| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we parse a ruleset which has a rule using a set. First step is to
parse the set, set up an ID and add it to a set list. Later, we use this
set list to find the set associated to the rule and we set up the set ID
to the expression (lookup expression) of the rule.
The problem is that if we return this set to the callback function
nft_ruleset_parse_file_cb() and we free this set, we have a crash when
we try to iterate in the set list.
This patch solves it, cloning the set and adding the new set to the set
list.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The internal.h file started being a small file with private definitions.
Its size has been increasing over time more and more, so let's split
this in small header files that map to the corresponding class where the
functions belong to.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to parse the new command tag in XML/JSON. This
patch adds two new functions:
* nft_ruleset_parse_file_cb
* nft_ruleset_parse_buffer_cb
The idea is to invoke the callback function that is passed as parameter is
called for each object that is parsed from the corresponding input. Each
callback has access to the nft_parse_ctx structure that provides the necessary
context such as the command, the object type and the object itself.
This change also adds support to update the content of a set incrementally.
{"nftables":[{"add":[{"element":{"name":"blackhole","table":"filter",
"family":"ip","key_type":7,"key_len":4,"set_elem":[{"key":{
"reg":{"type":"value","len":4,"data0":"0x0403a8c0"}}}]}}]}]}
This also patch consolidates the xml/json ruleset import path.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we can't do incremental updates via JSON/XML.
This patch enriches the existing output to indicate the kind of
update that you want to perform.
So, if we have a ruleset like:
table ip filter {
chain input {
type filter hook input priority 0;
}
}
The new output looks like:
{"nftables":[{"add":[{"table":{"name":"filter",...}}]}]}
^^^^^
Where we explicitly indicate that we want to add a table.
We support all the actions that we can do with nft, they are:
- Add, delete and flush tables and chains.
- Add, delete, replace and insert rules.
- Add and delete sets.
- Add and delete set elements.
- Flush ruleset.
You only need to add the command tag:
{"nftables":[{"delete":[{...}, {...},...}]}]}
^^^^^^^^
The possible command tags that you can use are "add", "delete", "insert",
"replace" and "flush".
- Flush table or chain, eg.:
{"nftables":[{"flush":[{"table":{"name":...}}]}]}
- Delete table, chain, set or rule:
{"nftables":[{"delete":[{"chain":{"name":...}]}]}
- Replace a rule (you have to specify the handle):
{"nftables":[{"replace":[{"rule":{...}}]}]}
- Insert a rule:
{"nftables":[{"insert":[{"rule":{...}}]}]}
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch refactors code to parse the set in two functions
nft_jansson_parse_set_info and nft_jansson_parse_set. These changes are
used in follow up patches.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Currently, we create iterator without test if the list is empty. If the
list is empty, we have a crash when we set up the current element. With
this patch, we test if the list is empty before to create the iterator.
If the list is empty the iterator return NULL.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Extends this function to attach the set to the rule through the set_idi.
If it doesn't exist in the list, maybe the set already exists in the
kernel. In that case, we don't set any id.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
In commit ff62959("set: add support for set mechanism selection") the
support for parsing the nested attribute (NFTA_SET_DESC) was incorrect.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to select the set mechanism.
The kernel support was added in commit:
c50b960 netfilter: nf_tables: implement proper set selection
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has ocurred.
This is an example of the (hypothetical) message that is shown in that
case:
nf_tables kernel ABI is broken, contact your vendor.
table.c:214 reason: Numerical result out of range
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Free memory in the same function that is reserved.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It changes the parse and the snprint functions to omit unset values.
This json file is gotten for a set:
{
"set": {
"name": "mi6set3",
"table": "test6",
"flags": "0",
"family": "unknown",
"key_type": "0",
"key_len": "0",
"set_elem": [
{
"flags": "0",
"key": {
"data_reg": {
"type": "value",
"len": "16",
"data0": "0x000080fe",
"data1": "0x00000000",
"data2": "0xffb30202",
"data3": "0x89001efe"
Now, This json file is gotten for a set without unset elements.
{
"set": {
"name": "mi6set3",
"table": "test6",
"family": "unknown",
"set_elem": [
{
"key": {
"data_reg": {
"type": "value",
"len": "16",
"data0": "0x000080fe",
"data1": "0x00000000",
"data2": "0xffb30202",
"data3": "0x89001efe"
[ Note: These fields are unset when they are obtained from the set element
information --pablo. ]
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It changes the parse and the snprint functions to omit unset values.
This xml file is gotten for a set:
<set>
<family>unknown</family>
<table>test</table>
<name>miset</name>
<flags>0</flags>
<key_type>0</key_type>
<key_len>0</key_len>
<set_elem>
<flags>0</flags>
<key>
<data_reg type="value">
<len>4</len>
<data0>0x0401a8c0</data0>
</data_reg>
</key>
</set_elem>
<set_elem>
<flags>0</flags>
<key>
<data_reg type="value">
<len>4</len>
<data0>0x0501a8c0</data0>
</data_reg>
</key>
</set_elem>
</set>
Now, this xml file is gotten without unset values:
<set>
<family>unknown</family>
<table>test</table>
<name>miset</name>
<set_elem>
<key>
<data_reg type="value">
<len>4</len>
<data0>0x00000002</data0>
</data_reg>
</key>
</set_elem>
<set_elem>
<key>
<data_reg type="value">
<len>4</len>
<data0>0x0401a8c0</data0>
</data_reg>
</key>
</set_elem>
</set>
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Code refactoring to use nft_rule_expr_set_* in parse functions.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add the set ID (u32) which allows us to uniquely identify the set
in the batch that is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch uses the flag option of each output function to print an
event wrapper string in each object.
