| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
nft_str2hooknum() should return -1 if no hooknum was found.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add function for parsing chains in format JSON.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
I have removed the properties node from chain because it's a node without relevant information
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
I have removed the properties node from table because
it provides no relevant information.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add a helper function that parses and returns the jansson
tree, use it in the table parser.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use nft_verdict2str function instead.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the version XML node and the version JSON field
in all our existing objects. The current versioning approach
consists of adding a version field to every object representation
in XML and JSON. While listing my entire rule-set, one can notice
that this approach is too bloated.
Once the library enters stable stage, if we need to obsolete a XML
node and a JSON field, we can follow this procedure:
1) Remove the XML node and the JSON field from the output, so fresh
outputs will not contain the old ones anymore.
2) Do not remove the parsing of the old XML node and the JSON field
inmediately. We have to keep supporting the parsing for a while
to avoid breaking the interpretion of old XML/JSON files. We can
spot a warning to warn about it, so users generate a fresh
output again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sets are now parsed, following this previous snprintf pattern:
<set>
<set_name>string</set_name>
<set_table>table</set_table>
<set_xml_version>int</set_xml_version>
<set_flags>uint32_t</set_flags>
<key_type>uint32_t</key_type>
<key_len>size_t</key_len>
<data_type>uint32_t</data_type>
<data_len>size_t</data_len>
<set_elem>
<set_elem_flags>uint32_t</set_elem_flags>
<set_elem_key>
<data_reg type="value">
<len></len>
<dataN></dataN>
</data_reg>
</set_elem_key>
<set_elem_data>
<data_reg type="xx">
[...]
</data_reg>
</set_elem_data>
</set_elem>
</set>
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes all XML attributes to XML nodes in nft_set.
In order to avoid issues regarding XML nodes with the same name but
different meanings, I've followed this pattern for the new elements:
<set>
<set_table>string</set_table>
<set_name>string</set_name>
[...]
</set>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of returning ERANGE all the time, let functions set
errno accordingly and set EINVAL otherwise.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add function for parsing tables in format JSON
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
<immdata> should be <immediatedata> instead.
This bug was introduced at (1e8e5d4 src: xml: consolidate parsing of
data_reg via nft_mxml_data_reg_parse).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add verdict2str() and str2verdict() helper functions and use in XML.
While at it, I've fixed a small style issue in the data_reg JSON output and
a bug in the data_reg XML parser: The parser walked the top level tree,
instead of single <data_reg> node. Introduced in (51370f0 src: add support
for XML parsing).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
That function already sets errno for us.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Otherwise, the string points to an invalid memory position
somewhere in the XML tree that is released after the parsing.
This problem was there before the conversion to the new helper
function nft_mxml_str_parse.
Reported-by: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Replace existing code to use this function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Replace existing code to use this function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch moves common XML string parsing code to nft_mxml_str_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Put this code on a diet by using the new helper function nft_mxml_num_parse.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch moves common XML parsing code to nft_mxml_num_parse().
To handle this, the nft_strtoi() helper fuction is included.
I've changed some MXML_DESCEND[_FIRST] flags to avoid match a nested node under
some circumstances, ie, matching two nodes with the same name that are descendant.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Merge common checking for attribute set in nft_rule_expr_get.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch removes the default case in nft_*_attr_unset, thus, the
compiler will spot a warning if we add a new attribute in the future
and you forget to handle it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The functions nft_*_attr_is_set() is doing no modification
so it is possible to type it to const.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for position attribute which can be used
to insert a rule at a given position.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch refactors the getter code to simplify it. The default
cases have been removed so gcc will spot a warning if an attribute
is not handled appropriately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Netfilter uses family number 3 for ARP since AF_ARP does not
exists.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
In (74ccff7 chain: json: use string to identify policy), the
json support for chain was unintentionally swapping the table
name and the family.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This redefines the meaning of nft_*_list_add to prepend, before this
patch it was appending, which was semantically wrong.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
* if we don't have hooknum we don't need to print the policy tag
* If we have hooknum, i have used the policy2str function for printing the policy with
"accept" string or "drop" string
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
In (bf39c53 set: add json output), the json support for sets was
incomplete:
* version, family, key_type, key_len, data_type, data_len were not included.
* Now I use nft_data_reg_snprintf for printing the key and data
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Set missing data length via getter, otherwise it returns zero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This functions check if a given nft_*_list is empty or not.
I found this quite useful while working with a full ruleset.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Instead of manual array registration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes an accidental swapping of the dreg and length
payload fields.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
In (f95e859 src: improve default text output), it assumes all bases
are network, but we may have link and transport as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fix missing length, it was not being exported in XML.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
| |
|
|
|
|
|
| |
This patch adds XML output for sets.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Move common code for XML parsing of data_reg to the new
nft_mxml_data_reg_parse function.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch allows you to dump set and their content in json format.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
ip filter output 41
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 ]
Now:
ip filter output 41
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch improves default plain text output by mimicing the
default output of libnl-nft.
While at it, several %lu has been translated to use %"PRIu64"
for correctness.
[ I have added the policy to string translation --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since (d844fa0 src: consolidate XML parsing of expressions via
nft_mxml_expr_parse), the library was not compiling with XML support
anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
This patch reduces the XML code in 100 LOC.
|
| |
|
|
|
|
|
|
|
| |
Move common code for XML parsing of expressions to the new
nft_mxml_expr_parse function.
This patch reduces the XML parsing code in 300 LOC.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
