| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces the input descriptor list, that stores the
existing input descriptor objects. These objects are now dynamically
allocated and release from scanner_destroy() path.
Follow up patches that decouple the parsing and the evaluation phases
require this for error reporting as described by b14572f72aac ("erec:
Fix input descriptors for included files"), this patch partially reverts
such partial.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Remove double empty line linebreak when printing internal errors.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new requirement to erec for the upcoming JSON support is printing
records with file input descriptors without open stream. The approach is
to treat 'name' field as file name, open it, extract the offending line
and close it again.
Further changes to libnftables input parsing routines though have shown
that the whole concept of file pointer reuse in erec is tedious and not
worth keeping:
* Closed files are to be supported as well, so there needs to be
fallback code for opening the file anyway.
* When input descriptor is duplicated from parser state into an error
record, the file pointer is copied as well. Therefore care has to be
taken to not free the parser state before any error records have been
printed. This is the only point where old and duplicated input
descriptors are connected.
Therefore drop struct input_descriptor's 'fp' field and just always open
the file by name. This way also the old stream offset doesn't have to be
restored after reading.
While being at it, this patch fixes two other (potential) problems:
* If the offending line from input contains tabs, add them at the right
position in the marker buffer as well to avoid misalignment.
* The input file may not be seekable (/dev/stdin for instance), so skip
printing of offending line and markers if it couldn't be read
properly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Analogous to nft_ctx_set_output(), this allows to set a custom file
pointer for writing error messages to.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the following macros:
* AC_PREREQ checks for 2.61, which is not supported any contemporary
distribution.
* AC_COPYRIGHT, autoconf documentation states "in addition to the Free
Software Foundation's copyright on the Autoconf macros, parts of your
configure are covered by the copyright-notice.".
This only refers to the autoconf infrastructure: we are doing simple
and standard usage of autoconf infrastructure, we also don't use this
macro in other existing userspace software available at netfilter.org.
The comment above at the beginning of this file shows text that is
available in many configure.ac templates on the Internet.
* AC_CANONICAL_HOST, we don't need the canonical host-system type to
build this software.
* AC_CONFIG_SRCDIR is not used in other userspace software in the tree.
* AC_DEFINE _GNU_SOURCE, define this where it's needed instead.
* AC_DEFINE _STDC_FORMAT_MACROS is not used in this codebase.
* AC_HEADER_STDC checks for ANSI C89 headers, however, we need more than
just this C standard, so this doesn't guarantee anything at all.
* Remove "Checks for libraries" comment, it's obvious.
* AC_HEADER_ASSERT allows us to disable assertions, this is bad because
this is helping us to diagnose bugs and incomplete features.
* AC_CHECK_HEADERS is checking for an arbitrary list of headers,
this still doesn't even guarantee that we can actually do a successful
compilation in a broken system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
If the initial call to ftell() fails, variable orig_offset is set to -1.
Avoid passing this to fseek() later on.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Static const char * array should be static const char *
const array as per linux-kernel coding style.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When introducing output_fp, debug output in src/evaluate.c was not
adjusted and therefore broke.
This patch restores eval debug output by applying the following changes:
- Change erec_print() and erec_print_list() to take a struct output_ctx
pointer as first argument and use output_fp field as destination to
print to.
- Drop octx_debug_dummy variable and instead use octx pointer from
struct eval_ctx for debug output.
- Add missing calls to erec_destroy() in eval debug output which should
eliminate another mem leak.
Fixes: 2535ba7006f22 ("src: get rid of printf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
It was a bit odd that erec_print() outputs to a given FILE pointer but
then calls netlink_dump_expr() which just prints to stdout. Fix this by
passing the given FILE pointer along so output is guaranteed to go to
the same destination.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When including a file, it is opened by fopen() and therefore needs to be
closed after scanning has finished using fclose(), otherwise valgrind
will report a memleak.
This patch changes struct input_descriptor to track the opened FILE
pointer instead of the file descriptor so the pointer is available for
closing in scanner_destroy().
While at it, change erec_print() to work on the open FILE pointer so it
doesn't have to call fileno() in beforehand. And as a little bonus, use
C99 initializer of the buffer to get rid of the call to memset().
Note that it is necessary to call erec_print_list() prior to destroying
the scanner, otherwise it will start manipulating an already freed FILE
pointer (and therefore crash the program).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
So this toggle is not global anymore. Update name that fits better with
the semantics of this variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
To be able to do so we duplicate the name in the indesc if it is
set.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, when creating an error record (erec), the current location in the
file is duplicated, but not the input_descriptor inside it. Input descriptors
are added and removed by the parser when including files, and memory references
in the error record thus become incorrect when a subsequent file is included.
This patch copies the input descriptors recursively to ensure each erec has the
correct chain of input descriptors at the time of printing.
