| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
This patch fixes some leaks in the json parsing function. After this patch,
we use nft_jansson_free_root. This function uses json_decref and it
decrements the reference count and it releases the node if needed.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Replace existing code to use nft_mxml_str_parse.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
With this patch, nft_table_xml_parse does not duplicate the string
anymore, which is what most callers seem to need. This fixes memleaks
in several places in the code. Thus, this patch also adapts the code
to duplicate it when needed.
Based on patch from Arturo Borrero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since the 'use' attribute in a chain can't be set, ignore it in the
XML printing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Refactor some existing code with the new function nft_jansson_family.
Signed-off-by: Alvaro Neira Ayuso Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Remove a good bunch of LOC with this cleanup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When working with XML, it's desirable to work with nodes better than
attributes.
Table/chain/rules had attributes in their XML representation, and
this patch transform those to nodes, ie:
Before:
<table name="filter">
<family>ip</family>
<table_flags>0</table_flags>
</table>
After:
<table>
<name>filter</name>
<family>ip</family>
<table_flags>0</table_flags>
</table>
While at it:
* There was a lot of redundant code that is now collapsed with the
new nft_mxml_family_parse() helper function.
* I've added a small fix: additional validation for the name of
the current XML object, and also replace raw strtol calls to nft_strtoi.
* Also, all XML testfiles are updated to keep passing the parsing tests and
mantain the repo in consisten state.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
We have several char * field that were not constify to avoid
gcc compilation warnings when calling free. Since (99d2574 src:
add xfree and use it), we can fully constify these objects
fields without trouble.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds xfree, a replacement of free that accepts
const pointers. This helps to remove ugly castings that you usually
need to calm down gcc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Note: I've used MXML_DESCEND_FIRST flag when calling nft_mxml_str_parse()
to ensure that the parsing travels from the top of the chain XML tree.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
| |
If neither XML_PARSING nor JSON_PARSING are defined (libnftables configured
without XML/JSON parsing support), a warning is produced due to unused
nft_str2hooknum() function.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch deletes the <properties> node in chain and table XML objects.
For this to work, the first tree search with MXML_DESCEND_FIRST flag is moved
to the next node.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
nft_str2hooknum() should return -1 if no hooknum was found.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add function for parsing chains in format JSON.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
I have removed the properties node from chain because it's a node without relevant information
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use nft_verdict2str function instead.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the version XML node and the version JSON field
in all our existing objects. The current versioning approach
consists of adding a version field to every object representation
in XML and JSON. While listing my entire rule-set, one can notice
that this approach is too bloated.
Once the library enters stable stage, if we need to obsolete a XML
node and a JSON field, we can follow this procedure:
1) Remove the XML node and the JSON field from the output, so fresh
outputs will not contain the old ones anymore.
2) Do not remove the parsing of the old XML node and the JSON field
inmediately. We have to keep supporting the parsing for a while
to avoid breaking the interpretion of old XML/JSON files. We can
spot a warning to warn about it, so users generate a fresh
output again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch moves common XML parsing code to nft_mxml_num_parse().
To handle this, the nft_strtoi() helper fuction is included.
I've changed some MXML_DESCEND[_FIRST] flags to avoid match a nested node under
some circumstances, ie, matching two nodes with the same name that are descendant.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch removes the default case in nft_*_attr_unset, thus, the
compiler will spot a warning if we add a new attribute in the future
and you forget to handle it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The functions nft_*_attr_is_set() is doing no modification
so it is possible to type it to const.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch refactors the getter code to simplify it. The default
cases have been removed so gcc will spot a warning if an attribute
is not handled appropriately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
In (74ccff7 chain: json: use string to identify policy), the
json support for chain was unintentionally swapping the table
name and the family.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This redefines the meaning of nft_*_list_add to prepend, before this
patch it was appending, which was semantically wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
* if we don't have hooknum we don't need to print the policy tag
* If we have hooknum, i have used the policy2str function for printing the policy with
"accept" string or "drop" string
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This functions check if a given nft_*_list is empty or not.
I found this quite useful while working with a full ruleset.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch improves default plain text output by mimicing the
default output of libnl-nft.
While at it, several %lu has been translated to use %"PRIu64"
for correctness.
[ I have added the policy to string translation --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
While at it, order possible switch cases of _snprintf.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Now the <policy> node is using "accept" or "drop".
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch translates family values to display a string:
* ip if AF_INET
* ip6 if AF_INET6
* bridge if AF_BRIDGE
* arp if 0
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch translates the Netfilter hooknumber to a readable string.
Useful for printing and parsing in XML and JSON formats.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This attribute was not approapriately set in most cases.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds a simplied iterator interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
In (dde2039 src: add nft_*_unset functions), I mangled Arturo's
patch to add a default case, but he was intentionally not adding
it to unset attributes that require no memory releases.
I prefered to add the attributes explicitly in the switch rather
on failing back on the default action.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
These functions unset the given attribute in each object and
release the data if needed.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add version to XML chunks in case of future changes.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
These casting were useless.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds capabilities for parsing a XML table/chain/rule.
Some comments:
* The XML data is case sensitive
(so <chain>asd</chain> != <chain>ASD</chain> != <CHAIN>asd</CHAIN>)
* All exported functions receive XML and return an object (table|chain|rule).
* To compile the lib with XML parsing support, run './configure --with-xml-parsing'
* XML parsing is done with libmxml (http://minixml.org). XML parsing depends
on this external lib, this dependency is optional at compile time.
NOTE: expr/target and expr/match binary data are exported.
[ Fixed to compile without --with-xml-parsing --pablo ]
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
| |
And constify data passed to nft_chain_attr_set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The uint32_t flags attribute is internal, so no need to
export via XML.
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The caller should add it in case it needs it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Delete all \n and \t from XML output, any reasonable XML viewer
already does the nifty formatting for us.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds support to get and set the attribute
NFT_{TABLE|CHAIN|RULE}_ATTR_FAMILY.
I found this useful when parsing a XML table|chain|rule (future patch).
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are some problems in using attributes:
* they cannot contain multiple values (child elements can)
* they are not easily expandable (for future changes)
* they cannot describe structures (child elements can)
* they are more difficult to manipulate by program code
* attribute values are not easy to test against a DTD
Extracted from "XML Elements vs. Attributes" at:
http://www.w3schools.com/dtd/dtd_el_vs_attr.asp
For more information.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Support the new approach for chain renaming based on the chain
handle.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
