RDKBNETWOR-80 : Transform to Nftables from Iptables #104
base: develop
Conversation
Reason for change:
1) Translate all the RDKB IPtables rules to nftables
2) write into /tmp/.nft and /tmp/.nft_v6 files and apply into netfilter
3) all the nftables rules are added under firewall_nft dir
Test Procedure: RDKB Firewall functionality
Risks: Medium
Signed-off-by: Vijayaragavalu S <vijayaragavalu.s@infosys.com>

Reason for change:
1) Resolved build errors
2) Bug fixes wrt iptables to nftables rules conversion for a few cases
Test Procedure: RDKB Firewall functionality
Risks: Medium
Signed-off-by: Vijayaragavalu S <vijayaragavalu.s@infosys.com>

Reason for change: iptables to nftables rules conversion for extender, emta, nfq handler rules files
Test Procedure: RDKB Firewall functionality
Risks: Medium
Signed-off-by: Vijayaragavalu S <vijayaragavalu.s@infosys.com>

Reason for change: adapt these 2 newly added functions in the firewall nft ext file also: get_ip_and_netmask_addr, calculate_network_address
Test Procedure: RDKB Firewall functionality
Risks: Medium
Signed-off-by: Vijayaragavalu S <vijayaragavalu.s@infosys.com>
## WARNING: A Blackduck scan failure has been waived. A prior failure has been upvoted.
Reason for change:
1) build support for IPV6 nft file
2) Run time issues resolved for ipv4 and ipv6 nft
Test Procedure: RDKB Firewall functionality
Risks: Medium
Signed-off-by: Vijayaragavalu S <vijayaragavalu.s@infosys.com>

Reason for change:
1) Resolve bridge mode issue and managed site
Test Procedure: RDKB Firewall functionality
Risks: Medium
Signed-off-by: Vijayaragavalu S <vijayaragavalu.s@infosys.com>
98546e2 to d853da4
… iptables (#147)
Testing: RDKB Firewall functionality
1. Bootup device and check iptables -S.
2. Do syscfg set nft_enable 1 ; syscfg commit; reboot
3. Check nft list ruleset.
(Testing is for utopia component only and to check core functionality of iptables and nftables)

… iptables (#149)
Testing: RDKB Firewall functionality
1. Bootup device and check iptables -S.
2. Do syscfg set nft_enable 1 ; syscfg commit; reboot
3. Check nft list ruleset.
(Testing is for utopia component only and to check core functionality of iptables and nftables)
Co-authored-by: vijayragavalu <154231347+vijayragavalu@users.noreply.github.com>

… iptables (part 2) (#154)

… iptables (part 3) (#157)
Added an additional check whether firewall_ipt and firewall_nft are present.
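What the translation described in these commits produces in practice, as an added example that is not code from this PR or from utopia: a few typical iptables rules hand-translated to nftables, written to files the way the PR keeps separate v4 and v6 files, and loaded with `nft -f`. Interface names (brlan0, erouter0), ports and the output paths are assumptions for illustration only. It also shows the one trap in keeping two files: a `flush ruleset` at the top of the v6 file discards the v4 tables loaded a moment earlier, so each file declares and flushes only its own tables.

```shell
#!/bin/sh
# Added example, not code from this PR or from utopia: a few typical
# iptables rules hand-translated to nftables, written to files the way the
# PR describes and loaded with nft. Interface names (brlan0, erouter0),
# ports and the output paths are assumptions for illustration only.

# IPv4 ruleset. Each nft rule is preceded by the `iptables -S` form it
# replaces. The table is declared, then flushed, instead of using
# `flush ruleset`, so loading this file touches only its own tables.
gen_nft_v4() {
    cat <<'EOF'
table ip filter
flush table ip filter
table ip nat
flush table ip nat
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        # -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept
        # -A INPUT -i lo -j ACCEPT
        iifname "lo" accept
        # -A INPUT -i brlan0 -p tcp --dport 80 -j ACCEPT
        iifname "brlan0" tcp dport 80 accept
        # -A INPUT -i erouter0 -p tcp --dport 22 -j DROP
        iifname "erouter0" tcp dport 22 drop
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        # -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept
        # -A FORWARD -i brlan0 -o erouter0 -j ACCEPT
        iifname "brlan0" oifname "erouter0" accept
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        # -t nat -A POSTROUTING -o erouter0 -j MASQUERADE
        oifname "erouter0" masquerade
    }
}
EOF
}

# IPv6 ruleset for the separate v6 file. A `flush ruleset` here would also
# wipe the IPv4 tables loaded a moment earlier, hence the per-table flush.
gen_nft_v6() {
    cat <<'EOF'
table ip6 filter
flush table ip6 filter
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}
EOF
}

# Write both files; prints the v4 path, then the v6 path.
write_nft_files() {
    v4="${1:-/tmp/.nft.example}"
    v6="${2:-/tmp/.nft_v6.example}"
    gen_nft_v4 > "$v4"
    gen_nft_v6 > "$v6"
    printf '%s\n%s\n' "$v4" "$v6"
}

# Guard against the pitfall above: succeed only if the file has no
# `flush ruleset` that would discard every other family's tables.
check_no_global_flush() {
    ! grep -q '^flush ruleset' "$1"
}

# nft -f loads the whole file in one transaction, so a syntax error leaves
# the running ruleset untouched. Unprivileged: parse only (-c). No nft: skip.
apply_nft_file() {
    f="$1"
    check_no_global_flush "$f" || { echo "$f: refusing to apply, global flush" >&2; return 1; }
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not available; $f written but not applied" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        nft -c -f "$f"
        return
    fi
    nft -f "$f" && nft list ruleset
}

# Typical use on a device:
#   write_nft_files /tmp/.nft /tmp/.nft_v6 >/dev/null
#   apply_nft_file /tmp/.nft && apply_nft_file /tmp/.nft_v6
```

`nft -c -f` is the check-only mode, which is the quickest way to catch a translation error before the reboot step in the test procedure; `nft list ruleset` after a successful load is the equivalent of the `iptables -S` check, and the `iifname`/`oifname` matches (as opposed to `iif`/`oif`) are what keeps the rules valid when an interface such as erouter0 is recreated with a new index.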
| to.sin_family = AF_INET; | ||
| to.sin_addr.s_addr = inet_addr(dstIp); // you can also use inet_aton() | ||
| to.sin_port = htons(dstPort); | ||
| memset(to.sin_zero, '\0', sizeof(to.sin_zero)); |
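Review bot: `inet_addr(dstIp)` on the second line cannot report a bad address safely, because its failure value INADDR_NONE is the same bit pattern as the valid broadcast address 255.255.255.255; use `inet_pton(AF_INET, dstIp, &to.sin_addr)` and bail out on a return value of 0 (the comment already points at `inet_aton()`, which also returns 0 on failure and is the minimal fix). On the `memset` that CodeQL flags: `sin_zero` is padding the kernel never reads, so zeroing it is cosmetic, and the warning only says the store is dead because none of the visible lines use `to` afterwards; zero-initializing the struct at its declaration (`struct sockaddr_in to = {0};`) gives the same result without a separate call for the analyzer to flag.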
Check failure: Code scanning / CodeQL: Call to `memset` may be deleted (High)

Copilot Autofix (AI, 12 days ago):
To fix this issue, replace the use of `memset` with a function guaranteed not to be optimized away by compilers. If the target platform/compiler supports C11, use `memset_s`. If not, use a secure zeroing function like `explicit_bzero` (on some platforms) or a fallback implementation if neither is available. Because you can only edit the region shown, the best approach in the given context is to use `memset_s` if available, falling back to `memset` otherwise. This involves:
- Including a feature test for `memset_s` at the top of the file.
- Replacing `memset` at line 140 with `memset_s` and adding a fallback in case of non-support (as per the C11 standard: `memset_s` returns nonzero if unsupported).
- If you can only edit the code as shown, you can directly replace `memset` with `memset_s` and ensure the required header is present.
| @@ -137,7 +137,12 @@ | ||
| to.sin_family = AF_INET; | ||
| to.sin_addr.s_addr = inet_addr(dstIp); // you can also use inet_aton() | ||
| to.sin_port = htons(dstPort); | ||
| memset(to.sin_zero, '\0', sizeof(to.sin_zero)); | ||
| // Use memset_s if available to ensure zeroing is not optimized out | ||
| #if defined(__STDC_LIB_EXT1__) | ||
| memset_s(to.sin_zero, sizeof(to.sin_zero), 0, sizeof(to.sin_zero)); | ||
| #else | ||
| memset(to.sin_zero, 0, sizeof(to.sin_zero)); // Fallback if memset_s not available | ||
| #endif | ||
| if((sent = write(rawsock, pkt, pkt_len)) != pkt_len) | ||
| { |
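Review bot: the `#if defined(__STDC_LIB_EXT1__)` guard in the suggested hunk will not select `memset_s` on the Linux C libraries an RDK-B image builds against (neither glibc nor musl implements C11 Annex K, so the macro is never defined), and `memset_s` is only declared when `__STDC_WANT_LIB_EXT1__` is defined before `<string.h>` is included, which the hunk does not do; the `#else` branch is what compiles, so the change is a no-op and the CodeQL finding stays. Since `sin_zero` is padding rather than secret material, drop the extra lines and zero-initialize the variable where it is declared (`struct sockaddr_in to = {0};`); if a guaranteed scrub is actually wanted, `explicit_bzero(to.sin_zero, sizeof(to.sin_zero));` is what glibc (2.25+) and musl provide for that.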