summaryrefslogtreecommitdiffstats
path: root/src/expr/reject.c
Commit message (Collapse)AuthorAgeFilesLines
* src: remove nftnl_rule_cmp() and nftnl_expr_cmp()Pablo Neira Ayuso2018-10-241-16/+0
| | | | | | | | | | | | | | These functions are not very useful, rule comparison from this layer does not work well with implicit set definitions. This infrastructure was added as an attempt to support for deletion by name from this layer, which should be done from higher level libnftables library. Finally, we never had a client for this code in git.netfilter.org. Let's remove it and bump libversion for safety reasons. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use memcpy() to handle potentially unaligned dataMatt Turner2018-10-191-2/+2
| | | | | | | | | | | | Rolf Eike Beer <eike@sf-mail.de> reported that nft-expr_quota-test fails with a SIGBUS on SPARC due to unaligned accesses. This patch resolves that and fixes additional sources of unaligned accesses matching the same pattern. Both nft-expr_quota-test and nft-expr_objref-test generated unaligned accesses on DEC Alpha. Bug: https://bugs.gentoo.org/666448 Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove json supportPablo Neira Ayuso2018-10-151-37/+0
| | | | | | We have better json support in libnftables these days. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: no need to nul-terminate buffer from expression ->snprintf indirectionPablo Neira Ayuso2017-10-041-3/+0
| | | | | | | ->snprintf() is always called via nftnl_expr_snprintf() wrapper, which is already dealing with this corner case for us. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Buffer is null terminated.Varsha Rao2017-09-271-0/+3
| | | | | | | In _snprintf() functions definition the buffer is null terminated. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove libmxml supportArturo Borrero2016-09-231-24/+0
| | | | | | | | | | | | | | | | | | | This patch removes the libmxml integration in libnftnl, since we have JSON in place and there is no need to support two at the same time. The JSON support is much better, for example libjansson has a better parsing error reporting. Moreover, libmxml 2.10 breaks the integration with libnftnl somehow, as reported in Debian bug #83870 [0]. Also, the XML support inside libnftnl has never been in good shape, with several tiny inconsitencies. [0] https://bugs.debian.org/838370 Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Implement rule comparisonCarlos Falgueras García2016-08-171-0/+16
| | | | | | | | | | | | | | | | | | | | This patch implements the function: bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) for rule comparison. Expressions within rules need to be compared, so also has been created the function: bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2); Also includes all expression comparators. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: constify object arguments to various functionsPatrick McHardy2016-05-091-4/+4
| | | | | | | | | flow table support needs constant object arguments to printing functions to avoid ugly casts. While at it, also constify object arguments to message construction, destructor and a few helper functions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_exprPablo Neira Ayuso2015-09-071-27/+27
| | | | | | | Use a shorter name for this, morever this can be used from sets so the _rule_ is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename existing functions to use the nftnl_ prefixPablo Neira Ayuso2015-09-071-60/+60
| | | | | | | | | So we can use the nft_* prefix anytime soon for our upcoming higher level library. After this patch, the nft_* symbols become an alias of the nftnl_* symbols. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: restore static array with expression operationsPablo Neira Ayuso2015-03-231-5/+0
| | | | | | | | | | | | | We cannot use __attribute__((constructor)) to register the supported expressions in runtime when the library is statically linked. This lead us to some explicit libnftnl_init() function that needs to be called from the main() function of the client program. This patch reverts 4dd0772 ("expr: use __attribute__((constructor)) to register expression"). Reported-by: Laurent Bercot <ska-devel@skarnet.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: split internal.h is smaller filesPablo Neira Ayuso2015-02-171-2/+0
| | | | | | | | | The internal.h file started being a small file with private definitions. Its size has been increasing over time more and more, so let's split this in small header files that map to the corresponding class where the functions belong to. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate XML/JSON exportationPablo Neira Ayuso2014-11-101-40/+11
| | | | | | | | | | | | | | Add new buffer class to consolidate the existing code to export objects in XML/JSON and use it. We save ~700 LOC with this change. The rule and set objects are not yet consolidated. It seems this would require some specific glue code per representation type since lists are arranged differently. This also consolidates the tag names, so we make sure the same are used from XML and JSON by placing them in include/buffer.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: stricter netlink attribute length validationPablo Neira Ayuso2014-07-201-8/+4
| | | | | | | | | | | | If the kernel sends us different data length for a given attribute, stop further processing and indicate that an ABI breakage has ocurred. This is an example of the (hypothetical) message that is shown in that case: nf_tables kernel ABI is broken, contact your vendor. table.c:214 reason: Numerical result out of range Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: reject: Do not print unset values in jsonAna Rey2014-06-051-11/+20
| | | | | | | | | | | | | | | | It changes the parse and the snprint functions to omit unset values. If It uses this rule: nft add rule ip test output input It gets this json file: [...] "expr":[{"type":"reject","type":0,"code":0}]} Now, That rule creates this json file without null values: [...] "expr":[{"type":"reject"}]} Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: reject: Convert the type of a variableAna Rey2014-06-051-1/+1
| | | | | | | Convert the type of a variable from uint16_t to uint8_t. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: reject: Do not print unset values in xmlAna Rey2014-06-051-9/+17
| | | | | | | | | | | | | | | | | | | | | | | | | It changes the parse and the snprint functions to omit unset values. If we used this rule: nft add rule ip test output reject It gets this xml file: [...] <expr type="reject"> <type>0</type> <code>0</code> </expr> </rule></nftables> Now, That rule creates this xml file without null values: [...] <expr type="reject"> </expr> </rule></nftables> Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: reject: Use nft_rule_expr_set_* in the xmlAna Rey2014-06-051-9/+6
| | | | | | Code refactoring to use nft_rule_expr_set_* in parse functions. Signed-off-by: Ana Rey <anarey@gmail.com>
* expr: reject: Add nft_rule_expr_reject_snprinf_* functionsAna Rey2014-06-051-10/+32
| | | | | | | | | | | | Code refactoring in nft_rule_expr_reject_snprinf functions. This process adds three new functions: * nft_rule_expr_reject_snprinf_default * nft_rule_expr_reject_snprinf_xml * nft_rule_expr_reject_snprinf_json Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rename library to libnftnllibnftnl-1.0.0Pablo Neira Ayuso2014-01-201-2/+2
| | | | | | We plan to use this library name for the higher layer library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: new error reporting approach for XML/JSON parsersÁlvaro Neira Ayuso2014-01-061-6/+10
| | | | | | | | | | | | | | I have added a new structure for reporting some errors in parser that we can't cover with errno. In this patch, we have three errors that we can't cover with errno: NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input NFT_PARSE_EMISSINGNODE : Missing node in our input NFT_PARSE_EBADTYPE : Wrong type value in a node Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unify parse and output typesÁlvaro Neira Ayuso2013-11-141-3/+3
| | | | | | | | | Unify parse and output types that are redundant to all existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT] are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML]. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add rejectPablo Neira Ayuso2013-10-271-0/+213
This patch adds support for the reject expression. Tested-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>