diff options
Diffstat (limited to 'src/parser_json.c')
-rw-r--r-- | src/parser_json.c | 906 |
1 files changed, 683 insertions, 223 deletions
diff --git a/src/parser_json.c b/src/parser_json.c index ddbf9d9c..bbe3b1c5 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -1,7 +1,14 @@ -#define _GNU_SOURCE +/* + * Copyright (c) Red Hat GmbH. Author: Phil Sutter <phil@nwl.cc> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 (or any + * later) as published by the Free Software Foundation. + */ + +#include <nft.h> + #include <errno.h> -#include <stdint.h> /* needed by gmputil.h */ -#include <string.h> #include <syslog.h> #include <erec.h> @@ -11,6 +18,7 @@ #include <netlink.h> #include <parser.h> #include <rule.h> +#include <sctp_chunk.h> #include <socket.h> #include <netdb.h> @@ -43,7 +51,6 @@ #define CTX_F_CONCAT (1 << 8) /* inside concat_expr */ struct json_ctx { - struct input_descriptor indesc; struct nft_ctx *nft; struct list_head *msgs; struct list_head *cmds; @@ -106,11 +113,12 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root); /* parsing helpers */ const struct location *int_loc = &internal_location; +static struct input_descriptor json_indesc; static void json_lib_error(struct json_ctx *ctx, json_error_t *err) { struct location loc = { - .indesc = &ctx->indesc, + .indesc = &json_indesc, .line_offset = err->position - err->column, .first_line = err->line, .last_line = err->line, @@ -173,8 +181,11 @@ static int json_unpack_stmt(struct json_ctx *ctx, json_t *root, assert(value); if (json_object_size(root) != 1) { + const char *dump = json_dumps(root, 0); + json_error(ctx, "Malformed object (too many properties): '%s'.", - json_dumps(root, 0)); + dump); + free_const(dump); return 1; } @@ -314,15 +325,6 @@ static struct expr *json_parse_constant(struct json_ctx *ctx, const char *name) return NULL; } -static struct expr *wildcard_expr_alloc(void) -{ - struct expr *expr; - - expr = constant_expr_alloc(int_loc, &integer_type, - BYTEORDER_HOST_ENDIAN, 0, NULL); - return prefix_expr_alloc(int_loc, expr, 0); -} - /* this is a combination of symbol_expr, integer_expr, boolean_expr ... */ static struct expr *json_parse_immediate(struct json_ctx *ctx, json_t *root) { @@ -337,7 +339,7 @@ static struct expr *json_parse_immediate(struct json_ctx *ctx, json_t *root) symtype = SYMBOL_SET; str++; } else if (str[0] == '*' && str[1] == '\0') { - return wildcard_expr_alloc(); + return set_elem_catchall_expr_alloc(int_loc); } else if (is_keyword(str)) { return symbol_expr_alloc(int_loc, SYMBOL_VALUE, NULL, str); @@ -435,7 +437,7 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx, return NULL; } - return socket_expr_alloc(int_loc, keyval); + return socket_expr_alloc(int_loc, keyval, 0); } static int json_parse_payload_field(const struct proto_desc *desc, @@ -541,6 +543,27 @@ static const struct proto_desc *proto_lookup_byname(const char *name) &proto_dccp, &proto_sctp, &proto_th, + &proto_vxlan, + &proto_gre, + &proto_gretap, + &proto_geneve, + }; + unsigned int i; + + for (i = 0; i < array_size(proto_tbl); i++) { + if (!strcmp(proto_tbl[i]->name, name)) + return proto_tbl[i]; + } + return NULL; +} + +static const struct proto_desc *inner_proto_lookup_byname(const char *name) +{ + const struct proto_desc *proto_tbl[] = { + &proto_geneve, + &proto_gre, + &proto_gretap, + &proto_vxlan, }; unsigned int i; @@ -554,7 +577,7 @@ static const struct proto_desc *proto_lookup_byname(const char *name) static struct expr *json_parse_payload_expr(struct json_ctx *ctx, const char *type, json_t *root) { - const char *protocol, *field, *base; + const char *tunnel, *protocol, *field, *base; int offset, len, val; struct expr *expr; @@ -566,15 +589,51 @@ static struct expr *json_parse_payload_expr(struct json_ctx *ctx, val = PROTO_BASE_NETWORK_HDR; } else if (!strcmp(base, "th")) { val = PROTO_BASE_TRANSPORT_HDR; + } else if (!strcmp(base, "ih")) { + val = PROTO_BASE_INNER_HDR; } else { json_error(ctx, "Invalid payload base '%s'.", base); return NULL; } + + if (len <= 0 || len > (int)NFT_MAX_EXPR_LEN_BITS) { + json_error(ctx, "Payload length must be between 0 and %lu, got %d", + NFT_MAX_EXPR_LEN_BITS, len); + return NULL; + } + expr = payload_expr_alloc(int_loc, NULL, 0); payload_init_raw(expr, val, offset, len); expr->byteorder = BYTEORDER_BIG_ENDIAN; expr->payload.is_raw = true; return expr; + } else if (!json_unpack(root, "{s:s, s:s, s:s}", + "tunnel", &tunnel, "protocol", &protocol, "field", &field)) { + const struct proto_desc *proto = proto_lookup_byname(protocol); + const struct proto_desc *inner_proto = inner_proto_lookup_byname(tunnel); + + if (!inner_proto) { + json_error(ctx, "Unknown payload tunnel protocol '%s'.", + tunnel); + return NULL; + } + if (!proto) { + json_error(ctx, "Unknown payload protocol '%s'.", + protocol); + return NULL; + } + if (json_parse_payload_field(proto, field, &val)) { + json_error(ctx, "Unknown %s field '%s'.", + protocol, field); + return NULL; + } + expr = payload_expr_alloc(int_loc, proto, val); + expr->payload.inner_desc = inner_proto; + + if (proto == &proto_th) + expr->payload.is_raw = true; + + return expr; } else if (!json_unpack(root, "{s:s, s:s}", "protocol", &protocol, "field", &field)) { const struct proto_desc *proto = proto_lookup_byname(protocol); @@ -608,15 +667,21 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx, struct expr *expr; if (!json_unpack(root, "{s:i, s:i, s:i}", - "base", &kind, "offset", &offset, "len", &len)) { + "base", &kind, "offset", &offset, "len", &len)) { uint32_t flag = 0; - expr = tcpopt_expr_alloc(int_loc, kind, - TCPOPT_COMMON_KIND); - if (kind < 0 || kind > 255) return NULL; + if (len < 0 || len > (int)NFT_MAX_EXPR_LEN_BITS) { + json_error(ctx, "option length must be between 0 and %lu, got %d", + NFT_MAX_EXPR_LEN_BITS, len); + return NULL; + } + + expr = tcpopt_expr_alloc(int_loc, kind, + TCPOPT_COMMON_KIND); + if (offset == TCPOPT_COMMON_KIND && len == 8) flag = NFT_EXTHDR_F_PRESENT; @@ -679,7 +744,7 @@ static int json_parse_ip_option_field(int type, const char *name, int *val) } static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx, - const char *type, json_t *root) + const char *type, json_t *root) { const char *desc, *field; int descval, fieldval; @@ -695,7 +760,7 @@ static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx, if (json_unpack(root, "{s:s}", "field", &field)) { expr = ipopt_expr_alloc(int_loc, descval, - IPOPT_FIELD_TYPE, 0); + IPOPT_FIELD_TYPE); expr->exthdr.flags = NFT_EXTHDR_F_PRESENT; return expr; @@ -704,7 +769,70 @@ static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx, json_error(ctx, "Unknown ip option field '%s'.", field); return NULL; } - return ipopt_expr_alloc(int_loc, descval, fieldval, 0); + return ipopt_expr_alloc(int_loc, descval, fieldval); +} + +static int json_parse_sctp_chunk_field(const struct exthdr_desc *desc, + const char *name, int *val) +{ + unsigned int i; + + for (i = 0; i < array_size(desc->templates); i++) { + if (desc->templates[i].token && + !strcmp(desc->templates[i].token, name)) { + if (val) + *val = i; + return 0; + } + } + return 1; +} + +static struct expr *json_parse_sctp_chunk_expr(struct json_ctx *ctx, + const char *type, json_t *root) +{ + const struct exthdr_desc *desc; + const char *name, *field; + struct expr *expr; + int fieldval; + + if (json_unpack_err(ctx, root, "{s:s}", "name", &name)) + return NULL; + + desc = sctp_chunk_protocol_find(name); + if (!desc) { + json_error(ctx, "Unknown sctp chunk name '%s'.", name); + return NULL; + } + + if (json_unpack(root, "{s:s}", "field", &field)) { + expr = sctp_chunk_expr_alloc(int_loc, desc->type, + SCTP_CHUNK_COMMON_TYPE); + expr->exthdr.flags = NFT_EXTHDR_F_PRESENT; + + return expr; + } + if (json_parse_sctp_chunk_field(desc, field, &fieldval)) { + json_error(ctx, "Unknown sctp chunk field '%s'.", field); + return NULL; + } + return sctp_chunk_expr_alloc(int_loc, desc->type, fieldval); +} + +static struct expr *json_parse_dccp_option_expr(struct json_ctx *ctx, + const char *type, json_t *root) +{ + int opt_type; + + if (json_unpack_err(ctx, root, "{s:i}", "type", &opt_type)) + return NULL; + + if (opt_type < DCCPOPT_TYPE_MIN || opt_type > DCCPOPT_TYPE_MAX) { + json_error(ctx, "Unknown dccp option type '%d'.", opt_type); + return NULL; + } + + return dccpopt_expr_alloc(int_loc, opt_type); } static const struct exthdr_desc *exthdr_lookup_byname(const char *name) @@ -1035,13 +1163,13 @@ static struct expr *json_parse_fib_expr(struct json_ctx *ctx, } if ((flagval & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == - (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) { + (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) { json_error(ctx, "fib: saddr and daddr are mutually exclusive"); return NULL; } if ((flagval & (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) == - (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) { + (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) { json_error(ctx, "fib: iif and oif are mutually exclusive"); return NULL; } @@ -1079,6 +1207,18 @@ static struct expr *json_parse_binop_expr(struct json_ctx *ctx, return NULL; } + if (json_array_size(root) > 2) { + left = json_parse_primary_expr(ctx, json_array_get(root, 0)); + right = json_parse_primary_expr(ctx, json_array_get(root, 1)); + left = binop_expr_alloc(int_loc, thisop, left, right); + for (i = 2; i < json_array_size(root); i++) { + jright = json_array_get(root, i); + right = json_parse_primary_expr(ctx, jright); + left = binop_expr_alloc(int_loc, thisop, left, right); + } + return left; + } + if (json_unpack_err(ctx, root, "[o, o!]", &jleft, &jright)) return NULL; @@ -1087,7 +1227,7 @@ static struct expr *json_parse_binop_expr(struct json_ctx *ctx, json_error(ctx, "Failed to parse LHS of binop expression."); return NULL; } - right = json_parse_primary_expr(ctx, jright); + right = json_parse_rhs_expr(ctx, jright); if (!right) { json_error(ctx, "Failed to parse RHS of binop expression."); expr_free(left); @@ -1168,6 +1308,7 @@ static struct expr *json_parse_range_expr(struct json_ctx *ctx, expr_high = json_parse_primary_expr(ctx, high); if (!expr_high) { json_error(ctx, "Invalid high value in range expression."); + expr_free(expr_low); return NULL; } return range_expr_alloc(int_loc, expr_low, expr_high); @@ -1412,6 +1553,8 @@ static struct expr *json_parse_expr(struct json_ctx *ctx, json_t *root) { "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, { "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT }, { "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT }, + { "sctp chunk", json_parse_sctp_chunk_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT }, + { "dccp option", json_parse_dccp_option_expr, CTX_F_PRIMARY }, { "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, { "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT }, { "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT }, @@ -1610,13 +1753,18 @@ static struct stmt *json_parse_match_stmt(struct json_ctx *ctx, !strcmp(opstr, expr_op_symbols[op])) break; } - if (op == __OP_MAX) { + switch (op) { + case OP_EQ ... OP_NEG: + break; + case __OP_MAX: if (!strcmp(opstr, "in")) { op = OP_IMPLICIT; - } else { - json_error(ctx, "Unknown relational op '%s'.", opstr); - return NULL; + break; } + /* fall through */ + default: + json_error(ctx, "Invalid relational op '%s'.", opstr); + return NULL; } left = json_parse_expr(ctx, jleft); @@ -1636,7 +1784,7 @@ static struct stmt *json_parse_match_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_counter_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { uint64_t packets, bytes; struct stmt *stmt; @@ -1645,8 +1793,8 @@ static struct stmt *json_parse_counter_stmt(struct json_ctx *ctx, return counter_stmt_alloc(int_loc); if (!json_unpack(value, "{s:I, s:I}", - "packets", &packets, - "bytes", &bytes)) { + "packets", &packets, + "bytes", &bytes)) { stmt = counter_stmt_alloc(int_loc); stmt->counter.packets = packets; stmt->counter.bytes = bytes; @@ -1664,6 +1812,27 @@ static struct stmt *json_parse_counter_stmt(struct json_ctx *ctx, return stmt; } +static struct stmt *json_parse_last_stmt(struct json_ctx *ctx, + const char *key, json_t *value) +{ + struct stmt *stmt; + int64_t used; + + if (json_is_null(value)) + return last_stmt_alloc(int_loc); + + if (!json_unpack(value, "{s:I}", "used", &used)) { + stmt = last_stmt_alloc(int_loc); + if (used != -1) { + stmt->last.used = used; + stmt->last.set = 1; + } + return stmt; + } + + return NULL; +} + static struct stmt *json_parse_verdict_stmt(struct json_ctx *ctx, const char *key, json_t *value) { @@ -1677,14 +1846,14 @@ static struct stmt *json_parse_verdict_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_mangle_stmt(struct json_ctx *ctx, - const char *type, json_t *root) + const char *type, json_t *root) { json_t *jkey, *jvalue; struct expr *key, *value; struct stmt *stmt; if (json_unpack_err(ctx, root, "{s:o, s:o}", - "key", &jkey, "value", &jvalue)) + "key", &jkey, "value", &jvalue)) return NULL; key = json_parse_mangle_lhs_expr(ctx, jkey); @@ -1721,6 +1890,8 @@ static struct stmt *json_parse_mangle_stmt(struct json_ctx *ctx, return stmt; default: json_error(ctx, "Invalid mangle statement key expression type."); + expr_free(key); + expr_free(value); return NULL; } } @@ -1737,7 +1908,7 @@ static uint64_t rate_to_bytes(uint64_t val, const char *unit) } static struct stmt *json_parse_quota_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt; int inv = 0; @@ -1784,7 +1955,7 @@ static struct stmt *json_parse_limit_stmt(struct json_ctx *ctx, const char *key, json_t *value) { struct stmt *stmt; - uint64_t rate, burst = 5; + uint64_t rate, burst = 0; const char *rate_unit = "packets", *time, *burst_unit = "bytes"; int inv = 0; @@ -1798,6 +1969,9 @@ static struct stmt *json_parse_limit_stmt(struct json_ctx *ctx, stmt = limit_stmt_alloc(int_loc); if (!strcmp(rate_unit, "packets")) { + if (burst == 0) + burst = 5; + stmt->limit.type = NFT_LIMIT_PKTS; stmt->limit.rate = rate; stmt->limit.burst = burst; @@ -1861,8 +2035,30 @@ out_err: return NULL; } +static struct stmt *json_parse_flow_offload_stmt(struct json_ctx *ctx, + const char *key, json_t *value) +{ + const char *opstr, *flowtable; + + if (json_unpack_err(ctx, value, "{s:s, s:s}", + "op", &opstr, "flowtable", &flowtable)) + return NULL; + + if (strcmp(opstr, "add")) { + json_error(ctx, "Unknown flow offload statement op '%s'.", opstr); + return NULL; + } + + if (flowtable[0] != '@') { + json_error(ctx, "Illegal flowtable reference in flow offload statement."); + return NULL; + } + + return flow_offload_stmt_alloc(int_loc, xstrdup(flowtable + 1)); +} + static struct stmt *json_parse_notrack_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { return notrack_stmt_alloc(int_loc); } @@ -1899,6 +2095,23 @@ static struct stmt *json_parse_dup_stmt(struct json_ctx *ctx, return stmt; } +static struct stmt *json_parse_secmark_stmt(struct json_ctx *ctx, + const char *key, json_t *value) +{ + struct stmt *stmt; + + stmt = objref_stmt_alloc(int_loc); + stmt->objref.type = NFT_OBJECT_SECMARK; + stmt->objref.expr = json_parse_stmt_expr(ctx, value); + if (!stmt->objref.expr) { + json_error(ctx, "Invalid secmark reference."); + stmt_free(stmt); + return NULL; + } + + return stmt; +} + static int json_parse_nat_flag(struct json_ctx *ctx, json_t *root, int *flags) { @@ -1955,7 +2168,7 @@ static int json_parse_nat_flags(struct json_ctx *ctx, json_t *root) } static int json_parse_nat_type_flag(struct json_ctx *ctx, - json_t *root, int *flags) + json_t *root, int *flags) { const struct { const char *flag; @@ -2070,7 +2283,6 @@ static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx, } stmt->nat.flags = flags; } - if (!json_unpack(value, "{s:o}", "type_flags", &tmp)) { int flags = json_parse_nat_type_flags(ctx, tmp); @@ -2085,7 +2297,7 @@ static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_tproxy_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { json_t *jaddr, *tmp; struct stmt *stmt; @@ -2121,7 +2333,7 @@ out_free: } static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt = reject_stmt_alloc(int_loc); const struct datatype *dtype = NULL; @@ -2137,17 +2349,17 @@ static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx, stmt->reject.icmp_code = 0; } else if (!strcmp(type, "icmpx")) { stmt->reject.type = NFT_REJECT_ICMPX_UNREACH; - dtype = &icmpx_code_type; + dtype = &reject_icmpx_code_type; stmt->reject.icmp_code = 0; } else if (!strcmp(type, "icmp")) { stmt->reject.type = NFT_REJECT_ICMP_UNREACH; stmt->reject.family = NFPROTO_IPV4; - dtype = &icmp_code_type; + dtype = &reject_icmp_code_type; stmt->reject.icmp_code = 0; } else if (!strcmp(type, "icmpv6")) { stmt->reject.type = NFT_REJECT_ICMP_UNREACH; stmt->reject.family = NFPROTO_IPV6; - dtype = &icmpv6_code_type; + dtype = &reject_icmpv6_code_type; stmt->reject.icmp_code = 0; } } @@ -2163,13 +2375,41 @@ static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx, return stmt; } +static void json_parse_set_stmt_list(struct json_ctx *ctx, + struct list_head *stmt_list, + json_t *stmt_json) +{ + struct list_head *head; + struct stmt *stmt; + json_t *value; + size_t index; + + if (!stmt_json) + return; + + if (!json_is_array(stmt_json)) + json_error(ctx, "Unexpected object type in stmt"); + + head = stmt_list; + json_array_foreach(stmt_json, index, value) { + stmt = json_parse_stmt(ctx, value); + if (!stmt) { + json_error(ctx, "Parsing set statements array at index %zd failed.", index); + stmt_list_free(stmt_list); + return; + } + list_add(&stmt->list, head); + head = &stmt->list; + } +} + static struct stmt *json_parse_set_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { const char *opstr, *set; struct expr *expr, *expr2; + json_t *elem, *stmt_json; struct stmt *stmt; - json_t *elem; int op; if (json_unpack_err(ctx, value, "{s:s, s:o, s:s}", @@ -2204,6 +2444,67 @@ static struct stmt *json_parse_set_stmt(struct json_ctx *ctx, stmt->set.op = op; stmt->set.key = expr; stmt->set.set = expr2; + + if (!json_unpack(value, "{s:o}", "stmt", &stmt_json)) + json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json); + + return stmt; +} + +static struct stmt *json_parse_map_stmt(struct json_ctx *ctx, + const char *key, json_t *value) +{ + struct expr *expr, *expr2, *expr_data; + json_t *elem, *data, *stmt_json; + const char *opstr, *set; + struct stmt *stmt; + int op; + + if (json_unpack_err(ctx, value, "{s:s, s:o, s:o, s:s}", + "op", &opstr, "elem", &elem, "data", &data, "map", &set)) + return NULL; + + if (!strcmp(opstr, "add")) { + op = NFT_DYNSET_OP_ADD; + } else if (!strcmp(opstr, "update")) { + op = NFT_DYNSET_OP_UPDATE; + } else if (!strcmp(opstr, "delete")) { + op = NFT_DYNSET_OP_DELETE; + } else { + json_error(ctx, "Unknown map statement op '%s'.", opstr); + return NULL; + } + + expr = json_parse_set_elem_expr_stmt(ctx, elem); + if (!expr) { + json_error(ctx, "Illegal map statement element."); + return NULL; + } + + expr_data = json_parse_set_elem_expr_stmt(ctx, data); + if (!expr_data) { + json_error(ctx, "Illegal map expression data."); + expr_free(expr); + return NULL; + } + + if (set[0] != '@') { + json_error(ctx, "Illegal map reference in map statement."); + expr_free(expr); + expr_free(expr_data); + return NULL; + } + expr2 = symbol_expr_alloc(int_loc, SYMBOL_SET, NULL, set + 1); + + stmt = map_stmt_alloc(int_loc); + stmt->map.op = op; + stmt->map.key = expr; + stmt->map.data = expr_data; + stmt->map.set = expr2; + + if (!json_unpack(value, "{s:o}", "stmt", &stmt_json)) + json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json); + return stmt; } @@ -2275,9 +2576,7 @@ static struct stmt *json_parse_log_stmt(struct json_ctx *ctx, stmt = log_stmt_alloc(int_loc); if (!json_unpack(value, "{s:s}", "prefix", &tmpstr)) { - stmt->log.prefix = constant_expr_alloc(int_loc, &string_type, - BYTEORDER_HOST_ENDIAN, - (strlen(tmpstr) + 1) * BITS_PER_BYTE, tmpstr); + stmt->log.prefix = xstrdup(tmpstr); stmt->log.flags |= STMT_LOG_PREFIX; } if (!json_unpack(value, "{s:i}", "group", &tmp)) { @@ -2443,7 +2742,7 @@ static struct stmt *json_parse_cthelper_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_cttimeout_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt = objref_stmt_alloc(int_loc); @@ -2478,7 +2777,7 @@ static struct stmt *json_parse_meter_stmt(struct json_ctx *ctx, json_t *jkey, *jstmt; struct stmt *stmt; const char *name; - uint32_t size = 0xffff; + uint32_t size = 0; if (json_unpack_err(ctx, value, "{s:s, s:o, s:o}", "name", &name, "key", &jkey, "stmt", &jstmt)) @@ -2519,14 +2818,14 @@ static int queue_flag_parse(const char *name, uint16_t *flags) static struct stmt *json_parse_queue_stmt(struct json_ctx *ctx, const char *key, json_t *value) { - struct stmt *stmt = queue_stmt_alloc(int_loc); + struct expr *qexpr = NULL; + uint16_t flags = 0; json_t *tmp; if (!json_unpack(value, "{s:o}", "num", &tmp)) { - stmt->queue.queue = json_parse_stmt_expr(ctx, tmp); - if (!stmt->queue.queue) { + qexpr = json_parse_stmt_expr(ctx, tmp); + if (!qexpr) { json_error(ctx, "Invalid queue num."); - stmt_free(stmt); return NULL; } } @@ -2538,15 +2837,15 @@ static struct stmt *json_parse_queue_stmt(struct json_ctx *ctx, if (json_is_string(tmp)) { flag = json_string_value(tmp); - if (queue_flag_parse(flag, &stmt->queue.flags)) { + if (queue_flag_parse(flag, &flags)) { json_error(ctx, "Invalid queue flag '%s'.", flag); - stmt_free(stmt); + expr_free(qexpr); return NULL; } } else if (!json_is_array(tmp)) { json_error(ctx, "Unexpected object type in queue flags."); - stmt_free(stmt); + expr_free(qexpr); return NULL; } @@ -2554,20 +2853,20 @@ static struct stmt *json_parse_queue_stmt(struct json_ctx *ctx, if (!json_is_string(val)) { json_error(ctx, "Invalid object in queue flag array at index %zu.", index); - stmt_free(stmt); + expr_free(qexpr); return NULL; } flag = json_string_value(val); - if (queue_flag_parse(flag, &stmt->queue.flags)) { + if (queue_flag_parse(flag, &flags)) { json_error(ctx, "Invalid queue flag '%s'.", flag); - stmt_free(stmt); + expr_free(qexpr); return NULL; } } } - return stmt; + return queue_stmt_alloc(int_loc, qexpr, flags); } static struct stmt *json_parse_connlimit_stmt(struct json_ctx *ctx, @@ -2588,6 +2887,22 @@ static struct stmt *json_parse_connlimit_stmt(struct json_ctx *ctx, return stmt; } +static struct stmt *json_parse_optstrip_stmt(struct json_ctx *ctx, + const char *key, json_t *value) +{ + struct expr *expr = json_parse_expr(ctx, value); + + if (!expr || + expr->etype != EXPR_EXTHDR || + expr->exthdr.op != NFT_EXTHDR_OP_TCPOPT) { + json_error(ctx, "Illegal TCP optstrip argument"); + expr_free(expr); + return NULL; + } + + return optstrip_stmt_alloc(int_loc, expr); +} + static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) { struct { @@ -2604,7 +2919,9 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) { "counter", json_parse_counter_stmt }, { "mangle", json_parse_mangle_stmt }, { "quota", json_parse_quota_stmt }, + { "last", json_parse_last_stmt }, { "limit", json_parse_limit_stmt }, + { "flow", json_parse_flow_offload_stmt }, { "fwd", json_parse_fwd_stmt }, { "notrack", json_parse_notrack_stmt }, { "dup", json_parse_dup_stmt }, @@ -2614,6 +2931,7 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) { "redirect", json_parse_nat_stmt }, { "reject", json_parse_reject_stmt }, { "set", json_parse_set_stmt }, + { "map", json_parse_map_stmt }, { "log", json_parse_log_stmt }, { "ct helper", json_parse_cthelper_stmt }, { "ct timeout", json_parse_cttimeout_stmt }, @@ -2623,6 +2941,8 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) { "ct count", json_parse_connlimit_stmt }, { "tproxy", json_parse_tproxy_stmt }, { "synproxy", json_parse_synproxy_stmt }, + { "reset", json_parse_optstrip_stmt }, + { "secmark", json_parse_secmark_stmt }, }; const char *type; unsigned int i; @@ -2642,6 +2962,11 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) return verdict_stmt_alloc(int_loc, expr); } + if (!strcmp(type, "xt")) { + json_error(ctx, "unsupported xtables compat expression, use iptables-nft with this ruleset"); + return NULL; + } + for (i = 0; i < array_size(stmt_parser_tbl); i++) { if (!strcmp(type, stmt_parser_tbl[i].key)) return stmt_parser_tbl[i].cb(ctx, stmt_parser_tbl[i].key, tmp); @@ -2651,20 +2976,67 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) return NULL; } +static int json_parse_table_flags(struct json_ctx *ctx, json_t *root, + enum table_flags *flags) +{ + json_t *tmp, *tmp2; + size_t index; + int flag; + + if (json_unpack(root, "{s:o}", "flags", &tmp)) + return 0; + + if (json_is_string(tmp)) { + flag = parse_table_flag(json_string_value(tmp)); + if (flag) { + *flags = flag; + return 0; + } + json_error(ctx, "Invalid table flag '%s'.", + json_string_value(tmp)); + return 1; + } + if (!json_is_array(tmp)) { + json_error(ctx, "Unexpected table flags value."); + return 1; + } + json_array_foreach(tmp, index, tmp2) { + if (json_is_string(tmp2)) { + flag = parse_table_flag(json_string_value(tmp2)); + + if (flag) { + *flags |= flag; + continue; + } + } + json_error(ctx, "Invalid table flag at index %zu.", index); + return 1; + } + return 0; +} + static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root, enum cmd_ops op, enum cmd_obj obj) { + const char *family = "", *comment = NULL; struct handle h = { .table.location = *int_loc, }; - const char *family = ""; + struct table *table = NULL; + enum table_flags flags = 0; if (json_unpack_err(ctx, root, "{s:s}", "family", &family)) return NULL; - if (op != CMD_DELETE && - json_unpack_err(ctx, root, "{s:s}", "name", &h.table.name)) { - return NULL; + + if (op != CMD_DELETE) { + if (json_unpack_err(ctx, root, "{s:s}", "name", &h.table.name)) + return NULL; + + json_unpack(root, "{s:s}", "comment", &comment); + if (json_parse_table_flags(ctx, root, &flags)) + return NULL; + } else if (op == CMD_DELETE && json_unpack(root, "{s:s}", "name", &h.table.name) && json_unpack(root, "{s:I}", "handle", &h.handle.id)) { @@ -2678,10 +3050,18 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root, if (h.table.name) h.table.name = xstrdup(h.table.name); + if (comment || flags) { + table = table_alloc(); + handle_merge(&table->handle, &h); + if (comment) + table->comment = xstrdup(comment); + table->flags = flags; + } + if (op == CMD_ADD) json_object_del(root, "handle"); - return cmd_alloc(op, obj, &h, int_loc, NULL); + return cmd_alloc(op, obj, &h, int_loc, table); } static struct expr *parse_policy(const char *policy) @@ -2700,24 +3080,60 @@ static struct expr *parse_policy(const char *policy) sizeof(int) * BITS_PER_BYTE, &policy_num); } +static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root) +{ + struct expr *tmp, *expr = compound_expr_alloc(int_loc, EXPR_LIST); + const char *dev; + json_t *value; + size_t index; + + if (!json_unpack(root, "s", &dev)) { + tmp = constant_expr_alloc(int_loc, &string_type, + BYTEORDER_HOST_ENDIAN, + strlen(dev) * BITS_PER_BYTE, dev); + compound_expr_add(expr, tmp); + return expr; + } + if (!json_is_array(root)) { + expr_free(expr); + return NULL; + } + + json_array_foreach(root, index, value) { + if (json_unpack(value, "s", &dev)) { + json_error(ctx, "Invalid device at index %zu.", + index); + expr_free(expr); + return NULL; + } + tmp = constant_expr_alloc(int_loc, &string_type, + BYTEORDER_HOST_ENDIAN, + strlen(dev) * BITS_PER_BYTE, dev); + compound_expr_add(expr, tmp); + } + return expr; +} + static struct cmd *json_parse_cmd_add_chain(struct json_ctx *ctx, json_t *root, enum cmd_ops op, enum cmd_obj obj) { struct handle h = { .table.location = *int_loc, }; - const char *family = "", *policy = "", *type, *hookstr; - const char name[IFNAMSIZ]; - struct chain *chain; + const char *family = "", *policy = "", *type, *hookstr, *comment = NULL; + struct chain *chain = NULL; + json_t *devs = NULL; int prio; if (json_unpack_err(ctx, root, "{s:s, s:s}", "family", &family, "table", &h.table.name)) return NULL; - if (op != CMD_DELETE && - json_unpack_err(ctx, root, "{s:s}", "name", &h.chain.name)) { - return NULL; + if (op != CMD_DELETE) { + if (json_unpack_err(ctx, root, "{s:s}", "name", &h.chain.name)) + return NULL; + + json_unpack(root, "{s:s}", "comment", &comment); } else if (op == CMD_DELETE && json_unpack(root, "{s:s}", "name", &h.chain.name) && json_unpack(root, "{s:I}", "handle", &h.handle.id)) { @@ -2732,16 +3148,24 @@ static struct cmd *json_parse_cmd_add_chain(struct json_ctx *ctx, json_t *root, if (h.chain.name) h.chain.name = xstrdup(h.chain.name); + if (comment) { + chain = chain_alloc(); + handle_merge(&chain->handle, &h); + chain->comment = xstrdup(comment); + } + if (op == CMD_DELETE || op == CMD_LIST || op == CMD_FLUSH || json_unpack(root, "{s:s, s:s, s:i}", "type", &type, "hook", &hookstr, "prio", &prio)) - return cmd_alloc(op, obj, &h, int_loc, NULL); + return cmd_alloc(op, obj, &h, int_loc, chain); + + if (!chain) + chain = chain_alloc(); - chain = chain_alloc(NULL); chain->flags |= CHAIN_F_BASECHAIN; - chain->type = xstrdup(type); + chain->type.str = xstrdup(type); chain->priority.expr = constant_expr_alloc(int_loc, &integer_type, BYTEORDER_HOST_ENDIAN, sizeof(int) * BITS_PER_BYTE, @@ -2749,28 +3173,24 @@ static struct cmd *json_parse_cmd_add_chain(struct json_ctx *ctx, json_t *root, chain->hook.name = chain_hookname_lookup(hookstr); if (!chain->hook.name) { json_error(ctx, "Invalid chain hook '%s'.", hookstr); - chain_free(chain); - return NULL; + goto err_free_chain; } - if (!json_unpack(root, "{s:s}", "dev", &name)) { - struct expr *dev_expr, *expr; + json_unpack(root, "{s:o}", "dev", &devs); - dev_expr = compound_expr_alloc(int_loc, EXPR_LIST); - expr = constant_expr_alloc(int_loc, &integer_type, - BYTEORDER_HOST_ENDIAN, - strlen(name) * BITS_PER_BYTE, - name); - compound_expr_add(dev_expr, expr); - chain->dev_expr = dev_expr; + if (devs) { + chain->dev_expr = json_parse_devs(ctx, devs); + if (!chain->dev_expr) { + json_error(ctx, "Invalid chain dev."); + goto err_free_chain; + } } if (!json_unpack(root, "{s:s}", "policy", &policy)) { chain->policy = parse_policy(policy); if (!chain->policy) { json_error(ctx, "Unknown policy '%s'.", policy); - chain_free(chain); - return NULL; + goto err_free_chain; } } @@ -2779,6 +3199,11 @@ static struct cmd *json_parse_cmd_add_chain(struct json_ctx *ctx, json_t *root, handle_merge(&chain->handle, &h); return cmd_alloc(op, obj, &h, int_loc, chain); + +err_free_chain: + chain_free(chain); + handle_free(&h); + return NULL; } static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root, @@ -2802,7 +3227,7 @@ static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root, if (op != CMD_DELETE && json_unpack_err(ctx, root, "{s:o}", "expr", &tmp)) return NULL; - else if (op == CMD_DELETE && + else if ((op == CMD_DELETE || op == CMD_DESTROY) && json_unpack_err(ctx, root, "{s:I}", "handle", &h.handle.id)) return NULL; @@ -2813,11 +3238,12 @@ static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root, h.table.name = xstrdup(h.table.name); h.chain.name = xstrdup(h.chain.name); - if (op == CMD_DELETE) + if (op == CMD_DELETE || op == CMD_DESTROY) return cmd_alloc(op, obj, &h, int_loc, NULL); if (!json_is_array(tmp)) { json_error(ctx, "Value of property \"expr\" must be an array."); + handle_free(&h); return NULL; } @@ -2837,16 +3263,14 @@ static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root, if (!json_is_object(value)) { json_error(ctx, "Unexpected expr array element of type %s, expected object.", json_typename(value)); - rule_free(rule); - return NULL; + goto err_free_rule; } stmt = json_parse_stmt(ctx, value); if (!stmt) { json_error(ctx, "Parsing expr array at index %zd failed.", index); - rule_free(rule); - return NULL; + goto err_free_rule; } rule_stmt_append(rule, stmt); @@ -2856,19 +3280,28 @@ static struct cmd *json_parse_cmd_add_rule(struct json_ctx *ctx, json_t *root, json_object_del(root, "handle"); return cmd_alloc(op, obj, &h, int_loc, rule); + +err_free_rule: + rule_free(rule); + handle_free(&h); + return NULL; } static int string_to_nft_object(const char *str) { const char *obj_tbl[__NFT_OBJECT_MAX] = { - [NFT_OBJECT_COUNTER] = "counter", - [NFT_OBJECT_QUOTA] = "quota", - [NFT_OBJECT_LIMIT] = "limit", - [NFT_OBJECT_SECMARK] = "secmark", + [NFT_OBJECT_COUNTER] = "counter", + [NFT_OBJECT_QUOTA] = "quota", + [NFT_OBJECT_CT_HELPER] = "ct helper", + [NFT_OBJECT_LIMIT] = "limit", + [NFT_OBJECT_CT_TIMEOUT] = "ct timeout", + [NFT_OBJECT_SECMARK] = "secmark", + [NFT_OBJECT_CT_EXPECT] = "ct expectation", + [NFT_OBJECT_SYNPROXY] = "synproxy", }; unsigned int i; - for (i = 0; i < NFT_OBJECT_MAX; i++) { + for (i = 0; i <= NFT_OBJECT_MAX; i++) { if (obj_tbl[i] && !strcmp(str, obj_tbl[i])) return i; } @@ -2884,6 +3317,7 @@ static int string_to_set_flag(const char *str) { NFT_SET_CONSTANT, "constant" }, { NFT_SET_INTERVAL, "interval" }, { NFT_SET_TIMEOUT, "timeout" }, + { NFT_SET_EVAL, "dynamic" }, }; unsigned int i; @@ -2898,9 +3332,9 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, enum cmd_ops op, enum cmd_obj obj) { struct handle h = { 0 }; - const char *family = "", *policy, *dtype_ext = NULL; + const char *family = "", *policy; + json_t *tmp, *stmt_json; struct set *set; - json_t *tmp; if (json_unpack_err(ctx, root, "{s:s, s:s}", "family", &family, @@ -2909,7 +3343,7 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, if (op != CMD_DELETE && json_unpack_err(ctx, root, "{s:s}", "name", &h.set.name)) { return NULL; - } else if (op == CMD_DELETE && + } else if ((op == CMD_DELETE || op == CMD_DESTROY) && json_unpack(root, "{s:s}", "name", &h.set.name) && json_unpack(root, "{s:I}", "handle", &h.handle.id)) { json_error(ctx, "Either name or handle required to delete a set."); @@ -2926,14 +3360,16 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, switch (op) { case CMD_DELETE: + case CMD_DESTROY: case CMD_LIST: case CMD_FLUSH: + case CMD_RESET: return cmd_alloc(op, obj, &h, int_loc, NULL); default: break; } - set = set_alloc(NULL); + set = set_alloc(&internal_location); if (json_unpack(root, "{s:o}", "type", &tmp)) { json_error(ctx, "Invalid set type."); @@ -2949,19 +3385,21 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, return NULL; } - if (!json_unpack(root, "{s:s}", "map", &dtype_ext)) { - const struct datatype *dtype; + if (!json_unpack(root, "{s:o}", "map", &tmp)) { + if (json_is_string(tmp)) { + const char *s = json_string_value(tmp); - set->objtype = string_to_nft_object(dtype_ext); + set->objtype = string_to_nft_object(s); + } if (set->objtype) { set->flags |= NFT_SET_OBJECT; - } else if ((dtype = datatype_lookup_byname(dtype_ext))) { - set->data = constant_expr_alloc(&netlink_location, - dtype, dtype->byteorder, - dtype->size, NULL); + } else if ((set->data = json_parse_dtype_expr(ctx, tmp))) { set->flags |= NFT_SET_MAP; } else { - json_error(ctx, "Invalid map type '%s'.", dtype_ext); + const char *dump = json_dumps(tmp, 0); + + json_error(ctx, "Invalid map type '%s'.", dump); + free_const(dump); set_free(set); handle_free(&h); return NULL; @@ -3010,6 +3448,10 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, if (!json_unpack(root, "{s:i}", "gc-interval", &set->gc_int)) set->gc_int *= 1000; json_unpack(root, "{s:i}", "size", &set->desc.size); + json_unpack(root, "{s:b}", "auto-merge", &set->automerge); + + if (!json_unpack(root, "{s:o}", "stmt", &stmt_json)) + json_parse_set_stmt_list(ctx, &set->stmt_list, stmt_json); handle_merge(&set->handle, &h); @@ -3051,37 +3493,6 @@ static struct cmd *json_parse_cmd_add_element(struct json_ctx *ctx, return cmd_alloc(op, cmd_obj, &h, int_loc, expr); } -static struct expr *json_parse_flowtable_devs(struct json_ctx *ctx, - json_t *root) -{ - struct expr *tmp, *expr = compound_expr_alloc(int_loc, EXPR_LIST); - const char *dev; - json_t *value; - size_t index; - - if (!json_unpack(root, "s", &dev)) { - tmp = symbol_expr_alloc(int_loc, SYMBOL_VALUE, NULL, dev); - compound_expr_add(expr, tmp); - return expr; - } - if (!json_is_array(root)) { - expr_free(expr); - return NULL; - } - - json_array_foreach(root, index, value) { - if (json_unpack(value, "s", &dev)) { - json_error(ctx, "Invalid flowtable dev at index %zu.", - index); - expr_free(expr); - return NULL; - } - tmp = symbol_expr_alloc(int_loc, SYMBOL_VALUE, NULL, dev); - compound_expr_add(expr, tmp); - } - return expr; -} - static struct cmd *json_parse_cmd_add_flowtable(struct json_ctx *ctx, json_t *root, enum cmd_ops op, enum cmd_obj cmd_obj) @@ -3089,7 +3500,7 @@ static struct cmd *json_parse_cmd_add_flowtable(struct json_ctx *ctx, const char *family, *hook, *hookstr; struct flowtable *flowtable; struct handle h = { 0 }; - json_t *devs; + json_t *devs = NULL; int prio; if (json_unpack_err(ctx, root, "{s:s, s:s}", @@ -3100,7 +3511,7 @@ static struct cmd *json_parse_cmd_add_flowtable(struct json_ctx *ctx, if (op != CMD_DELETE && json_unpack_err(ctx, root, "{s:s}", "name", &h.flowtable.name)) { return NULL; - } else if (op == CMD_DELETE && + } else if ((op == CMD_DELETE || op == CMD_DESTROY) && json_unpack(root, "{s:s}", "name", &h.flowtable.name) && json_unpack(root, "{s:I}", "handle", &h.handle.id)) { json_error(ctx, "Either name or handle required to delete a flowtable."); @@ -3115,17 +3526,18 @@ static struct cmd *json_parse_cmd_add_flowtable(struct json_ctx *ctx, if (h.flowtable.name) h.flowtable.name = xstrdup(h.flowtable.name); - if (op == CMD_DELETE || op == CMD_LIST) + if (op == CMD_DELETE || op == CMD_LIST || op == CMD_DESTROY) return cmd_alloc(op, cmd_obj, &h, int_loc, NULL); - if (json_unpack_err(ctx, root, "{s:s, s:I, s:o}", + if (json_unpack_err(ctx, root, "{s:s, s:i}", "hook", &hook, - "prio", &prio, - "dev", &devs)) { + "prio", &prio)) { handle_free(&h); return NULL; } + json_unpack(root, "{s:o}", "dev", &devs); + hookstr = chain_hookname_lookup(hook); if (!hookstr) { json_error(ctx, "Invalid flowtable hook '%s'.", hook); @@ -3140,12 +3552,14 @@ static struct cmd *json_parse_cmd_add_flowtable(struct json_ctx *ctx, BYTEORDER_HOST_ENDIAN, sizeof(int) * BITS_PER_BYTE, &prio); - flowtable->dev_expr = json_parse_flowtable_devs(ctx, devs); - if (!flowtable->dev_expr) { - json_error(ctx, "Invalid flowtable dev."); - flowtable_free(flowtable); - handle_free(&h); - return NULL; + if (devs) { + flowtable->dev_expr = json_parse_devs(ctx, devs); + if (!flowtable->dev_expr) { + json_error(ctx, "Invalid flowtable dev."); + flowtable_free(flowtable); + handle_free(&h); + return NULL; + } } return cmd_alloc(op, cmd_obj, &h, int_loc, flowtable); } @@ -3156,7 +3570,7 @@ static int json_parse_ct_timeout_policy(struct json_ctx *ctx, json_t *tmp, *val; const char *key; - if (!json_unpack(root, "{s:o}", "policy", &tmp)) + if (json_unpack(root, "{s:o}", "policy", &tmp)) return 0; if (!json_is_object(tmp)) { @@ -3164,7 +3578,6 @@ static int json_parse_ct_timeout_policy(struct json_ctx *ctx, return 1; } - init_list_head(&obj->ct_timeout.timeout_list); json_object_foreach(tmp, key, val) { struct timeout_state *ts; @@ -3189,8 +3602,8 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, { const char *family, *tmp, *rate_unit = "packets", *burst_unit = "bytes"; uint32_t l3proto = NFPROTO_UNSPEC; + int inv = 0, flags = 0, i, j; struct handle h = { 0 }; - int inv = 0, flags = 0; struct obj *obj; json_t *jflags; @@ -3202,7 +3615,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, cmd_obj == NFT_OBJECT_CT_HELPER) && json_unpack_err(ctx, root, "{s:s}", "name", &h.obj.name)) { return NULL; - } else if (op == CMD_DELETE && + } else if ((op == CMD_DELETE || op == CMD_DESTROY) && cmd_obj != NFT_OBJECT_CT_HELPER && json_unpack(root, "{s:s}", "name", &h.obj.name) && json_unpack(root, "{s:I}", "handle", &h.handle.id)) { @@ -3218,7 +3631,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, if (h.obj.name) h.obj.name = xstrdup(h.obj.name); - if (op == CMD_DELETE || op == CMD_LIST) { + if (op == CMD_DELETE || op == CMD_LIST || op == CMD_DESTROY) { if (cmd_obj == NFT_OBJECT_CT_HELPER) return cmd_alloc_obj_ct(op, NFT_OBJECT_CT_HELPER, &h, int_loc, obj_alloc(int_loc)); @@ -3227,6 +3640,9 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, obj = obj_alloc(int_loc); + if (!json_unpack(root, "{s:s}", "comment", &obj->comment)) + obj->comment = xstrdup(obj->comment); + switch (cmd_obj) { case CMD_OBJ_COUNTER: obj->type = NFT_OBJECT_COUNTER; @@ -3249,8 +3665,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, if (ret < 0 || ret >= (int)sizeof(obj->secmark.ctx)) { json_error(ctx, "Invalid secmark context '%s', max length is %zu.", tmp, sizeof(obj->secmark.ctx)); - obj_free(obj); - return NULL; + goto err_free_obj; } } break; @@ -3266,8 +3681,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, ret >= (int)sizeof(obj->ct_helper.name)) { json_error(ctx, "Invalid CT helper type '%s', max length is %zu.", tmp, sizeof(obj->ct_helper.name)); - obj_free(obj); - return NULL; + goto err_free_obj; } } if (!json_unpack(root, "{s:s}", "protocol", &tmp)) { @@ -3277,15 +3691,13 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, obj->ct_helper.l4proto = IPPROTO_UDP; } else { json_error(ctx, "Invalid ct helper protocol '%s'.", tmp); - obj_free(obj); - return NULL; + goto err_free_obj; } } if (!json_unpack(root, "{s:s}", "l3proto", &tmp) && parse_family(tmp, &l3proto)) { json_error(ctx, "Invalid ct helper l3proto '%s'.", tmp); - obj_free(obj); - return NULL; + goto err_free_obj; } obj->ct_helper.l3proto = l3proto; break; @@ -3299,22 +3711,19 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, obj->ct_timeout.l4proto = IPPROTO_UDP; } else { json_error(ctx, "Invalid ct timeout protocol '%s'.", tmp); - obj_free(obj); - return NULL; + goto err_free_obj; } } if (!json_unpack(root, "{s:s}", "l3proto", &tmp) && parse_family(tmp, &l3proto)) { json_error(ctx, "Invalid ct timeout l3proto '%s'.", tmp); - obj_free(obj); - return NULL; + goto err_free_obj; } - obj->ct_helper.l3proto = l3proto; + obj->ct_timeout.l3proto = l3proto; - if (json_parse_ct_timeout_policy(ctx, root, obj)) { - obj_free(obj); - return NULL; - } + init_list_head(&obj->ct_timeout.timeout_list); + if (json_parse_ct_timeout_policy(ctx, root, obj)) + goto err_free_obj; break; case NFT_OBJECT_CT_EXPECT: cmd_obj = CMD_OBJ_CT_EXPECT; @@ -3322,8 +3731,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, if (!json_unpack(root, "{s:s}", "l3proto", &tmp) && parse_family(tmp, &l3proto)) { json_error(ctx, "Invalid ct expectation l3proto '%s'.", tmp); - obj_free(obj); - return NULL; + goto err_free_obj; } obj->ct_expect.l3proto = l3proto; if (!json_unpack(root, "{s:s}", "protocol", &tmp)) { @@ -3333,27 +3741,26 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, obj->ct_expect.l4proto = IPPROTO_UDP; } else { json_error(ctx, "Invalid ct expectation protocol '%s'.", tmp); - obj_free(obj); - return NULL; + goto err_free_obj; } } - if (!json_unpack(root, "{s:o}", "dport", &tmp)) - obj->ct_expect.dport = atoi(tmp); - json_unpack(root, "{s:I}", "timeout", &obj->ct_expect.timeout); - if (!json_unpack(root, "{s:o}", "size", &tmp)) - obj->ct_expect.size = atoi(tmp); + if (!json_unpack(root, "{s:i}", "dport", &i)) + obj->ct_expect.dport = i; + if (!json_unpack(root, "{s:i}", "timeout", &i)) + obj->ct_expect.timeout = i; + if (!json_unpack(root, "{s:i}", "size", &i)) + obj->ct_expect.size = i; break; case CMD_OBJ_LIMIT: obj->type = NFT_OBJECT_LIMIT; if (json_unpack_err(ctx, root, "{s:I, s:s}", "rate", &obj->limit.rate, - "per", &tmp)) { - obj_free(obj); - return NULL; - } + "per", &tmp)) + goto err_free_obj; + json_unpack(root, "{s:s}", "rate_unit", &rate_unit); json_unpack(root, "{s:b}", "inv", &inv); - json_unpack(root, "{s:I}", "burst", &obj->limit.burst); + json_unpack(root, "{s:i}", "burst", &obj->limit.burst); json_unpack(root, "{s:s}", "burst_unit", &burst_unit); if (!strcmp(rate_unit, "packets")) { @@ -3371,19 +3778,18 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, case