summaryrefslogtreecommitdiffstats
path: root/src/erec.c
Commit message (Collapse)AuthorAgeFilesLines
* erec: Fix input descriptors for included filesAnatole Denis2017-02-251-1/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, when creating an error record (erec), the current location in the file is duplicated, but not the input_descriptor inside it. Input descriptors are added and removed by the parser when including files, and memory references in the error record thus become incorrect when a subsequent file is included. This patch copies the input descriptors recursively to ensure each erec has the correct chain of input descriptors at the time of printing. For example: badinclude.nft: ``` include "error.nft" include "empty.nft" ``` a.nft: ``` add rule t c obvious syntax error ``` b.nft: (empty file) Results in the last included file being referenced and quoted for all errors $ nft -f badinclude.nft In file included from badinclude.nft:2:1-20: ./empty.nft:1:34-34: Error: syntax error, unexpected newline ^ Expected behavior: $ nft -f badinclude.nft -I. In file included from badinclude.nft:1:1-20: ./error.nft:1:34-34: Error: syntax error, unexpected newline add rule t c obvious syntax error ^ Signed-off-by: Anatole Denis <anatole@rezel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta priority support using tc classidPablo Neira Ayuso2016-08-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the missing bits to scan and parse the meta priority handle as expressed by tc classid major:minor syntax. The :minor syntax is not support for two reason: major is always >= 1 and this clashes with port syntax in nat. Here below, several example on how to match the packet priority field: nft add rule filter forward meta priority abcd:0 nft add rule filter forward meta priority abcd:1234 and to set it, you have to: nft add rule filter forward meta priority set abcd:1234 The priority expression in flex looks ahead to restrict the pattern to avoid problems with mappings: {classid}/[ \t\n:\-},] So the following doesn't break: ... vmap { 25:accept } ^^^^^ The lookahead expression requires a slight change to extend the input string in one byte. This patch is conservative as you always have to explicity indicate major and minor numbers even if zero. We could consider supporting this shortcut in the future: abcd: However, with regards to this: :abcd We don't need to support it since major number is assumed to be >= 1. However, if we ever decide to support this, we'll have problems since this clashes with our port representation in redirect and mangle. So let's keep this simple and start with this approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expose delinearize/linearize structures and stmt_error()Pablo Neira2016-07-131-0/+17
| | | | | | | Needed by the follow up xt compatibility layer patch. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: fix logic when reading from fileEric Leblond2015-06-301-0/+3
| | | | | | | | | | | In case we are reading the rules from a file we need to reset the file descriptor to the original position when calling erec_print. This was not the case in previous code and was leading to valid file to be seen as invalid when treated in debug mode. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: fix buffer overflowEric Leblond2015-06-301-5/+12
| | | | | | | | | | | A static array was used to read data and to write information in it without checking the limit of the array. The result was a buffer overflow when the line was longer than 1024. This patch now uses a allocated buffer to avoid the problem. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: use stdio vasprintf instead of gmp_vasprintfSteven Barth2015-01-071-1/+5
| | | | | | | | | Use stdio's vasprintf instead of gmp_vasprintf which is not part of the mini-gmp function subset. Furthermore convert the only gmp-specific user and allow the compiler to verify format-strings. Signed-off-by: Steven Barth <cyrus@openwrt.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: autotools conversionPablo Neira Ayuso2014-11-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1) This removes former Makefiles and install-sh (which is now automagically imported via autoreconf). Makefile.defs.in Makefile.in Makefile.rules.in src/Makefile.in install-sh (now automagically imported via autoreconf). 2) CFLAGS are left almost same, they are integrated into Make_global.am. Use AM_CPPFLAGS to set the CFLAGS set by pkgconfig. 3) Add m4 directory to the tree which only contains the .gitignore file. Update .gitignore file to skip autogenerated files. 4) include <config.h> whenever required. 5) Minor adjustments to scanner.l and parser_bison.y to compile cleanly with autotools. 6) Add %option outfile=lex.yy.c to scanner.l, otherwise I hit this error here: gcc -DHAVE_CONFIG_H -I. -I.. -I../include -DDEFAULT_INCLUDE_PATH="\"/usr/etc\"" -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wsign-compare -Winit-self -Wformat-nonliteral -Wformat-security -Wmissing-format-attribute -Wcast-align -Wundef -Wbad-function-cast -g -O2 -MT mnl.o -MD -MP -MF $depbase.Tpo -c -o mnl.o mnl.c &&\ mv -f $depbase.Tpo $depbase.Po /bin/sh ../build-aux/ylwrap scanner.l lex.yy.c scanner.c -- flex make[3]: *** [scanner.c] Error 1 make[3]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables' make: *** [all] Error 2 7) Add Makefile.am for include/ (contributed by Giorgio Dal Molin). The doc/ and files/ conversion to automake will come in follow up patches but 'make distcheck' already works. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: skip includes with INDESC_INTERNALPatrick McHardy2014-02-041-1/+3
| | | | | | | Don't display "In file included from internal:0:0-0:" for errors occuring in a parsed file. Signed-off-by: Patrick McHardy <kaber@trash.net>
* erec: fix error markup for errors starting at column 0Patrick McHardy2014-01-101-1/+2
| | | | | | For errors starting at column 0, we must not subtract 1 to avoid underflow. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use libnftablesPablo Neira Ayuso2013-06-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | This patch migrates nft to use the libnftables library, that is used by the iptables over nftables compat utility as well. Most of the conversion was pretty straight forward. Some small significant changes happened in the handling of set element and immediate data abstraction that libnl provides. libnftables is a bit more granular since it splits the struct nfnl_nft_data into three attributes: verdict, chain and plain data (used in maps). I have added a new file src/mnl.c that contains the low level netlink communication that now resides in nftables source tree instead of the library. This should help to implement the batching support using libmnl in follow up patches. I also spent some significant amount of time running my tests to make sure that we don't increase the number of bugs that we already have (I plan to provide a list of those that I have detected and diagnosed, so anyone else can help us to fix them). As a side effect, this change should also prepare the ground for JSON and XML support anytime soon. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* debug: include verbose message in all BUG statementsroot2012-12-081-1/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* erec: Handle returned value properly in erec_printTomasz Bursztyka2012-08-031-3/+4
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+159