set-Validate-NFTNL_SET_ID-too.patch
+Patch17: 0017-table-Validate-NFTNL_TABLE_OWNER-too.patch
+Patch18: 0018-obj-Do-not-call-nftnl_obj_set_data-with-zero-data_le.patch
+Patch19: 0019-obj-synproxy-Use-memcpy-to-handle-potentially-unalig.patch
+Patch20: 0020-utils-Fix-for-wrong-variable-use-in-nftnl_assert_val.patch
+Patch21: 0021-object-getters-take-const-struct.patch
+Patch22: 0022-obj-Return-value-on-setters.patch
+Patch23: 0023-obj-Repurpose-struct-obj_ops-max_attr-field.patch
+Patch24: 
0024-obj-Call-obj_ops-set-with-legal-attributes-only.patch
+Patch25: 0025-obj-Introduce-struct-obj_ops-attr_policy.patch
+Patch26: 0026-obj-Enforce-attr_policy-compliance-in-nftnl_obj_set_.patch
+Patch27: 0027-utils-Introduce-and-use-nftnl_set_str_attr.patch
+Patch28: 0028-obj-Respect-data_len-when-setting-attributes.patch
+Patch29: 0029-expr-Respect-data_len-when-setting-attributes.patch
+Patch30: 0030-tests-Fix-objref-test-case.patch
 BuildRequires: libmnl-devel
-BuildRequires: jansson-devel
 BuildRequires: gcc
 BuildRequires: make
-
-# replace old libnftables package
-Provides: libnftables = %{version}-%{release}
-Obsoletes: libnftables < 0-0.6
+#BuildRequires: autoconf
+#BuildRequires: automake
 
 %description
 A library for low-level interaction with nftables Netlink's API over libmnl.
@@ -22,9 +52,6 @@ A library for low-level interaction with nftables Netlink's API over libmnl.
 %package devel
 Summary: Development files for %{name}
 Requires: %{name}%{_isa} = %{version}-%{release}
-# replace old libnftables-devel package
-Provides: libnftables-devel = %{version}-%{release}
-Obsoletes: libnftables-devel < 0-0.6
 
 %description devel
 The %{name}-devel package contains libraries and header files for
@@ -34,15 +61,17 @@ developing applications that use %{name}.
 %autosetup -p1
 
 %build
-%configure --disable-static --disable-silent-rules --with-json-parsing
+# This is what autogen.sh (only in git repo) does - without it, patches changing
+# Makefile.am cause the build system to regenerate Makefile.in and trying to use
+# automake-1.14 for that which is not available in RHEL.
+#autoreconf -fi
+#rm -rf autom4te*.cache
+
+%configure --disable-static --disable-silent-rules
 %make_build
 
 %check
 %make_build check
-# JSON parsing is broken on big endian, causing tests to fail. Fixes awaiting
-# upstream acceptance: https://marc.info/?l=netfilter-devel&m=152968610931720&w=2
-#cd tests
-#sh ./test-script.sh
 
 %install
 %make_install
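Review bot: The two new `%define libnftnl_rpmversion 1.2.6` / `%define libnftnl_specrelease 4` lines at the top of the first spec hunk should be `%global`: Fedora/RHEL packaging guidelines prefer `%global` for file-scope macros, because `%define` scoping can differ once the macro is referenced from inside another macro body, which `Release:` now does via `%{?dist}%{?buildid}`. The change is `%global libnftnl_rpmversion 1.2.6` and `%global libnftnl_specrelease 4`. The rest of the hunk — the `Release:` composition and the Patch1–Patch30 list — matches the patch files added elsewhere in this commit, so no further point there.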
@@ -58,6 +87,47 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl
 
 %changelog
+* Thu May 09 2024 Phil Sutter [1.2.6-4.el9]
+- Bump release for side-tag build with fixed libmnl (Phil Sutter) [RHEL-28515]
+
+* Wed May 08 2024 Phil Sutter [1.2.6-3.el9]
+- tests: Fix objref test case (Phil Sutter) [RHEL-28515]
+- expr: Respect data_len when setting attributes (Phil Sutter) [RHEL-28515]
+- obj: Respect data_len when setting attributes (Phil Sutter) [RHEL-28515]
+- utils: Introduce and use nftnl_set_str_attr() (Phil Sutter) [RHEL-28515]
+- obj: Enforce attr_policy compliance in nftnl_obj_set_data() (Phil Sutter) [RHEL-28515]
+- obj: Introduce struct obj_ops::attr_policy (Phil Sutter) [RHEL-28515]
+- obj: Call obj_ops::set with legal attributes only (Phil Sutter) [RHEL-28515]
+- obj: Repurpose struct obj_ops::max_attr field (Phil Sutter) [RHEL-28515]
+- obj: Return value on setters (Phil Sutter) [RHEL-28515]
+- object: getters take const struct (Phil Sutter) [RHEL-28515]
+- utils: Fix for wrong variable use in nftnl_assert_validate() (Phil Sutter) [RHEL-28515]
+- obj: synproxy: Use memcpy() to handle potentially unaligned data (Phil Sutter) [RHEL-28515]
+- obj: Do not call nftnl_obj_set_data() with zero data_len (Phil Sutter) [RHEL-28515]
+- table: Validate NFTNL_TABLE_OWNER, too (Phil Sutter) [RHEL-28515]
+- set: Validate NFTNL_SET_ID, too (Phil Sutter) [RHEL-28515]
+- obj: Validate NFTNL_OBJ_TYPE, too (Phil Sutter) [RHEL-28515]
+- flowtable: Validate NFTNL_FLOWTABLE_SIZE, too (Phil Sutter) [RHEL-28515]
+- table: Validate NFTNL_TABLE_USE, too (Phil Sutter) [RHEL-28515]
+- chain: Validate NFTNL_CHAIN_USE, too (Phil Sutter) [RHEL-28515]
+- expr: Enforce attr_policy compliance in nftnl_expr_set() (Phil Sutter) [RHEL-28515]
+- expr: Introduce struct expr_ops::attr_policy (Phil Sutter) [RHEL-28515]
+- include: Sync nf_log.h with kernel headers (Phil Sutter) [RHEL-28515]
+- expr: Call expr_ops::set with legal types only (Phil Sutter) [RHEL-28515]
+- expr: Repurpose struct expr_ops::max_attr field (Phil Sutter) [RHEL-28515]
+- udata: incorrect userdata buffer size validation (Phil Sutter) [RHEL-28515]
+- obj: ct_timeout: setter checks for timeout array boundaries (Phil Sutter) [RHEL-28515]
+- set_elem: use nftnl_data_cpy() in NFTNL_SET_ELEM_{KEY,KEY_END,DATA} (Phil Sutter) [RHEL-28515]
+- set: buffer overflow in NFTNL_SET_DESC_CONCAT setter (Phil Sutter) [RHEL-28515]
+- expr: fix buffer overflows in data value setters (Phil Sutter) [RHEL-28515]
+
+* Fri Oct 27 2023 Phil Sutter [1.2.6-2.el9]
+- spec: Avoid variable name clash, add missing dist tag (Phil Sutter) [RHEL-14149]
+
+* Thu Oct 26 2023 Phil Sutter [1.2.6-1.el9]
+- set: Do not leave free'd expr_list elements in place (Phil Sutter) [RHEL-14149]
+- Rebase onto version 1.2.6 (Phil Sutter) [RHEL-14149]
+
 * Wed Mar 15 2023 MSVSphere Packaging Team - 1.2.2-1
 - Rebuilt for MSVSphere 9.1.