| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Save a good bunch of lines of code with this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
With this patch, nft_table_xml_parse does not duplicate the string
anymore, which is what most callers seem to need. This fixes memleaks
in several places in the code. Thus, this patch also adapts the code
to duplicate it when needed.
Based on patch from Arturo Borrero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
==11917== 96 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11917== at 0x4C272B8: calloc (vg_replace_malloc.c:566)
==11917== by 0x4E3A46F: nft_rule_expr_alloc (expr.c:38)
==11917== by 0x4E3A331: nft_jansson_expr_parse (jansson.c:165)
==11917== by 0x4E36F66: nft_rule_json_parse (rule.c:542)
==11917== by 0x400EA4: main (nft-rule-json-add.c:68)
Reported-by: Álvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adapts JSON nodes to mimic current XML node tags.
Signed-off-by: Alvaro Neira Ayuso Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fixed display compat_proto value and compat_flag if available.
Signed-off-by: Alvaro Neira Ayuso Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes some XML nodes with prefixes, as the example below
ilustrates.
Before:
<rule>
<rule_flags/>
<rule_family/>
<rule>
After:
<rule>
<flags>
<family>
</rule>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Should have been done in (ec75831 src: fully constify nft_*_get
functions).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When working with XML, it's desirable to work with nodes better than
attributes.
Table/chain/rules had attributes in their XML representation, and
this patch transform those to nodes, ie:
Before:
<table name="filter">
<family>ip</family>
<table_flags>0</table_flags>
</table>
After:
<table>
<name>filter</name>
<family>ip</family>
<table_flags>0</table_flags>
</table>
While at it:
* There was a lot of redundant code that is now collapsed with the
new nft_mxml_family_parse() helper function.
* I've added a small fix: additional validation for the name of
the current XML object, and also replace raw strtol calls to nft_strtoi.
* Also, all XML testfiles are updated to keep passing the parsing tests and
mantain the repo in consisten state.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds xfree, a replacement of free that accepts
const pointers. This helps to remove ugly castings that you usually
need to calm down gcc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the version XML node and the version JSON field
in all our existing objects. The current versioning approach
consists of adding a version field to every object representation
in XML and JSON. While listing my entire rule-set, one can notice
that this approach is too bloated.
Once the library enters stable stage, if we need to obsolete a XML
node and a JSON field, we can follow this procedure:
1) Remove the XML node and the JSON field from the output, so fresh
outputs will not contain the old ones anymore.
2) Do not remove the parsing of the old XML node and the JSON field
inmediately. We have to keep supporting the parsing for a while
to avoid breaking the interpretion of old XML/JSON files. We can
spot a warning to warn about it, so users generate a fresh
output again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch moves common XML parsing code to nft_mxml_num_parse().
To handle this, the nft_strtoi() helper fuction is included.
I've changed some MXML_DESCEND[_FIRST] flags to avoid match a nested node under
some circumstances, ie, matching two nodes with the same name that are descendant.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch removes the default case in nft_*_attr_unset, thus, the
compiler will spot a warning if we add a new attribute in the future
and you forget to handle it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The functions nft_*_attr_is_set() is doing no modification
so it is possible to type it to const.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for position attribute which can be used
to insert a rule at a given position.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch refactors the getter code to simplify it. The default
cases have been removed so gcc will spot a warning if an attribute
is not handled appropriately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This redefines the meaning of nft_*_list_add to prepend, before this
patch it was appending, which was semantically wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This functions check if a given nft_*_list is empty or not.
I found this quite useful while working with a full ruleset.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch improves default plain text output by mimicing the
default output of libnl-nft.
While at it, several %lu has been translated to use %"PRIu64"
for correctness.
[ I have added the policy to string translation --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Move common code for XML parsing of expressions to the new
nft_mxml_expr_parse function.
This patch reduces the XML parsing code in 300 LOC.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
While at it, order possible switch cases of _snprintf.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch translates family values to display a string:
* ip if AF_INET
* ip6 if AF_INET6
* bridge if AF_BRIDGE
* arp if 0
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The compat XML info is now conditional both when printing and parsing.
It is only used by iptables-nftables.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch fixes a trailing space in rule xml_snprintf.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds a simplied iterator interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
In (dde2039 src: add nft_*_unset functions), I mangled Arturo's
patch to add a default case, but he was intentionally not adding
it to unset attributes that require no memory releases.
I prefered to add the attributes explicitly in the switch rather
on failing back on the default action.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
These functions unset the given attribute in each object and
release the data if needed.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add version to XML chunks in case of future changes.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Noted while calling _snprintf functions consecutively.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Added in (51370f0 src: add support for XML parsing).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
These casting were useless.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds capabilities for parsing a XML table/chain/rule.
Some comments:
* The XML data is case sensitive
(so <chain>asd</chain> != <chain>ASD</chain> != <CHAIN>asd</CHAIN>)
* All exported functions receive XML and return an object (table|chain|rule).
* To compile the lib with XML parsing support, run './configure --with-xml-parsing'
* XML parsing is done with libmxml (http://minixml.org). XML parsing depends
on this external lib, this dependency is optional at compile time.
NOTE: expr/target and expr/match binary data are exported.
[ Fixed to compile without --with-xml-parsing --pablo ]
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
| |
The caller should add it in case it needs it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Delete all \n and \t from XML output, any reasonable XML viewer
already does the nifty formatting for us.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The compat struct was not printed in XML. So, I think give output
format is the first step to parse it.
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Exported symbol should be nft_rule_attr_get_u32, not nft_rule_attr_get_u64.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds support to get and set the attribute
NFT_{TABLE|CHAIN|RULE}_ATTR_FAMILY.
I found this useful when parsing a XML table|chain|rule (future patch).
Signed-off-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Propagate the type and flags parameter to the expressions, so we can
implement outputs in different formats.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add nft_rule_attr_get_u8 to obtain the family number.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
|
| |
|
|
|
|
| |
5c4d30c nf_tables: use 64-bits rule handle instead of 16-bits
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
It adds support for table, chain and rule handling.
This also includes expression handling for each rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