For example:
badinclude.nft:
```
include "error.nft"
include "empty.nft"
```
a.nft:
```
add rule t c obvious syntax error
```
b.nft: (empty file)
Results in the last included file being referenced and quoted for all errors
$ nft -f badinclude.nft
In file included from badinclude.nft:2:1-20:
./empty.nft:1:34-34: Error: syntax error, unexpected newline
^
Expected behavior:
$ nft -f badinclude.nft -I.
In file included from badinclude.nft:1:1-20:
./error.nft:1:34-34: Error: syntax error, unexpected newline
add rule t c obvious syntax error
^
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the missing bits to scan and parse the meta priority
handle as expressed by tc classid major:minor syntax.
The :minor syntax is not support for two reason: major is always >= 1
and this clashes with port syntax in nat.
Here below, several example on how to match the packet priority field:
nft add rule filter forward meta priority abcd:0
nft add rule filter forward meta priority abcd:1234
and to set it, you have to:
nft add rule filter forward meta priority set abcd:1234
The priority expression in flex looks ahead to restrict the pattern to
avoid problems with mappings:
{classid}/[ \t\n:\-},]
So the following doesn't break:
... vmap { 25:accept }
^^^^^
The lookahead expression requires a slight change to extend the input
string in one byte.
This patch is conservative as you always have to explicity indicate
major and minor numbers even if zero.
We could consider supporting this shortcut in the future:
abcd:
However, with regards to this:
:abcd
We don't need to support it since major number is assumed to be >= 1.
However, if we ever decide to support this, we'll have problems since
this clashes with our port representation in redirect and mangle.
So let's keep this simple and start with this approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Needed by the follow up xt compatibility layer patch.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
In case we are reading the rules from a file we need to reset the
file descriptor to the original position when calling erec_print.
This was not the case in previous code and was leading to valid
file to be seen as invalid when treated in debug mode.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
A static array was used to read data and to write information in
it without checking the limit of the array. The result was a buffer
overflow when the line was longer than 1024.
This patch now uses a allocated buffer to avoid the problem.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Use stdio's vasprintf instead of gmp_vasprintf which is not part
of the mini-gmp function subset. Furthermore convert the only
gmp-specific user and allow the compiler to verify format-strings.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) This removes former Makefiles and install-sh (which is now
automagically imported via autoreconf).
Makefile.defs.in
Makefile.in
Makefile.rules.in
src/Makefile.in
install-sh (now automagically imported via autoreconf).
2) CFLAGS are left almost same, they are integrated into Make_global.am.
Use AM_CPPFLAGS to set the CFLAGS set by pkgconfig.
3) Add m4 directory to the tree which only contains the .gitignore
file. Update .gitignore file to skip autogenerated files.
4) include <config.h> whenever required.
5) Minor adjustments to scanner.l and parser_bison.y to compile cleanly
with autotools.
6) Add %option outfile=lex.yy.c to scanner.l, otherwise I hit this error
here:
gcc -DHAVE_CONFIG_H -I. -I.. -I../include -DDEFAULT_INCLUDE_PATH="\"/usr/etc\"" -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wsign-compare -Winit-self -Wformat-nonliteral -Wformat-security -Wmissing-format-attribute -Wcast-align -Wundef -Wbad-function-cast -g -O2 -MT mnl.o -MD -MP -MF $depbase.Tpo -c -o mnl.o mnl.c &&\
mv -f $depbase.Tpo $depbase.Po
/bin/sh ../build-aux/ylwrap scanner.l lex.yy.c scanner.c -- flex
make[3]: *** [scanner.c] Error 1
make[3]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables'
make: *** [all] Error 2
7) Add Makefile.am for include/ (contributed by Giorgio Dal Molin).
The doc/ and files/ conversion to automake will come in follow up
patches but 'make distcheck' already works.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Don't display "In file included from internal:0:0-0:" for errors occuring
in a parsed file.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
For errors starting at column 0, we must not subtract 1 to avoid underflow.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch migrates nft to use the libnftables library, that is used
by the iptables over nftables compat utility as well. Most of the
conversion was pretty straight forward. Some small significant changes
happened in the handling of set element and immediate data abstraction
that libnl provides. libnftables is a bit more granular since it splits
the struct nfnl_nft_data into three attributes: verdict, chain and plain
data (used in maps).
I have added a new file src/mnl.c that contains the low level netlink
communication that now resides in nftables source tree instead of
the library. This should help to implement the batching support using
libmnl in follow up patches.
I also spent some significant amount of time running my tests to make
sure that we don't increase the number of bugs that we already have
(I plan to provide a list of those that I have detected and diagnosed,
so anyone else can help us to fix them).
As a side effect, this change should also prepare the ground for
JSON and XML support anytime soon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