CMD_OBJ_SYNPROXY: obj->type = NFT_OBJECT_SYNPROXY; if (json_unpack_err(ctx, root, "{s:i, s:i}", - "mss", &obj->synproxy.mss, - "wscale", &obj->synproxy.wscale)) { - obj_free(obj); - return NULL; - } + "mss", &i, "wscale", &j)) + goto err_free_obj; + + obj->synproxy.mss = i; + obj->synproxy.wscale = j; obj->synproxy.flags |= NF_SYNPROXY_OPT_MSS; obj->synproxy.flags |= NF_SYNPROXY_OPT_WSCALE; if (!json_unpack(root, "{s:o}", "flags", &jflags)) { flags = json_parse_synproxy_flags(ctx, jflags); - if (flags < 0) { - obj_free(obj); - return NULL; - } + if (flags < 0) + goto err_free_obj; + obj->synproxy.flags |= flags; } break; @@ -3395,6 +3801,11 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, json_object_del(root, "handle"); return cmd_alloc(op, cmd_obj, &h, int_loc, obj); + +err_free_obj: + obj_free(obj); + handle_free(&h); + return NULL; } static struct cmd *json_parse_cmd_add(struct json_ctx *ctx, @@ -3419,7 +3830,8 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx, { "ct timeout", NFT_OBJECT_CT_TIMEOUT, json_parse_cmd_add_object }, { "ct expectation", NFT_OBJECT_CT_EXPECT, json_parse_cmd_add_object }, { "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object }, - { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object } + { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object }, + { "synproxy", CMD_OBJ_SYNPROXY, json_parse_cmd_add_object } }; unsigned int i; json_t *tmp; @@ -3508,8 +3920,7 @@ static struct cmd *json_parse_cmd_replace(struct json_ctx *ctx, if (!json_is_object(value)) { json_error(ctx, "Unexpected expr array element of type %s, expected object.", json_typename(value)); - rule_free(rule); - return NULL; + goto err_free_replace; } stmt = json_parse_stmt(ctx, value); @@ -3517,8 +3928,7 @@ static struct cmd *json_parse_cmd_replace(struct json_ctx *ctx, if (!stmt) { json_error(ctx, "Parsing expr array at index %zd failed.", index); - rule_free(rule); - return NULL; + goto err_free_replace; } rule_stmt_append(rule, stmt); @@ -3528,6 +3938,11 @@ static struct cmd *json_parse_cmd_replace(struct json_ctx *ctx, json_object_del(root, "handle"); return cmd_alloc(op, CMD_OBJ_RULE, &h, int_loc, rule); + +err_free_replace: + rule_free(rule); + handle_free(&h); + return NULL; } static struct cmd *json_parse_cmd_list_multiple(struct json_ctx *ctx, @@ -3616,6 +4031,39 @@ static struct cmd *json_parse_cmd_list(struct json_ctx *ctx, return NULL; } +static struct cmd *json_parse_cmd_reset_rule(struct json_ctx *ctx, + json_t *root, enum cmd_ops op, + enum cmd_obj obj) +{ + struct handle h = { + .family = NFPROTO_UNSPEC, + }; + const char *family = NULL, *table = NULL, *chain = NULL; + + + if (obj == CMD_OBJ_RULE && + json_unpack_err(ctx, root, "{s:s, s:s, s:s, s:I}", + "family", &family, "table", &table, + "chain", &chain, "handle", &h.handle.id)) + return NULL; + else if (obj == CMD_OBJ_RULES) { + json_unpack(root, "{s:s}", "family", &family); + json_unpack(root, "{s:s}", "table", &table); + json_unpack(root, "{s:s}", "chain", &chain); + } + + if (family && parse_family(family, &h.family)) { + json_error(ctx, "Unknown family '%s'.", family); + return NULL; + } + if (table) { + h.table.name = xstrdup(table); + if (chain) + h.chain.name = xstrdup(chain); + } + return cmd_alloc(op, obj, &h, int_loc, NULL); +} + static struct cmd *json_parse_cmd_reset(struct json_ctx *ctx, json_t *root, enum cmd_ops op) { @@ -3629,6 +4077,11 @@ static struct cmd *json_parse_cmd_reset(struct json_ctx *ctx, { "counters", CMD_OBJ_COUNTERS, json_parse_cmd_list_multiple }, { "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object }, { "quotas", CMD_OBJ_QUOTAS, json_parse_cmd_list_multiple }, + { "rule", CMD_OBJ_RULE, json_parse_cmd_reset_rule }, + { "rules", CMD_OBJ_RULES, json_parse_cmd_reset_rule }, + { "element", CMD_OBJ_ELEMENTS, json_parse_cmd_add_element }, + { "set", CMD_OBJ_SET, json_parse_cmd_add_set }, + { "map", CMD_OBJ_MAP, json_parse_cmd_add_set }, }; unsigned int i; json_t *tmp; @@ -3727,6 +4180,7 @@ static struct cmd *json_parse_cmd(struct json_ctx *ctx, json_t *root) { "reset", CMD_RESET, json_parse_cmd_reset }, { "flush", CMD_FLUSH, json_parse_cmd_flush }, { "rename", CMD_RENAME, json_parse_cmd_rename }, + { "destroy", CMD_DESTROY, json_parse_cmd_add }, //{ "export", CMD_EXPORT, json_parse_cmd_export }, //{ "monitor", CMD_MONITOR, json_parse_cmd_monitor }, //{ "describe", CMD_DESCRIBE, json_parse_cmd_describe } @@ -3749,13 +4203,14 @@ static int json_verify_metainfo(struct json_ctx *ctx, json_t *root) { int schema_version; - if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version)) - return 0; - - if (schema_version > JSON_SCHEMA_VERSION) { - json_error(ctx, "Schema version %d not supported, maximum supported version is %d\n", - schema_version, JSON_SCHEMA_VERSION); - return 1; + if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version)) { + if (schema_version > JSON_SCHEMA_VERSION) { + json_error(ctx, + "Schema version %d not supported, maximum" + " supported version is %d\n", + schema_version, JSON_SCHEMA_VERSION); + return 1; + } } return 0; @@ -3883,16 +4338,15 @@ int nft_parse_json_buffer(struct nft_ctx *nft, const char *buf, struct list_head *msgs, struct list_head *cmds) { struct json_ctx ctx = { - .indesc = { - .type = INDESC_BUFFER, - .data = buf, - }, .nft = nft, .msgs = msgs, .cmds = cmds, }; int ret; + json_indesc.type = INDESC_BUFFER; + json_indesc.data = buf; + parser_init(nft, nft->state, msgs, cmds, nft->top_scope); nft->json_root = json_loads(buf, 0, NULL); if (!nft->json_root) @@ -3911,10 +4365,6 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename, struct list_head *msgs, struct list_head *cmds) { struct json_ctx ctx = { - .indesc = { - .type = INDESC_FILE, - .name = filename, - }, .nft = nft, .msgs = msgs, .cmds = cmds, @@ -3922,6 +4372,16 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename, json_error_t err; int ret; + if (nft->stdin_buf) { + json_indesc.type = INDESC_STDIN; + json_indesc.name = "/dev/stdin"; + + return nft_parse_json_buffer(nft, nft->stdin_buf, msgs, cmds); + } + + json_indesc.type = INDESC_FILE; + json_indesc.name = filename; + parser_init(nft, nft->state, msgs, cmds, nft->top_scope); nft->json_root = json_load_file(filename, 0, &err); if (!nft->json_root) |