CONFIG_SHELL=/bin/dash ./configure
breaks with:
./config.status: 2044: Syntax error: Bad for loop variable
Fixes: 64c07e38f049 ("table: Embed creating nft version into userdata")
Signed-off-by: Jan Palus <jpalus@fastmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
afl comes with a compiler frontend that can add instrumentation suitable
for running nftables via the "afl-fuzz" fuzzer.
This change adds a "--with-fuzzer" option to configure script and enables
specific handling in nftables and libnftables to speed up the fuzzing process.
It also adds the "--fuzzer" command line option.
afl-fuzz initialisation gets delayed until after the netlink context is set up
and symbol tables (e.g. route marks) have been parsed.
When afl-fuzz restarts the process with a new input round, it will
resume *after* this point (see __AFL_INIT macro in main.c).
With --fuzzer <stage>, nft will perform multiple fuzzing rounds per
invocation: this increases processing rate by an order of magnitude.
The argument to '--fuzzer' specifies the last stage to run:
1: 'parser':
Only run / exercise the flex/bison parser.
2: 'eval': stop after the evaluation phase.
This attempts to build a complete ruleset in memory, does
symbol resolution, adds needed shift/masks to payload instructions
etc.
3: 'netlink-ro':
'netlink-ro' builds the netlink buffer to send to the kernel,
without actually doing so.
4: 'netlink-rw':
The generated command/ruleset will be passed to the kernel.
You can combine it with the '--check' option to send data to the kernel
but without actually committing any changes.
This could still end up triggering a kernel crash if there are bugs
in the validation / transaction / abort phases.
Use 'netlink-ro' if you want to prevent nft from ever submitting any
changes to the kernel or if you are only interested in fuzzing nftables
and its libraries.
In case a kernel splat is detected, the fuzzing process stops and all further
fuzzer attempts are blocked until reboot.
Signed-off-by: Florian Westphal <fw@strlen.de>
If the systemd service file is not installed, currently the related man-page
and example nft file are still installed. Instead only install them when the
service file is installed.
Fixes: 107580cfa85c ("build: disable --with-unitdir by default")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
With all test suites running all variants by default, add the various
testsuite runners to TESTS variable so 'make check' will execute them.
Introduce --enable-distcheck configure flag for internal use during
builds triggered by 'make distcheck'. This flag will force TESTS
variable to remain empty, so 'make check' run as part of distcheck will
not call any test suite: Most of the test suites require privileged
execution, 'make distcheck' usually doesn't and probably shouldn't.
Assuming the latter is used during the release process, it may not even
run on a machine which is up to date enough to generate meaningful test
suite results. Hence spare the release process from the likely pointless
delay imposed by 'make check'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Appending to CFLAGS from configure.ac like this was too naive, passing
custom CFLAGS in make arguments overwrites it. Extend AM_CFLAGS instead.
Fixes: 64c07e38f0494 ("table: Embed creating nft version into userdata")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Upon listing a table which was created by a newer version of nftables,
warn about the potentially incomplete content.
Suggested-by: Florian Westphal <fw@strlen.de>
Cc: Dan Winship <danwinship@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Same behaviour as in the original patch:
--with-unitdir auto-detects the systemd unit path.
--with-unitdir=PATH uses the PATH
no --with-unitdir means this does not install the systemd unit file.
INSTALL file description looks fine for what this does after this
patch.
While at this, extend tests/build/ to cover for this new option.
Fixes: c4b17cf830510 ("tools: add a systemd unit for static rulesets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge the Makefile.am under "doc/" into the toplevel Makefile.am. This
is a step in the effort of dropping recursive make.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Merge the Makefile.am under "examples/" into the toplevel Makefile.am.
This is a step in the effort of dropping recursive make.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Merge the Makefile.am under "src/" into the toplevel Makefile.am. This
is a step in the effort of dropping recursive make.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Merge the Makefile.am under "files/" into the toplevel Makefile.am. This
is a step in the effort of dropping recursive make.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Merge the Makefile.am under "py/" into the toplevel Makefile.am. This is
a step in the effort of dropping recursive make.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Switch from recursive-make to a single top-level Makefile. This is the
first step, the following patches will continue this.
Unlike meson's subdir() or C's #include, automake's SUBDIRS= does not
include a Makefile. Instead, it calls `make -C $dir`.
https://www.gnu.org/software/make/manual/html_node/Recursion.html
https://www.gnu.org/software/automake/manual/html_node/Subdirectories.html
See also, "Recursive Make Considered Harmful".
https://accu.org/journals/overload/14/71/miller_2004/
This has several problems, which we can avoid with a single Makefile:
- recursive-make is harder to maintain and understand as a whole.
Recursive-make makes sense, when there are truly independent
sub-projects. Which is not the case here. The project needs to be
considered as a whole and not one directory at a time. When
we add unit tests (which we should), those would reside in separate
directories but have dependencies between directories. With a single
Makefile, we see all at once. The build setup has an inherent complexity,
and that complexity is not necessarily reduced by splitting it into more files.
On the contrary it helps to have it all in one place, provided that it's
sensibly structured, named and organized.
- typing `make` prints irrelevant "Entering directory" messages. So much
so, that at the end of the build, the terminal is filled with such
messages and we have to scroll to see what even happened.
- with recursive-make, during build we see:
make[3]: Entering directory '.../nftables/src'
CC meta.lo
meta.c:13:2: error: #warning hello test [-Werror=cpp]
13 | #warning hello test
| ^~~~~~~
With a single Makefile we get
CC src/meta.lo
src/meta.c:13:2: error: #warning hello test [-Werror=cpp]
13 | #warning hello test
| ^~~~~~~
This shows the full filename -- assuming that the developer works from
the top level directory. The full name is useful, for example to
copy+paste into the terminal.
- single Makefile is also faster:
$ make && perf stat -r 200 -B make -j
I measure 35msec vs. 80msec.
- recursive-make limits parallel make. You have to craft the SUBDIRS= in
the correct order. The dependencies between directories are limited,
as make only sees "LDADD = $(top_builddir)/src/libnftables.la" and
not the deeper dependencies for the library.
- I presume, some people like recursive-make because of `make -C $subdir`
to only rebuild one directory. Rebuilding the entire tree is already very
fast, so this feature does not seem relevant. Also, as dependency handling
is limited, we might wrongly not rebuild a target. For example,
make check
touch src/meta.c
make -C examples check
does not rebuild "examples/nft-json-file".
What we now can do with single Makefile (and better than before), is
`make examples/nft-json-file`, which works as desired and rebuilds all
dependencies.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
We should aim to use the thread-safe variants of getprotoby{name,number}
and getservbyport(). However, they may not be available with other libc,
so it requires a configure check. As that is cumbersome, add wrappers
that do that at one place.
These wrappers are thread-safe, if libc provides the reentrant versions.
Use them.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
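An added example (not the wrapper from this commit or from nftables) of the approach the message describes: one wrapper around getprotobyname() that uses the reentrant getprotobyname_r() when the libc has it. The HAVE_GETPROTOBYNAME_R macro is assumed to come from a configure check; here it is derived from __GLIBC__ so the example builds stand-alone.

```c
#include <errno.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: a real build would set this from a configure check such as
 * AC_CHECK_FUNCS([getprotobyname_r]); glibc is known to provide it. */
#if !defined(HAVE_GETPROTOBYNAME_R) && defined(__GLIBC__)
#define HAVE_GETPROTOBYNAME_R 1
#endif

/* Look up a protocol by name into caller-provided storage.
 * Returns a pointer to *result_buf on success, NULL if the name is unknown
 * or buf is too small. Thread-safe only when HAVE_GETPROTOBYNAME_R is set;
 * the fallback reads libc's static buffer, so callers must serialize. */
struct protoent *nft_getprotobyname(const char *name,
				    struct protoent *result_buf,
				    char *buf, size_t buflen)
{
#ifdef HAVE_GETPROTOBYNAME_R
	struct protoent *result = NULL;
	int err = getprotobyname_r(name, result_buf, buf, buflen, &result);

	if (err != 0) {
		errno = err;	/* ERANGE: buffer too small */
		return NULL;
	}
	return result;		/* NULL when the name is unknown */
#else
	struct protoent *pe = getprotobyname(name);

	(void)buf; (void)buflen;
	if (pe == NULL)
		return NULL;
	*result_buf = *pe;	/* shallow copy: strings still live in libc storage */
	return result_buf;
#endif
}

/* Convenience helper: protocol number for name, or -1 if unknown. */
int nft_proto_number(const char *name)
{
	struct protoent pe;
	char buf[1024];
	struct protoent *res = nft_getprotobyname(name, &pe, buf, sizeof(buf));

	return res ? res->p_proto : -1;
}

int main(void)
{
	printf("tcp -> %d\n", nft_proto_number("tcp"));	/* 6 if /etc/protocols lists it */
	return 0;
}
```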
With Python distutils and setuptools being deprecated, remove
integration with autotools. This integration is causing issues
in modern environments.
Note that setup.py is still left in place under the py/ folder.
Update INSTALL file to refer to Python support and setup.py.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use a more modern alternative to bzip2.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Create an example folder to add example source code files to show how to
use libnftables. Add first example program using the buffer API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
autoconf complains about three obsolete macros.
`AC_CONFIG_HEADER` has been superseded by `AC_CONFIG_HEADERS`, so
replace it.
`AM_PROG_LEX` calls `AC_PROG_LEX` with no arguments, but this usage is
deprecated. The only difference between `AM_PROG_LEX` and `AC_PROG_LEX`
is that the former defines `$LEX` as "./build-aux/missing lex" if no lex
is found to ensure a useful error is reported when make is run.
However, the configure script checks that we have a working lex and exits
with an error if none is available, so `$LEX` will never be called and
we can replace `AM_PROG_LEX` with `AC_PROG_LEX`.
`AM_PROG_LIBTOOL` has been superseded by `LT_INIT`, which is already in
configure.ac, so remove it.
We can also replace `AC_DISABLE_STATIC` with an argument to `LT_INIT`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update release name based on the Fearless Fosdick series: Prudence Pimpleton.
Bump dependencies on libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update release name based on the Fearless Fosdick series: E.D.S.
E.D.S. is the robotic "Electronic Detective Substitute" appearing in the
"Hole Story".
Bump dependencies on libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Garver says: "It would probably be better to use the automake macro
AM_PATH_PYTHON. [...] The above is fine for now."
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update release name based on the Fearless Fosdick series: Anyface.
Bump dependencies on libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update release name based on Jazz series, Gene Krupa's "Capital Idea".
Bump dependencies on libmnl and libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Commit 4f2813a313ae ("build: Include generated man pages in dist
tarball") skips AC_CHECK_PROG for A2X altogether if doc/nft.8 is
already present.
Now, starting from a clean situation, we can have this sequence:
./configure # doc/nft.8 not there, A2X set in doc/Makefile
make # builds doc/nft.8
./configure # doc/nft.8 is there, A2X left empty in doc/Makefile
make clean # removes doc/nft.8
make
resulting in:
[...]
GEN nft.8
/bin/sh: -L: command not found
make[2]: *** [Makefile:639: nft.8] Error 127
and the only way to get out of this is to issue ./configure again
after make clean, which is rather unexpected.
Instead of skipping AC_CHECK_PROG when doc/nft.8 is present, keep
it and simply avoid returning failure if a2x(1) is not available but
doc/nft.8 was built, so that A2X is properly set in doc/Makefile
whenever needed.
Fixes: 4f2813a313ae ("build: Include generated man pages in dist tarball")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The generated files are included in the tarballs already, but
configure.ac was coded to fail if yacc/lex were not found regardless.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Most projects ship pre-generated man pages in the distribution tarball
so that builders don't need the documentation tools installed, similar
to how bison-generated sources are included.
To do this, we conditionalize the presence check of a2x on whether nft.8
already exists in the source directory, as it would exist if included in
the distribution tarball.
Secondly, we move the 'if BUILD_MAN' conditional to around the man page
generation rules. This ensures that the man pages are unconditionally
installed. Also only add the man pages to CLEANFILES if their generation
is enabled.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>