path: root/src
Commit message | Author | Age | Files | Lines
...
* src: remove default case from nft_*_attr_unset | Pablo Neira Ayuso | 2013-07-21 | 3 | -29/+28
    This patch removes the default case in nft_*_attr_unset, so the compiler will spot a warning if we add a new attribute in the future and you forget to handle it.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify parameter of nft_*_is_set | Eric Leblond | 2013-07-19 | 5 | -5/+5
    The nft_*_attr_is_set() functions do no modification, so it is possible to make the parameter const.
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: display position in default printf | Eric Leblond | 2013-07-19 | 1 | -2/+2
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add support for position attribute | Eric Leblond | 2013-07-19 | 1 | -0/+19
    This patch adds support for the position attribute, which can be used to insert a rule at a given position.
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: simplify getter logic | Pablo Neira Ayuso | 2013-07-18 | 21 | -477/+160
    This patch refactors the getter code to simplify it. The default cases have been removed so gcc will spot a warning if an attribute is not handled appropriately.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
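The two commits above (removing the default case from the unset and getter switches) rely on gcc's -Wswitch, enabled by -Wall, which reports any enumerator that a switch over an enum type does not handle, but only when the switch has no default label. The following is an added example written for this page, not libnftnl code: an illustrative rule object with a flags word, an exhaustive unset switch, and a runtime range check for attribute numbers that arrive from callers rather than from the enum. All names (demo_rule, DEMO_RULE_ATTR_*) are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative attribute enum; the trailing sentinel is not an attribute. */
enum demo_rule_attr {
	DEMO_RULE_ATTR_FAMILY = 0,
	DEMO_RULE_ATTR_TABLE,
	DEMO_RULE_ATTR_CHAIN,
	DEMO_RULE_ATTR_HANDLE,
	DEMO_RULE_ATTR_POSITION,
	__DEMO_RULE_ATTR_MAX
};

struct demo_rule {
	uint32_t flags;      /* one bit per attribute: set or not */
	uint32_t family;
	char     table[32];
	char     chain[32];
	uint64_t handle;
	uint64_t position;
};

bool demo_rule_attr_is_set(const struct demo_rule *r, enum demo_rule_attr attr)
{
	return attr < __DEMO_RULE_ATTR_MAX && (r->flags & (1u << attr)) != 0;
}

/* Set one of the integer attributes; false for string attributes or
 * out-of-range numbers.  The range check guards values coming from a caller;
 * the missing default label guards enumerators forgotten by a developer. */
bool demo_rule_attr_set_u64(struct demo_rule *r, enum demo_rule_attr attr, uint64_t v)
{
	if (attr >= __DEMO_RULE_ATTR_MAX)
		return false;

	switch (attr) {
	case DEMO_RULE_ATTR_FAMILY:
		r->family = (uint32_t)v;
		break;
	case DEMO_RULE_ATTR_HANDLE:
		r->handle = v;
		break;
	case DEMO_RULE_ATTR_POSITION:
		r->position = v;
		break;
	case DEMO_RULE_ATTR_TABLE:
	case DEMO_RULE_ATTR_CHAIN:
	case __DEMO_RULE_ATTR_MAX:
		return false;   /* not integer attributes */
	}
	r->flags |= 1u << attr;
	return true;
}

/* Clear an attribute.  Deliberately no default: label, so adding an
 * enumerator above without a case here makes gcc -Wall print
 * "enumeration value '...' not handled in switch" at build time. */
bool demo_rule_attr_unset(struct demo_rule *r, enum demo_rule_attr attr)
{
	if (attr >= __DEMO_RULE_ATTR_MAX)
		return false;

	switch (attr) {
	case DEMO_RULE_ATTR_FAMILY:
		r->family = 0;
		break;
	case DEMO_RULE_ATTR_TABLE:
		memset(r->table, 0, sizeof(r->table));
		break;
	case DEMO_RULE_ATTR_CHAIN:
		memset(r->chain, 0, sizeof(r->chain));
		break;
	case DEMO_RULE_ATTR_HANDLE:
		r->handle = 0;
		break;
	case DEMO_RULE_ATTR_POSITION:
		r->position = 0;
		break;
	case __DEMO_RULE_ATTR_MAX:
		return false;   /* unreachable after the range check, listed for -Wswitch */
	}
	r->flags &= ~(1u << attr);
	return true;
}
```

Compile with `gcc -Wall` and add a sixth enumerator without a case to see the warning; the range check stays necessary because a caller can pass any integer, which the compiler check cannot see.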
* utils: ARP family is number 3 | Pablo Neira Ayuso | 2013-07-18 | 1 | -1/+1
    Netfilter uses family number 3 for ARP since AF_ARP does not exist.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: json: fix wrong display of table and family | Álvaro Neira Ayuso | 2013-07-18 | 1 | -2/+2
    In (74ccff7 chain: json: use string to identify policy), the json support for chain was unintentionally swapping the table name and the family.
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_add_tail | Pablo Neira Ayuso | 2013-07-16 | 5 | -4/+32
    This redefines the meaning of nft_*_list_add to prepend; before this patch it was appending, which was semantically wrong.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: json: use string to identify policy | Álvaro Neira Ayuso | 2013-07-16 | 1 | -26/+40
    * if we don't have hooknum we don't need to print the policy tag
    * If we have hooknum, I have used the policy2str function for printing the policy with the "accept" string or the "drop" string
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: json: fix incomplete output | Álvaro Neira Ayuso | 2013-07-16 | 3 | -28/+46
    In (bf39c53 set: add json output), the json support for sets was incomplete:
    * version, family, key_type, key_len, data_type, data_len were not included.
    * Now I use nft_data_reg_snprintf for printing the key and data
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: fix getter | Pablo Neira Ayuso | 2013-07-15 | 1 | -4/+6
    Set missing data length via getter, otherwise it returns zero.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_is_empty() functions | Arturo Borrero | 2013-07-15 | 5 | -0/+28
    These functions check whether a given nft_*_list is empty or not. I found this quite useful while working with a full ruleset.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_expr_data to replace explicit casting to obtain expression data | Pablo Neira Ayuso | 2013-07-13 | 16 | -98/+97
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: use __attribute__((constructor)) to register expression | Pablo Neira Ayuso | 2013-07-13 | 18 | -39/+89
    Instead of manual array registration.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
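Two of the commits above touch the same plumbing: nft_*_list_add now prepends while nft_*_list_add_tail appends (for a firewall ruleset the difference is which rule is evaluated first), and expression types are registered from __attribute__((constructor)) functions instead of a hand-maintained array. The block below is an added example written for this page, not libnftnl code, showing both on a kernel-style circular doubly-linked list: add() inserts right after the head, add_tail() right before it, and each expression "ops" object appends itself to a registry before main() runs. All identifiers (demo_list_head, demo_expr_ops, DEMO_EXPR_REGISTER) are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Kernel-style circular doubly-linked list; an empty list points at itself. */
struct demo_list_head {
	struct demo_list_head *next, *prev;
};

#define DEMO_LIST_HEAD_INIT(name) { &(name), &(name) }

static inline void demo_list_insert(struct demo_list_head *n,
				    struct demo_list_head *prev,
				    struct demo_list_head *next)
{
	next->prev = n;
	n->next = next;
	n->prev = prev;
	prev->next = n;
}

/* Insert right after the head: the newest element is iterated first. */
static inline void demo_list_add(struct demo_list_head *n, struct demo_list_head *h)
{
	demo_list_insert(n, h, h->next);
}

/* Insert right before the head, i.e. at the end: insertion order is kept. */
static inline void demo_list_add_tail(struct demo_list_head *n, struct demo_list_head *h)
{
	demo_list_insert(n, h->prev, h);
}

#define demo_container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct demo_expr_ops {
	const char *name;
	struct demo_list_head head;
};

/* Registry of expression ops, filled by constructors before main() runs. */
static struct demo_list_head demo_expr_registry = DEMO_LIST_HEAD_INIT(demo_expr_registry);

static void demo_expr_ops_register(struct demo_expr_ops *ops)
{
	demo_list_add_tail(&ops->head, &demo_expr_registry); /* keep registration order */
}

struct demo_expr_ops *demo_expr_ops_lookup(const char *name)
{
	struct demo_list_head *p;

	for (p = demo_expr_registry.next; p != &demo_expr_registry; p = p->next) {
		struct demo_expr_ops *ops = demo_container_of(p, struct demo_expr_ops, head);
		if (strcmp(ops->name, name) == 0)
			return ops;
	}
	return NULL;
}

size_t demo_expr_ops_count(void)
{
	size_t n = 0;
	struct demo_list_head *p;

	for (p = demo_expr_registry.next; p != &demo_expr_registry; p = p->next)
		n++;
	return n;
}

/* One of these per expression file: the toolchain runs every constructor
 * before main(), so no central array has to be edited when a file is added. */
#define DEMO_EXPR_REGISTER(ops) \
	static void __attribute__((constructor)) ops##_init(void) \
	{ demo_expr_ops_register(&ops); }

static struct demo_expr_ops demo_expr_payload = { .name = "payload" };
static struct demo_expr_ops demo_expr_cmp     = { .name = "cmp" };
static struct demo_expr_ops demo_expr_bitwise = { .name = "bitwise" };
DEMO_EXPR_REGISTER(demo_expr_payload)
DEMO_EXPR_REGISTER(demo_expr_cmp)
DEMO_EXPR_REGISTER(demo_expr_bitwise)

/* Links "a", "b", "c" into a fresh list with add_tail (use_tail != 0) or add
 * (use_tail == 0) and returns the name at position idx, or NULL past the end. */
const char *demo_order_demo(int use_tail, int idx)
{
	static struct demo_expr_ops items[3] = {
		{ .name = "a" }, { .name = "b" }, { .name = "c" }
	};
	struct demo_list_head h = DEMO_LIST_HEAD_INIT(h), *p;
	int i;

	for (i = 0; i < 3; i++) {
		if (use_tail)
			demo_list_add_tail(&items[i].head, &h);
		else
			demo_list_add(&items[i].head, &h);
	}
	for (i = 0, p = h.next; p != &h; p = p->next, i++)
		if (i == idx)
			return demo_container_of(p, struct demo_expr_ops, head)->name;
	return NULL;
}
```

Constructor order across translation units is not guaranteed, so a registry built this way should only be relied on for membership and lookup, not for the relative order of expressions; that is why the lookup here is by name.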
* expr: payload: fix incorrect length and base in default output | Eric Leblond | 2013-07-10 | 1 | -2/+2
    This patch fixes an accidental swapping of the dreg and length payload fields.
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: fix printing of base | Pablo Neira Ayuso | 2013-07-09 | 1 | -2/+16
    In (f95e859 src: improve default text output), it assumes all bases are network, but we may have link and transport as well.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: xml: export len node | Arturo Borrero | 2013-07-08 | 1 | -2/+3
    Fix missing length; it was not being exported in XML.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* set: add xml output | Arturo Borrero | 2013-07-06 | 3 | -3/+106
    This patch adds XML output for sets.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: consolidate parsing of data_reg via nft_mxml_data_reg_parse | Arturo Borrero | 2013-07-06 | 5 | -80/+74
    Move common code for XML parsing of data_reg to the new nft_mxml_data_reg_parse function.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add json output | Álvaro Neira Ayuso | 2013-07-06 | 2 | -4/+103
    This patch allows you to dump sets and their content in JSON format.
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix printing of key and data registers | Pablo Neira Ayuso | 2013-07-06 | 1 | -2/+2
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expr: data_reg: fix printing data register content | Pablo Neira Ayuso | 2013-07-05 | 2 | -6/+6
    Before:
      ip filter output 41
        [ payload load 1b @ network header + 9 => reg 1 ]
        [ cmp eq reg 1 ]
    Now:
      ip filter output 41
        [ payload load 1b @ network header + 9 => reg 1 ]
        [ cmp eq reg 1 0x00000006 ]
                       ^^^^^^^^^^
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve default text output | Giuseppe Longo | 2013-07-05 | 21 | -59/+86
    This patch improves default plain text output by mimicking the default output of libnl-nft. While at it, several %lu have been translated to use %"PRIu64" for correctness.
    [ I have added the policy to string translation --pablo ]
    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: fix compilation without XML parsing enabled | Pablo Neira Ayuso | 2013-07-04 | 2 | -0/+6
    Since (d844fa0 src: consolidate XML parsing of expressions via nft_mxml_expr_parse), the library was not compiling with XML support anymore.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate XML parsing of expressions via nft_mxml_reg_parse | Pablo Neira Ayuso | 2013-07-04 | 11 | -202/+102
    This patch reduces the XML code by 100 LOC.
* src: consolidate XML parsing of expressions via nft_mxml_expr_parse | Pablo Neira Ayuso | 2013-07-04 | 20 | -431/+130
    Move common code for XML parsing of expressions to the new nft_mxml_expr_parse function. This patch reduces the XML parsing code by 300 LOC.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: ct: fix setting of NFT_EXPR_CT_DIR | Arturo Borrero Gonzalez | 2013-07-04 | 1 | -1/+1
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support JSON format in chain, rule and expressions | Álvaro Neira Ayuso | 2013-06-29 | 20 | -42/+401
    While at it, order the possible switch cases of _snprintf.
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: rename type node to exthdr_type | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -3/+5
    This patch renames the <type> node in the exthdr expr to <exthdr_type>.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: rename node type to nat_type | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -4/+4
    This patch renames the node <type> to a more explicit <nat_type>. This will prevent confusing it with the <type> nodes of other exprs in the future.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: snprintf: fix buffer offset | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -3/+3
    This patch fixes the buffer offset necessary to print the nat expr correctly in the default output mode.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
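The nat snprintf offset fix above and the earlier "%lu to %"PRIu64"" change in the default text output share one underlying hazard: snprintf() returns the length the complete text would have had, not the number of bytes stored, so a renderer that chains several snprintf() calls into one buffer with `offset += ret` walks past the end as soon as output is truncated, and the next call receives a wrapped size. The block below is an added example written for this page, not libnftnl code (libnftnl has its own macro for this; the names demo_out and demo_nat here are assumptions). It clamps the offset, keeps reporting the full length so callers can detect truncation, and prints 64-bit and 32-bit fields with the inttypes.h macros instead of guessing at %lu.

```c
#include <stdio.h>
#include <stdarg.h>
#include <stdint.h>
#include <inttypes.h>
#include <string.h>

struct demo_out {
	char  *buf;
	size_t size;    /* total buffer size; may be 0 with buf == NULL */
	size_t off;     /* bytes stored so far, never beyond size - 1 */
	size_t needed;  /* bytes a large enough buffer would have taken */
};

/* Append formatted text.  The naive "off += ret" pattern is the bug; the
 * clamp keeps off inside the buffer after truncation so the next write
 * cannot start past the end or be given a wrapped size. */
static void __attribute__((format(printf, 2, 3)))
demo_out_printf(struct demo_out *o, const char *fmt, ...)
{
	va_list ap;
	size_t room = o->off < o->size ? o->size - o->off : 0;
	int ret;

	va_start(ap, fmt);
	ret = vsnprintf(room ? o->buf + o->off : NULL, room, fmt, ap);
	va_end(ap);
	if (ret < 0)
		return;
	o->needed += (size_t)ret;
	if ((size_t)ret < room)
		o->off += (size_t)ret;
	else if (o->size)
		o->off = o->size - 1;   /* buffer is full; the NUL stays in place */
}

struct demo_nat {
	const char *type;                  /* "snat" or "dnat" */
	uint32_t    sreg_addr_min, sreg_addr_max;
	uint64_t    packets;               /* 64-bit: needs PRIu64, not %lu */
};

/* Render a nat expression through several calls into one buffer.  Returns the
 * length the complete text needs, like snprintf(), so a caller can compare it
 * with the buffer size, detect truncation and retry with a bigger buffer. */
size_t demo_nat_snprintf(char *buf, size_t size, const struct demo_nat *n)
{
	struct demo_out o = { buf, size, 0, 0 };

	if (size)
		buf[0] = '\0';
	demo_out_printf(&o, "[ nat %s ", n->type);
	demo_out_printf(&o, "addr_min reg %" PRIu32 " addr_max reg %" PRIu32 " ",
			n->sreg_addr_min, n->sreg_addr_max);
	demo_out_printf(&o, "packets %" PRIu64 " ]", n->packets);
	return o.needed;
}
```

Passing a 16-byte buffer yields the truncated, still NUL-terminated "[ nat snat addr" while the return value stays at the full 61 bytes; passing NULL with size 0 is the usual way to size the buffer first.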
* meta: xml: use string to represent key attribute | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -5/+49
    Use a string for the <key> node instead of a number.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: use string for type node | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -5/+47
    This patch implements using a string for the <type> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: xml: use string for base attribute | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -9/+46
    This patch implements using a string instead of a number for the <base> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* target&match: xml: don't print rev number | Arturo Borrero Gonzalez | 2013-06-27 | 2 | -36/+2
    The <rev> node is not printed/parsed anymore. It should not be exported; this is negotiated with the kernel.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: xml: display register in big endian | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -3/+5
    Display registers in big endian, so the output will be the same on CPUs of different endianness.
      <data>0xaabbccdd</data>
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: xml: fix len node, it should show byte length | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -7/+6
    Prior to this patch, the <len> node was 'how many <dataN> nodes we have'. However, the <len> node means 'how many bytes are in the <dataN> nodes'.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
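The two data_reg commits above define the wire form of a register dump: <len> carries the byte length, the number of <dataN> words follows from it (ceil(len / 4)), and each word is written in big-endian byte order so a dump is identical whatever the host byte order. The block below is an added example written for this page, not libnftnl code: a serializer and a matching parser for that form, with a round trip that holds on either endianness. The parser checks the length against the register array before storing anything, since a crafted dump with a large <len> is otherwise a straightforward overflow of the register array. The register size (four 32-bit words) and every identifier are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_DATA_WORDS 4                   /* assumption: four 32-bit words */
#define DEMO_DATA_BYTES (DEMO_DATA_WORDS * 4)

struct demo_data_reg {
	uint32_t val[DEMO_DATA_WORDS];
	uint32_t len;                       /* length in bytes, not words */
};

/* Words needed to carry len bytes: ceil(len / 4). */
static unsigned demo_data_words(uint32_t len)
{
	return (len + 3) / 4;
}

/* Read a word's in-memory bytes as a big-endian number.  On a little-endian
 * host this swaps the bytes, on a big-endian host it is the identity, and in
 * both cases applying it twice yields the original word, so the same routine
 * serves for printing and for parsing. */
static uint32_t demo_word_be(uint32_t w)
{
	const unsigned char *b = (const unsigned char *)&w;
	return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	       ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Emit <len>N</len><data0>0x........</data0>...; returns the length written,
 * or -1 when len is out of range or the buffer is too small. */
int demo_data_reg_xml(char *out, size_t size, const struct demo_data_reg *r)
{
	size_t off;
	unsigned i, words;
	int ret;

	if (r->len > DEMO_DATA_BYTES)
		return -1;
	ret = snprintf(out, size, "<len>%u</len>", (unsigned)r->len);
	if (ret < 0 || (size_t)ret >= size)
		return -1;
	off = (size_t)ret;
	words = demo_data_words(r->len);
	for (i = 0; i < words; i++) {
		ret = snprintf(out + off, size - off, "<data%u>0x%08x</data%u>",
			       i, (unsigned)demo_word_be(r->val[i]), i);
		if (ret < 0 || (size_t)ret >= size - off)
			return -1;
		off += (size_t)ret;
	}
	return (int)off;
}

/* Parse the format above into r.  Returns 0 on success and -1 on malformed
 * input, a len that would overflow val[], a word index out of sequence, or
 * trailing data after the last expected word. */
int demo_data_reg_parse(struct demo_data_reg *r, const char *xml)
{
	unsigned i, words, len, idx, w;
	int n = 0;

	memset(r, 0, sizeof(*r));
	if (sscanf(xml, "<len>%u</len>%n", &len, &n) != 1 || n == 0)
		return -1;
	if (len > DEMO_DATA_BYTES)
		return -1;              /* the bounds check that matters */
	xml += n;
	words = demo_data_words(len);
	for (i = 0; i < words; i++) {
		n = 0;
		if (sscanf(xml, "<data%u>0x%8x</data%*u>%n", &idx, &w, &n) != 2 ||
		    n == 0 || idx != i)
			return -1;
		r->val[i] = demo_word_be((uint32_t)w);   /* back to host order */
		xml += n;
	}
	if (*xml != '\0')
		return -1;              /* more words than len allows */
	r->len = len;
	return 0;
}
```

Building the first word from the bytes aa bb cc dd with memcpy() and serializing it gives `<data0>0xaabbccdd</data0>` on any host, which is exactly the property the commit message asks for.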
* chain: xml: use string for policy | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -16/+35
    Now the <policy> node is using "accept" or "drop".
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: fix mandatory elements | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -40/+55
    According to net/netfilter/nft_exthdr.c: nft_exthdr_init(), all of dreg, type, offset and len are mandatory:
        if (tb[NFTA_EXTHDR_DREG] == NULL ||
            tb[NFTA_EXTHDR_TYPE] == NULL ||
            tb[NFTA_EXTHDR_OFFSET] == NULL ||
            tb[NFTA_EXTHDR_LEN] == NULL)
                return -EINVAL;
    So the XML parser must make sure the equivalent nodes exist.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: xml: use key names instead of numbers | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -7/+48
    The ct expr uses a string instead of a number in the <key> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: xml: add extra dir check | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -0/+6
    This patch adds an extra dir check.
    * 0 means original.
    * 1 means a reply.
    Pablo decided not to include nf_conntrack_tuple_common.h and instead defined them internally.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix node names for sreg_addr_{min|max} | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -6/+6
    This patch changes the name of the XML nodes from <sreg_addr_min_v4> to <sreg_addr_min>, and <sreg_addr_max_v4> to <sreg_addr_max>, as they are register numbers, not addresses, so they are protocol independent.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: change nat types string to dnat/snat | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -14/+11
    This patch replaces the string NFT_NAT_{S|D}NAT with {s|d}nat in the <type> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: convert family values to string | Arturo Borrero | 2013-06-27 | 7 | -40/+93
    This patch translates family values to display a string:
    * ip if AF_INET
    * ip6 if AF_INET6
    * bridge if AF_BRIDGE
    * arp if 0
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add hooknum2str | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -9/+27
    This patch translates the Netfilter hook number to a readable string. Useful for printing and parsing in XML and JSON formats.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* byteorder: xml: op as string | Arturo Borrero | 2013-06-27 | 1 | -7/+16
    This patch changes the numerical value of the XML byteorder's <op> node to a string representation.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* expr: xml: registers must be <= NFT_REG_MAX | Arturo Borrero Gonzalez | 2013-06-27 | 9 | -0/+54
    With this patch, all expressions validate that registers are <= NFT_REG_MAX.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: xml: mask and xor use same number of data registers | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -0/+8
    The mask and xor must use the same number of data registers.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
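Several of the XML commits above add the same kind of check at the parser: exthdr must carry dreg, type, offset and len (the kernel's nft_exthdr_init() returns -EINVAL otherwise), ct dir must be 0 (original) or 1 (reply), every register number must be <= NFT_REG_MAX, and a bitwise mask and xor must use the same number of data registers. The point of doing this in the library is to reject a malformed or hostile ruleset file before any of it is turned into netlink messages. The block below is an added example written for this page, not libnftnl code, that collects those rules into one validator over an already-parsed expression; the value 4 for NFT_REG_MAX is an assumption, as are the struct and enum names.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define DEMO_NFT_REG_MAX 4    /* assumption: verdict register plus NFT_REG_1..4 */

enum demo_expr_type { DEMO_EXPR_EXTHDR, DEMO_EXPR_CT, DEMO_EXPR_BITWISE };

/* "present" bits recording which nodes the parser actually saw */
enum {
	DEMO_EXTHDR_DREG   = 1 << 0,
	DEMO_EXTHDR_TYPE   = 1 << 1,
	DEMO_EXTHDR_OFFSET = 1 << 2,
	DEMO_EXTHDR_LEN    = 1 << 3,
};

struct demo_expr {
	enum demo_expr_type type;
	uint32_t present;               /* which attributes were parsed */
	uint32_t dreg, sreg;
	union {
		struct { uint32_t exthdr_type, offset, len; } exthdr;
		struct { uint32_t key, dir; } ct;
		struct { uint32_t len, mask_words, xor_words; } bitwise;
	} u;
};

static bool demo_reg_ok(uint32_t reg)
{
	return reg <= DEMO_NFT_REG_MAX;
}

/* Returns NULL when the expression may be handed to the kernel, otherwise a
 * short reason.  No default label: a new expression type added to the enum
 * without a case here is reported by gcc -Wall. */
const char *demo_expr_validate(const struct demo_expr *e)
{
	switch (e->type) {
	case DEMO_EXPR_EXTHDR: {
		const uint32_t need = DEMO_EXTHDR_DREG | DEMO_EXTHDR_TYPE |
				      DEMO_EXTHDR_OFFSET | DEMO_EXTHDR_LEN;
		if ((e->present & need) != need)
			return "exthdr: dreg, type, offset and len are mandatory";
		if (!demo_reg_ok(e->dreg))
			return "exthdr: dreg > NFT_REG_MAX";
		return NULL;
	}
	case DEMO_EXPR_CT:
		if (!demo_reg_ok(e->dreg))
			return "ct: dreg > NFT_REG_MAX";
		if (e->u.ct.dir != 0 && e->u.ct.dir != 1)
			return "ct: dir must be 0 (original) or 1 (reply)";
		return NULL;
	case DEMO_EXPR_BITWISE:
		if (!demo_reg_ok(e->sreg) || !demo_reg_ok(e->dreg))
			return "bitwise: register > NFT_REG_MAX";
		if (e->u.bitwise.mask_words != e->u.bitwise.xor_words)
			return "bitwise: mask and xor must use the same number of data registers";
		return NULL;
	}
	return "unknown expression type";
}

/* Convenience constructor for an exthdr expression from parsed nodes; the
 * present mask is what tells the validator which nodes were really there. */
struct demo_expr demo_exthdr_expr(uint32_t present, uint32_t dreg,
				  uint32_t type, uint32_t offset, uint32_t len)
{
	struct demo_expr e;

	memset(&e, 0, sizeof(e));
	e.type = DEMO_EXPR_EXTHDR;
	e.present = present;
	e.dreg = dreg;
	e.u.exthdr.exthdr_type = type;
	e.u.exthdr.offset = offset;
	e.u.exthdr.len = len;
	return e;
}
```

The present mask matters because a parsed zero is indistinguishable from a missing node once the value is stored; the kernel distinguishes the two by the attribute pointer being NULL, and the library has to carry that distinction through its own parser.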
* rule: xml: conditional display of compat info | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -29/+30
    The compat XML info is now conditional both when printing and parsing. It is only used by iptables-nftables.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add nft_set_elem_attr_set_str | Pablo Neira Ayuso | 2013-06-21 | 1 | -0/+6
    It was not implemented; it was defined in the header and map files though.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>