authorArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>2013-05-23 12:03:04 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2013-05-23 12:34:08 +0200
commit51370f0eedb1c8167ab2c340d2a53f0d9f02509c (patch)
treec3c59e1ecd89cad380204fec6a92cf418cfb5ca6 /src/expr
parent3231f64ee7bc4ba56e814611f306320b48e9b91d (diff)
src: add support for XML parsing
This patch adds capabilities for parsing a XML table/chain/rule. Some comments: * The XML data is case sensitive (so <chain>asd</chain> != <chain>ASD</chain> != <CHAIN>asd</CHAIN>) * All exported functions receive XML and return an object (table|chain|rule). * To compile the lib with XML parsing support, run './configure --with-xml-parsing' * XML parsing is done with libmxml (http://minixml.org). XML parsing depends on this external lib, this dependency is optional at compile time. NOTE: expr/target and expr/match binary data are exported. [ Fixed to compile without --with-xml-parsing --pablo ] Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
Diffstat (limited to 'src/expr')
-rw-r--r--src/expr/bitwise.c111
-rw-r--r--src/expr/cmp.c93
-rw-r--r--src/expr/counter.c62
-rw-r--r--src/expr/data_reg.c247
-rw-r--r--src/expr/immediate.c102
-rw-r--r--src/expr/lookup.c78
-rw-r--r--src/expr/match.c60
-rw-r--r--src/expr/meta.c67
-rw-r--r--src/expr/nat.c127
-rw-r--r--src/expr/payload.c89
-rw-r--r--src/expr/target.c63
11 files changed, 1091 insertions, 8 deletions
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index ddcf6a7..9ebe3dc 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -15,6 +15,7 @@
#include <stdint.h>
#include <string.h> /* for memcpy */
#include <arpa/inet.h>
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
#include <libnftables/expr.h>
@@ -196,6 +197,115 @@ nft_rule_expr_bitwise_parse(struct nft_rule_expr *e, struct nlattr *attr)
}
static int
+nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_bitwise *bitwise = (struct nft_expr_bitwise *)e;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ mxml_node_t *save = NULL;
+ uint64_t tmp;
+ union nft_data_reg data_regtmp;
+ char *endptr = NULL;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("bitwise", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* get and set <sreg> */
+ node = mxmlFindElement(tree, tree, "sreg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ bitwise->sreg = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_BITWISE_SREG);
+
+ /* get and set <dreg> */
+ node = mxmlFindElement(tree, tree, "dreg", NULL, NULL, MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ bitwise->dreg = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_BITWISE_DREG);
+
+ /* Get and set <mask> */
+ node = mxmlFindElement(tree, tree, "mask", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* hack for mxmSaveAllocString to print just the current node */
+ save = node->next;
+ node->next = NULL;
+ if (nft_data_reg_xml_parse(&data_regtmp,
+ mxmlSaveAllocString(node, MXML_NO_CALLBACK)) < 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+ node->next = save;
+
+ memcpy(&bitwise->mask.val, data_regtmp.val, data_regtmp.len);
+ bitwise->mask.len = data_regtmp.len;
+ e->flags |= (1 << NFT_EXPR_BITWISE_MASK);
+
+ /* Get and set <xor> */
+ node = mxmlFindElement(tree, tree, "xor", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* hack for mxmSaveAllocString to print just the current node */
+ save = node->next;
+ node->next = NULL;
+ if (nft_data_reg_xml_parse(&data_regtmp,
+ mxmlSaveAllocString(node, MXML_NO_CALLBACK)) < 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ memcpy(&bitwise->xor.val, data_regtmp.val, data_regtmp.len);
+ bitwise->xor.len = data_regtmp.len;
+ e->flags |= (1 << NFT_EXPR_BITWISE_XOR);
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int
nft_rule_expr_bitwise_snprintf_xml(char *buf, size_t size,
struct nft_expr_bitwise *bitwise)
{
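Review bot: `nft_rule_expr_bitwise_xml_parse` casts the expression itself, `(struct nft_expr_bitwise *)e`, whereas every other parser in this commit uses `e->data`. The writes to `sreg`, `dreg`, `mask` and `xor` therefore appear to land on the `nft_rule_expr` header rather than on the private data. The declaration should read `struct nft_expr_bitwise *bitwise = (struct nft_expr_bitwise *)e->data;`. Separately, `node->child->value.opaque` is dereferenced without checking `node->child`, so an empty element such as `<sreg/>` would presumably be a NULL dereference. Guard it with `if (node->child == NULL) { mxmlDelete(tree); return -1; }`; the same unchecked access recurs in every `*_xml_parse` function added by this commit.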
@@ -280,4 +390,5 @@ struct expr_ops expr_ops_bitwise = {
.parse = nft_rule_expr_bitwise_parse,
.build = nft_rule_expr_bitwise_build,
.snprintf = nft_rule_expr_bitwise_snprintf,
+ .xml_parse = nft_rule_expr_bitwise_xml_parse,
};
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 3de849a..673f3e0 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -15,6 +15,7 @@
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
@@ -166,6 +167,97 @@ static char *expr_cmp_str[] = {
[NFT_CMP_GTE] = "gte",
};
+static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_cmp *cmp = (struct nft_expr_cmp *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ mxml_node_t *save = NULL;
+ union nft_data_reg data_regtmp;
+ uint64_t tmp;
+ char *endptr;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("cmp", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <sreg>. Is not mandatory */
+ node = mxmlFindElement(tree, tree, "sreg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT8_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ cmp->sreg = (uint8_t)tmp;
+ e->flags |= (1 << NFT_EXPR_CMP_SREG);
+ }
+
+ /* Get and set <op>. Is not mandatory*/
+ node = mxmlFindElement(tree, tree, "op", NULL, NULL, MXML_DESCEND);
+ if (node != NULL) {
+ if (strcmp(node->child->value.opaque, "eq") == 0) {
+ cmp->op = NFT_CMP_EQ;
+ } else if (strcmp(node->child->value.opaque, "neq") == 0) {
+ cmp->op = NFT_CMP_NEQ;
+ } else if (strcmp(node->child->value.opaque, "lt") == 0) {
+ cmp->op = NFT_CMP_LT;
+ } else if (strcmp(node->child->value.opaque, "lte") == 0) {
+ cmp->op = NFT_CMP_LTE;
+ } else if (strcmp(node->child->value.opaque, "gt") == 0) {
+ cmp->op = NFT_CMP_GT;
+ } else if (strcmp(node->child->value.opaque, "gte") == 0) {
+ cmp->op = NFT_CMP_GTE;
+ } else {
+ /* If <op> is present, a valid value is mandatory */
+ mxmlDelete(tree);
+ return -1;
+ }
+ e->flags |= (1 << NFT_EXPR_CMP_OP);
+ }
+
+ /* Get and set <cmpdata>. Is not mandatory */
+ node = mxmlFindElement(tree, tree, "cmpdata", NULL, NULL,
+ MXML_DESCEND);
+ if (node != NULL) {
+ /* hack for mxmSaveAllocString to print just the current node */
+ save = node->next;
+ node->next = NULL;
+
+ if (nft_data_reg_xml_parse(&data_regtmp,
+ mxmlSaveAllocString(node, MXML_NO_CALLBACK)) < 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ node->next = save;
+
+ memcpy(&cmp->data.val, data_regtmp.val, data_regtmp.len);
+ cmp->data.len = data_regtmp.len;
+ e->flags |= (1 << NFT_EXPR_CMP_DATA);
+ }
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
static int
nft_rule_expr_cmp_snprintf_xml(char *buf, size_t size, struct nft_expr_cmp *cmp)
{
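Review bot: The buffer returned by `mxmlSaveAllocString(node, MXML_NO_CALLBACK)` in the `<cmpdata>` branch is handed straight to `nft_data_reg_xml_parse` and never freed, and it is not checked for NULL before being parsed. On the failure path `node->next` is still NULL when `mxmlDelete(tree)` runs, so the detached siblings are likely not released. Keep the pointer in a local and restore the link before parsing: `char *sub = mxmlSaveAllocString(node, MXML_NO_CALLBACK); node->next = save;`, then `free(sub);` after the parse on both paths. bitwise.c and immediate.c repeat this pattern, and the `<xor>` branch in bitwise.c never restores `node->next` at all.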
@@ -227,4 +319,5 @@ struct expr_ops expr_ops_cmp = {
.parse = nft_rule_expr_cmp_parse,
.build = nft_rule_expr_cmp_build,
.snprintf = nft_rule_expr_cmp_snprintf,
+ .xml_parse = nft_rule_expr_cmp_xml_parse,
};
diff --git a/src/expr/counter.c b/src/expr/counter.c
index 550d56d..633db3e 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -12,6 +12,7 @@
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>
+#include <errno.h>
#include <linux/netfilter/nf_tables.h>
@@ -126,6 +127,66 @@ nft_rule_expr_counter_parse(struct nft_rule_expr *e, struct nlattr *attr)
}
static int
+nft_rule_expr_counter_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_counter *ctr = (struct nft_expr_counter *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ char *endptr;
+ uint64_t tmp;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("counter", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* get and set <pkts>. Is not mandatory*/
+ node = mxmlFindElement(tree, tree, "pkts", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp == UINT64_MAX || tmp < 0 || *endptr ) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ ctr->pkts = (uint64_t)tmp;
+ e->flags |= (1 << NFT_EXPR_CTR_PACKETS);
+ }
+
+ /* get and set <bytes> */
+ node = mxmlFindElement(tree, tree, "bytes", NULL, NULL,
+ MXML_DESCEND);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp == UINT64_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ ctr->bytes = (uint64_t)tmp;
+ e->flags |= (1 << NFT_EXPR_CTR_BYTES);
+ }
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int
nft_rule_expr_counter_snprintf(char *buf, size_t len, uint32_t type,
uint32_t flags, struct nft_rule_expr *e)
{
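Review bot: The `tmp < 0` test in the `<pkts>` and `<bytes>` checks can never be true because `tmp` is `uint64_t`, and `strtoull` accepts a leading minus sign and wraps, so negative text is stored as a very large counter. `tmp == UINT64_MAX` also rejects a legitimate value instead of detecting overflow, and a string with no digits is not caught because `endptr` is never compared with the start of the input. Set `errno = 0;` before the call and reject on `endptr == str || *endptr || errno == ERANGE || str[0] == '-'`, where `str` is the text being parsed. The same range checks are used in bitwise.c, cmp.c, data_reg.c, immediate.c, lookup.c, match.c, meta.c, nat.c, payload.c and target.c.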
@@ -153,4 +214,5 @@ struct expr_ops expr_ops_counter = {
.parse = nft_rule_expr_counter_parse,
.build = nft_rule_expr_counter_build,
.snprintf = nft_rule_expr_counter_snprintf,
+ .xml_parse = nft_rule_expr_counter_xml_parse,
};
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 78c7d49..c0a048c 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -12,7 +12,9 @@
#include <stdio.h>
#include <stdint.h>
#include <string.h>
+#include <limits.h>
#include <arpa/inet.h>
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter.h>
@@ -23,10 +25,244 @@
#include "data_reg.h"
#include "internal.h"
-static int nft_data_reg_value_snprintf_xml(char *buf, size_t size,
- union nft_data_reg *reg,
- uint32_t flags)
+#ifdef XML_PARSING
+static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg, char *xml)
{
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ char *endptr;
+ long int tmp;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ node = mxmlFindElement(tree, tree, "data_reg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and validate <data_reg type="verdict" >*/
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp(mxmlElementGetAttr(tree, "type"), "verdict") != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <verdict> */
+ node = mxmlFindElement(tree, tree, "verdict", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ errno = 0;
+ tmp = strtoll(node->child->value.opaque, &endptr, 10);
+ if (tmp > INT_MAX || tmp < INT_MIN || errno != 0
+ || strlen(endptr) > 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ reg->verdict = tmp;
+
+ mxmlDelete(tree);
+ return 0;
+ errno = EOPNOTSUPP;
+ return -1;
+}
+
+static int nft_data_reg_chain_xml_parse(union nft_data_reg *reg, char *xml)
+{
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ node = mxmlFindElement(tree, tree, "data_reg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and validate <data_reg type="chain" >*/
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp(mxmlElementGetAttr(tree, "type"), "chain") != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <chain> */
+ node = mxmlFindElement(tree, tree, "chain", NULL, NULL, MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* no max len value to validate? */
+ if (strlen(node->child->value.opaque) < 1) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (reg->chain)
+ free(reg->chain);
+
+ reg->chain = strdup(node->child->value.opaque);
+
+ mxmlDelete(tree);
+ return 0;
+}
+
+static int nft_data_reg_value_xml_parse(union nft_data_reg *reg, char *xml)
+{
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ int i, len;
+ int64_t tmp;
+ uint64_t utmp;
+ char *endptr;
+ char node_name[6];
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ node = mxmlFindElement(tree, tree, "data_reg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /*
+ * <data_reg type="value">
+ * <len>4</len>
+ * <data0>0xc09a002a</data0>
+ * <data1>0x2700cac1</data1>
+ * <data2>0x00000000</data2>
+ * <data3>0x08000000</data3>
+ * </data_reg>
+ */
+
+ /* Get and validate <data_reg type="value" ... >*/
+ if (mxmlElementGetAttr(node, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp(mxmlElementGetAttr(node, "type"), "value") != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get <len> */
+ node = mxmlFindElement(tree, tree, "len", NULL, NULL, MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ tmp = strtoll(node->child->value.opaque, &endptr, 10);
+ if (tmp > INT64_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+ /* maybe also (len < 1 || len > 4) */
+ len = tmp;
+
+ /* Get and set <dataN> */
+ for (i = 0; i < len; i++) {
+ sprintf(node_name, "data%d", i);
+
+ node = mxmlFindElement(tree, tree, node_name, NULL,
+ NULL, MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ utmp = strtoull(node->child->value.opaque, &endptr, 16);
+ if (utmp == UINT64_MAX || utmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+ reg->val[i] = tmp;
+ }
+
+ reg->len = sizeof(reg->val);
+
+ mxmlDelete(tree);
+ return 0;
+ errno = EOPNOTSUPP;
+ return -1;
+}
+#endif
+
+int nft_data_reg_xml_parse(union nft_data_reg *reg, char *xml)
+{
+#ifdef XML_PARSING
+ mxml_node_t *node = NULL;
+ mxml_node_t *tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+
+ if (tree == NULL)
+ return -1;
+
+ node = mxmlFindElement(tree, tree, "data_reg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get <data_reg type="xxx" ... >*/
+ if (mxmlElementGetAttr(node, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Select what type of parsing is needed */
+ if (strcmp(mxmlElementGetAttr(node, "type"), "value") == 0) {
+ mxmlDelete(tree);
+ return nft_data_reg_value_xml_parse(reg, xml);
+ } else if (strcmp(mxmlElementGetAttr(node, "type"), "verdict") == 0) {
+ mxmlDelete(tree);
+ return nft_data_reg_verdict_xml_parse(reg, xml);
+ } else if (strcmp(mxmlElementGetAttr(node, "type"), "chain") == 0) {
+ mxmlDelete(tree);
+ return nft_data_reg_chain_xml_parse(reg, xml);
+ }
+
+ mxmlDelete(tree);
+ return -1;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static
+int nft_data_reg_value_snprintf_xml(char *buf, size_t size,
+ union nft_data_reg *reg, uint32_t flags)
+{
+#ifdef XML_PARSING
int len = size, offset = 0, ret, i, j;
uint8_t *tmp;
int data_len = reg->len/sizeof(uint32_t);
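Review bot: In `nft_data_reg_value_xml_parse` the `<len>` value read from the XML is bounded only by `INT64_MAX` before it drives the loop. `sprintf(node_name, "data%d", i)` then overruns the 6-byte `node_name` once `i` reaches 10, and `reg->val[i]` is written past the register, assuming `val` is the fixed-size array that `sizeof(reg->val)` suggests. The in-code remark `maybe also (len < 1 || len > 4)` should become an actual bound derived from the array size, and the copy into `node_name` should be size-limited. The loop also stores `tmp` (the length) instead of the parsed `utmp`, so the register never receives the `<dataN>` contents. The `errno = EOPNOTSUPP; return -1;` lines after `return 0;` here and in the verdict parser are unreachable and can be dropped.

```c
	tmp = strtoll(node->child->value.opaque, &endptr, 10);
	/* bound <len> by the register array instead of INT64_MAX */
	if (tmp < 1 ||
	    tmp > (int64_t)(sizeof(reg->val) / sizeof(reg->val[0])) ||
	    *endptr) {
		mxmlDelete(tree);
		return -1;
	}
	len = tmp;

	for (i = 0; i < len; i++) {
		snprintf(node_name, sizeof(node_name), "data%d", i);
		/* … unchanged: mxmlFindElement lookup and strtoull parse of <dataN> … */
		reg->val[i] = utmp;
	}
```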
@@ -56,6 +292,10 @@ static int nft_data_reg_value_snprintf_xml(char *buf, size_t size,
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
return offset;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
}
static int
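Review bot: Wrapping the body of `nft_data_reg_value_snprintf_xml` in `#ifdef XML_PARSING` makes XML output of value registers fail with `EOPNOTSUPP` in builds without libmxml, although the visible parts of the body call nothing from mxml and the function existed before this dependency was added. If the guard is intentional it deserves a comment such as `/* XML export is disabled together with XML parsing */`; otherwise it should be removed so that export keeps working without `--with-xml-parsing`. The `#ifdef` opens in the previous hunk and the middle of the function lies outside both hunks, so this is inferred from the visible lines only.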
@@ -251,3 +491,4 @@ int nft_parse_data(union nft_data_reg *data, struct nlattr *attr, int *type)
return ret;
}
+
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index 10f7793..7cfb4bf 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -13,7 +13,7 @@
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
-
+#include <errno.h>
#include "internal.h"
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
@@ -196,6 +196,105 @@ nft_rule_expr_immediate_parse(struct nft_rule_expr *e, struct nlattr *attr)
}
static int
+nft_rule_expr_immediate_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_immediate *imm = (struct nft_expr_immediate *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ mxml_node_t *save = NULL;
+ union nft_data_reg data_regtmp;
+ uint64_t tmp;
+ char *endptr;
+
+ /* load the tree */
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("immediate", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <dreg>. Is mandatory */
+ node = mxmlFindElement(tree, tree, "dreg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ imm->dreg = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_IMM_DREG);
+
+ /* Get and set <immdata>. Is mandatory */
+ node = mxmlFindElement(tree, tree, "immdata", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* hack for mxmSaveAllocString to print just the current node */
+ save = node->next;
+ node->next = NULL;
+
+ if (nft_data_reg_xml_parse(&data_regtmp,
+ mxmlSaveAllocString(node, MXML_NO_CALLBACK)) < 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+ node->next = save;
+
+ /* data_reg type switch */
+ node = mxmlFindElement(tree, tree, "data_reg", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (mxmlElementGetAttr(node, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp(mxmlElementGetAttr(node, "type"), "value") == 0) {
+ memcpy(&imm->data.val, data_regtmp.val, data_regtmp.len);
+ imm->data.len = data_regtmp.len;
+ e->flags |= (1 << NFT_EXPR_IMM_DATA);
+ } else if (strcmp(mxmlElementGetAttr(node, "type"), "verdict") == 0) {
+ imm->data.verdict = data_regtmp.verdict;
+ e->flags |= (1 << NFT_EXPR_IMM_VERDICT);
+ } else if (strcmp(mxmlElementGetAttr(node, "type"), "chain") == 0) {
+ if (imm->data.chain)
+ free(imm->data.chain);
+
+ imm->data.chain = strdup(data_regtmp.chain);
+ e->flags |= (1 << NFT_EXPR_IMM_CHAIN);
+ }
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int
nft_rule_expr_immediate_snprintf_xml(char *buf, size_t len,
struct nft_rule_expr *e, uint32_t flags)
{
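Review bot: `data_regtmp` is passed to `nft_data_reg_xml_parse` uninitialized, and for `type="chain"` the callee added in data_reg.c runs `if (reg->chain) free(reg->chain);` on it, which frees an indeterminate pointer. Zero the temporary first with `memset(&data_regtmp, 0, sizeof(data_regtmp));`. In the chain branch, take ownership with `imm->data.chain = data_regtmp.chain;` instead of `strdup(data_regtmp.chain)`, which leaks the parsed copy and is not checked for NULL. bitwise.c and cmp.c use the same uninitialized temporary, and there `data_regtmp.len` is fed to `memcpy` even when the `<data_reg>` type was not `value`, so the copy length may be indeterminate.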
@@ -282,4 +381,5 @@ struct expr_ops expr_ops_immediate = {
.parse = nft_rule_expr_immediate_parse,
.build = nft_rule_expr_immediate_build,
.snprintf = nft_rule_expr_immediate_snprintf,
+ .xml_parse = nft_rule_expr_immediate_xml_parse,
};
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index 1046615..6d2b9a2 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -15,6 +15,7 @@
#include <stdint.h>
#include <string.h> /* for memcpy */
#include <arpa/inet.h>
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
#include <libnftables/rule.h>
@@ -151,6 +152,82 @@ nft_rule_expr_lookup_parse(struct nft_rule_expr *e, struct nlattr *attr)
}
static int
+nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_lookup *lookup = (struct nft_expr_lookup *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ uint64_t tmp;
+ char *endptr;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("lookup", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* get and set <set>. Is mandatory */
+ node = mxmlFindElement(tree, tree, "set", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ memcpy(lookup->set_name, node->child->value.opaque, IFNAMSIZ);
+ lookup->set_name[IFNAMSIZ-1] = '\0';
+ e->flags |= (1 << NFT_EXPR_LOOKUP_SET);
+
+ /* get and set <sreg>. Is mandatory */
+ node = mxmlFindElement(tree, tree, "sreg", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ errno = 0;
+
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ lookup->sreg = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_LOOKUP_SREG);
+
+ /* get and set <dreg>. Isn't mandatory */
+ node = mxmlFindElement(tree, tree, "dreg", NULL, NULL,
+ MXML_DESCEND);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ lookup->dreg = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_LOOKUP_DREG);
+ }
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int
nft_rule_expr_lookup_snprintf_xml(char *buf, size_t size,
struct nft_expr_lookup *l)
{
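Review bot: `memcpy(lookup->set_name, node->child->value.opaque, IFNAMSIZ)` always reads `IFNAMSIZ` bytes from the parsed text, so a `<set>` name shorter than that reads past the end of the string owned by mxml. A bounded string copy is sufficient: `strncpy(lookup->set_name, node->child->value.opaque, IFNAMSIZ - 1);`, keeping the existing terminator line after it. The `<name>` copies in match.c and target.c have the same over-read with `XT_EXTENSION_MAXNAMELEN`. The `errno = 0;` before the `<sreg>` parse has no effect as written, because `errno` is never tested afterwards.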
@@ -202,4 +279,5 @@ struct expr_ops expr_ops_lookup = {
.parse = nft_rule_expr_lookup_parse,
.build = nft_rule_expr_lookup_build,
.snprintf = nft_rule_expr_lookup_snprintf,
+ .xml_parse = nft_rule_expr_lookup_xml_parse,
};
diff --git a/src/expr/match.c b/src/expr/match.c
index 57c5ab9..edb78ea 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -15,7 +15,7 @@
#include <stdint.h>
#include <string.h> /* for memcpy */
#include <arpa/inet.h>
-
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
@@ -184,6 +184,63 @@ static int nft_rule_expr_match_parse(struct nft_rule_expr *e, struct nlattr *att
return 0;
}
+static int nft_rule_expr_match_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_match *mt = (struct nft_expr_match *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ uint64_t tmp;
+ char *endptr;
+
+ /* load the tree */
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("match", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* get and set <name>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "name", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node != NULL) {
+ memcpy(mt->name, node->child->value.opaque,
+ XT_EXTENSION_MAXNAMELEN);
+ mt->name[XT_EXTENSION_MAXNAMELEN-1] = '\0';
+ e->flags |= (1 << NFT_EXPR_MT_NAME);
+ }
+
+ /* get and set <rev>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "rev", NULL, NULL, MXML_DESCEND);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ mt->rev = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_MT_REV);
+ }
+
+ /* mt->info is ignored until other solution is reached */
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
static int nft_rule_expr_match_snprintf_xml(char *buf, size_t len,
struct nft_expr_match *mt)
{
@@ -235,4 +292,5 @@ struct expr_ops expr_ops_match = {
.parse = nft_rule_expr_match_parse,
.build = nft_rule_expr_match_build,
.snprintf = nft_rule_expr_match_snprintf,
+ .xml_parse = nft_rule_expr_match_xml_parse,
};
diff --git a/src/expr/meta.c b/src/expr/meta.c
index bfc1aa6..6316a49 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -12,7 +12,7 @@
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>
-
+#include <errno.h>
#include <linux/netfilter/nf_tables.h>
#include "internal.h"
@@ -125,6 +125,70 @@ nft_rule_expr_meta_parse(struct nft_rule_expr *e, struct nlattr *attr)
return 0;
}
+static int nft_rule_expr_meta_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_meta *meta = (struct nft_expr_meta *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ uint64_t tmp;
+ char *endptr;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("meta", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <dreg>. Is mandatory */
+ node = mxmlFindElement(tree, tree, "dreg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT8_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ meta->dreg = (uint8_t)tmp;
+ e->flags |= (1 << NFT_EXPR_META_DREG);
+
+ /* Get and set <key>. Is mandatory */
+ node = mxmlFindElement(tree, tree, "key", NULL, NULL, MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT8_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ meta->key = (uint8_t)tmp;
+ e->flags |= (1 << NFT_EXPR_META_KEY);
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
static int
nft_rule_expr_meta_snprintf(char *buf, size_t len, uint32_t type,
uint32_t flags, struct nft_rule_expr *e)
@@ -154,4 +218,5 @@ struct expr_ops expr_ops_meta = {
.parse = nft_rule_expr_meta_parse,
.build = nft_rule_expr_meta_build,
.snprintf = nft_rule_expr_meta_snprintf,
+ .xml_parse = nft_rule_expr_meta_xml_parse,
};
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 56212a7..5d924cf 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -14,6 +14,8 @@
#include <stdio.h>
#include <stdint.h>
+#include <limits.h>
+#include <errno.h>
#include <arpa/inet.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
@@ -201,6 +203,130 @@ nft_rule_expr_nat_build(struct nlmsghdr *nlh, struct nft_rule_expr *e)
htonl(nat->sreg_proto_max));
}
+
+static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_nat *nat = (struct nft_expr_nat *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ uint64_t tmp;
+ char *endptr;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("nat", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <type>. Mandatory */
+ node = mxmlFindElement(tree, tree, "type", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp(node->child->value.opaque, "NFT_NAT_SNAT") == 0) {
+ nat->type = NFT_NAT_SNAT;
+ } else if (strcmp(node->child->value.opaque, "NFT_NAT_DNAT") == 0) {
+ nat->type = NFT_NAT_DNAT;
+ } else {
+ mxmlDelete(tree);
+ return -1;
+ }
+ e->flags |= (1 << NFT_EXPR_NAT_TYPE);
+
+ /* Get and set <family>. Mandatory */
+ node = mxmlFindElement(tree, tree, "family", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp(node->child->value.opaque, "AF_INET") == 0) {
+ nat->family = AF_INET;
+ } else if (strcmp(node->child->value.opaque, "AF_INET6") == 0) {
+ nat->family = AF_INET6;
+ } else {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ e->flags |= (1 << NFT_EXPR_NAT_FAMILY);
+
+ /* Get and set <sreg_addr_min_v4>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "sreg_addr_min_v4", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ nat->sreg_addr_min = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_NAT_REG_ADDR_MIN);
+ }
+
+ /* Get and set <sreg_addr_max_v4>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "sreg_addr_max_v4", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ nat->sreg_addr_max = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_NAT_REG_ADDR_MAX);
+ }
+
+ /* Get and set <sreg_proto_min>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "sreg_proto_min", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ nat->sreg_proto_min = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_NAT_REG_PROTO_MIN);
+ }
+
+ /* Get and set <sreg_proto_max>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "sreg_proto_max", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ nat->sreg_proto_max = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_NAT_REG_PROTO_MAX);
+ }
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
static int
nft_rule_expr_nat_snprintf_xml(char *buf, size_t size,
struct nft_rule_expr *e)
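Review bot: The four optional-element blocks in `nft_rule_expr_nat_xml_parse` (`sreg_addr_min_v4`, `sreg_addr_max_v4`, `sreg_proto_min`, `sreg_proto_max`) test `if (node == NULL)` and then dereference `node->child`. A document that omits any of these elements therefore dereferences a NULL pointer, and one that supplies them has the values silently ignored. Each test should read `if (node != NULL) {`, matching the optional fields in payload.c. The `<rev>` block in target.c has the same inverted condition.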
@@ -305,4 +431,5 @@ struct expr_ops expr_ops_nat = {
.parse = nft_rule_expr_nat_parse,
.build = nft_rule_expr_nat_build,
.snprintf = nft_rule_expr_nat_snprintf,
+ .xml_parse = nft_rule_expr_nat_xml_parse,
};
diff --git a/src/expr/payload.c b/src/expr/payload.c
index 091078b..ecb1bce 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -13,8 +13,9 @@
#include <stdio.h>
#include <stdint.h>
+#include <limits.h>
#include <arpa/inet.h>
-
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
@@ -165,6 +166,91 @@ nft_rule_expr_payload_parse(struct nft_rule_expr *e, struct nlattr *attr)
}
static int
+nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_payload *payload = (struct nft_expr_payload *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ uint64_t tmp;
+ char *endptr;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("payload", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <dreg>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "dreg", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ payload->dreg = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_PAYLOAD_DREG);
+ }
+
+ /* Get and set <base>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "base", NULL, NULL, MXML_DESCEND);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ payload->base = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_PAYLOAD_BASE);
+ }
+
+ /* Get and set <offset>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "offset", NULL, NULL,
+ MXML_DESCEND);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ payload->offset = (unsigned int)tmp;
+ e->flags |= (1 << NFT_EXPR_PAYLOAD_OFFSET);
+ }
+
+ /* Get and set <len>. Not mandatory */
+ node = mxmlFindElement(tree, tree, "len", NULL, NULL, MXML_DESCEND);
+ if (node != NULL) {
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ payload->len = (unsigned int)tmp;
+ e->flags |= (1 << NFT_EXPR_PAYLOAD_LEN);
+ }
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+static int
nft_rule_expr_payload_snprintf(char *buf, size_t len, uint32_t type,
uint32_t flags, struct nft_rule_expr *e)
{
@@ -197,4 +283,5 @@ struct expr_ops expr_ops_payload = {
.parse = nft_rule_expr_payload_parse,
.build = nft_rule_expr_payload_build,
.snprintf = nft_rule_expr_payload_snprintf,
+ .xml_parse = nft_rule_expr_payload_xml_parse,
};
diff --git a/src/expr/target.c b/src/expr/target.c
index d3de8e8..6652c47 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -15,7 +15,7 @@
#include <stdint.h>
#include <string.h> /* for memcpy */
#include <arpa/inet.h>
-
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nf_tables.h>
@@ -184,6 +184,66 @@ static int nft_rule_expr_target_parse(struct nft_rule_expr *e, struct nlattr *at
return 0;
}
+static int
+nft_rule_expr_target_xml_parse(struct nft_rule_expr *e, char *xml)
+{
+#ifdef XML_PARSING
+ struct nft_expr_target *tg = (struct nft_expr_target *)e->data;
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ uint64_t tmp;
+ char *endptr;
+
+ /* load the tree */
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL)
+ return -1;
+
+ if (mxmlElementGetAttr(tree, "type") == NULL) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ if (strcmp("target", mxmlElementGetAttr(tree, "type")) != 0) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ /* Get and set <name>. Optional */
+ node = mxmlFindElement(tree, tree, "name", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node != NULL) {
+ memcpy(tg->name, node->child->value.opaque,
+ XT_EXTENSION_MAXNAMELEN);
+ tg->name[XT_EXTENSION_MAXNAMELEN-1] = '\0';
+ e->flags |= (1 << NFT_EXPR_TG_NAME);
+ }
+
+ /* Get and set <rev>. Optional */
+ node = mxmlFindElement(tree, tree, "rev", NULL, NULL,
+ MXML_DESCEND);
+ if (node == NULL) {
+ errno = 0;
+ tmp = strtoull(node->child->value.opaque, &endptr, 10);
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
+ mxmlDelete(tree);
+ return -1;
+ }
+
+ tg->rev = (uint32_t)tmp;
+ e->flags |= (1 << NFT_EXPR_TG_REV);
+ }
+
+ /* tg->info is ignored until other solution is reached */
+
+ mxmlDelete(tree);
+ return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
static
int nft_rule_exp_target_snprintf_xml(char *buf, size_t len,
struct nft_expr_target *tg)
@@ -235,4 +295,5 @@ struct expr_ops expr_ops_target = {
.parse = nft_rule_expr_target_parse,
.build = nft_rule_expr_target_build,
.snprintf = nft_rule_expr_target_snprintf,
+ .xml_parse = nft_rule_expr_target_xml_parse,
};