In order to use this functionality, the caller must pass the
corresponding flags: NFT_OF_EVENT_NEW / NFT_OF_EVENT_DEL.
(I have slightly refactorized the original code to add the xml/json
header and footer --pablo).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you try to obtain an unset attribute, you hit an assertion error
that should not happen. Fix this by checking if the attribute is
unset, otherwise skip the assertion checking.
Now that we have that nft_assert takes the data parameter, we can also
validate if someone is using the setter passing NULL, which is illegal.
So let's add an assertion for that as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
We have to check if mnl_attr_parse() returns an error, which means that it
failed to validate and retrieve the attributes.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds two functions that allows you to validate the size
of the attribute. This new functions provide a replacement for
nft_rule_attr_set and nft_rule_attr_get.
The data_len parameter was already passed to the {_set|_get} funcion
in expressions. For consistency, add nft_rule_expr_{set|get}_data
alias.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This allows us to remove the default case in the switch, which
show help to spot missing attribute support since gcc will spot
a compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
We plan to use this library name for the higher layer library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Don't print data_type and data_len if they aren't set.
Also, they are optional when parsing.
Printing and parsing unconditionally leads to false values and other errors.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds a new API to parse rule-set expressed in XML/JSON from
a file. A new enum nft_parse_input type is added for this purpose.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
The intention behind this patch is to prepare the introduction of
the new API that will allow us to parse files that contain the rule-sets
expressed in XML/JSON format. This adds the NFT_PARSE_BUFFER that
indicates that the input is provided in a buffer, which is what we
currently support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add missing support in the API function to parse a JSON set_elem.
I've renamed the main JSON parsing function to prevent clashing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add new function nft_nlmsg_build_hdr which consolidates all existing
functions to build headers per object. They basically look the same.
This patch still provides aliases for consistency in the naming
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now it's possible to print directly from libnftables to a file or
other stream. The caller must explicitly print the trailing '\n'
in this call.
The error reporting of fprintf (< 0) is respected. However, we have
already print some information in case that the default (plain text)
output is used, that output is mostly intended for debugging so it
should not be a problem.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by John Sager, nft_set_attr_get_u32 can cause a
segfault because nft_set_attr_get can return NULL. Check for
a non-NULL pointer before dereferencing.
This closes netfilter bugzilla #868.
[ I have mangled this patch to solve possible null pointer
dereference with get operations with rule objects --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove all the spaces from the JSON output to reduce the size
of the output string, this also provides a consistent output
in table, chain, rule and set.
As Stephen Hemminger suggested, better to squash the output to
consume as less bytes as possible.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds a low level ruleset API for libnftables.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Similar to (e7c068d rule: json: fix returned string length).
Based on patch from Arturo.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use 'len' instead of 'size' since we need the remaining unused bytes
in the buffer, not its total size.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This allows us to delete object from the list, note that
nft_chain_list_del already existed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch refactors nft_*_xml_parse to provide a new intermediate function
nft_mxml_parse_* which will allow us to navigate an entire XML tree
containing a ruleset without xml2text2xml conversions.
While at it, I added a helper to build the XML tree and validate the top node
name.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Add an optional/mandatory flag to XML parsing.
In some elements (ie regs), no flag is used because is always mandatory.
DATA_NONE is created to indicate a non-parsed data_reg.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch refactors nft_*_json_parse to provide a new
intermediate function nft_jansson_parse_chain which will
allows us to navigate the entire json tree containing the
ruleset.
Signed-off-by: Álvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Bug introduced by myself at 44928cd5 [set: add XML parsing]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add function for parsing set in format JSON.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Since the input string is not changing, let's make it constant.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch, nft_table_xml_parse does not duplicate the string
anymore, which is what most callers seem to need. This fixes memleaks
in several places in the code. Thus, this patch also adapts the code
to duplicate it when needed.
Based on patch from Arturo Borrero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move nft_mxml_set_elem_parse to set_elem.c to improve readability, thus,
we don't need to jump from set_elem.c to mxml.c to see how the parsing
is done.
I have also refactored some common parsing code in the new helper
function nft_mxml_set_elem_parse, that avoids conversions from XML tree
to text and then again back to tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes some XML nodes with prefixes, as the example below
ilustrates.
Before:
<rule>
<rule_flags/>
<rule_family/>
<rule>
After:
<rule>
<flags>
<family>
</rule>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Use nft_mxml_family_parse() to parse the family.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Not needed anymore after constification.
Based on patch from Arturo Borrero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
We have several char * field that were not constify to avoid
gcc compilation warnings when calling free. Since (99d2574 src:
add xfree and use it), we can fully constify these objects
fields without trouble.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds xfree, a replacement of free that accepts
const pointers. This helps to remove ugly castings that you usually
need to calm down gcc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the version XML node and the version JSON field
in all our existing objects. The current versioning approach
consists of adding a version field to every object representation
in XML and JSON. While listing my entire rule-set, one can notice
that this approach is too bloated.
Once the library enters stable stage, if we need to obsolete a XML
node and a JSON field, we can follow this procedure:
1) Remove the XML node and the JSON field from the output, so fresh
outputs will not contain the old ones anymore.
2) Do not remove the parsing of the old XML node and the JSON field
inmediately. We have to keep supporting the parsing for a while
to avoid breaking the interpretion of old XML/JSON files. We can
spot a warning to warn about it, so users generate a fresh
output again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|