authorArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>2013-05-22 00:33:25 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>2013-05-23 12:34:13 +0200
commit4d6045630bb90182abf553df1b7f2764a24620b0 (patch)
tree38f1f95d7f8adc073ded4aefb98a29bf7fcec164 /test
parent51370f0eedb1c8167ab2c340d2a53f0d9f02509c (diff)
examples: XML parsing examples
Some code snippets to add tables/chain/rules using the XML representation. The examples contain: * A binary to parse/add the object using libnftables. * A shellscript to easily call that binary, doing some tests. * table/chain/rule sample XML file. I included my name in new files, but I don't know if this is correct. Please let me know. Instructions: $ cd examples/ ; make nft-table-xml-add # cd test/ ; ./nft-table-xml-add.sh NOTE: Some kernel changes are required to allow reinsert exactly what is printed (handle handling, flags..) Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'test')
-rwxr-xr-xtest/nft-chain-xml-add.sh123
-rwxr-xr-xtest/nft-rule-xml-add.sh132
-rwxr-xr-xtest/nft-table-xml-add.sh75
3 files changed, 330 insertions, 0 deletions
diff --git a/test/nft-chain-xml-add.sh b/test/nft-chain-xml-add.sh
new file mode 100755
index 0000000..d1bd839
--- /dev/null
+++ b/test/nft-chain-xml-add.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+#
+# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+
+# This is a small testbench for adding nftables chains to kernel
+# in XML format.
+
+BINARY="../examples/nft-chain-xml-add"
+NFT=$( which nft )
+MKTEMP=$( which mktemp)
+TMPFILE=$( $MKTEMP )
+
+if [ ! -x "$BINARY" ] ; then
+ echo "E: Binary not found $BINARY"
+ exit 1
+fi
+
+if [ ! -x "$MKTEMP" ] ; then
+ echo "E: mktemp not found and is neccesary"
+ exit 1
+fi
+
+if [ ! -w "$TMPFILE" ] ; then
+ echo "E: Unable to create temp file via mktemp"
+ exit 1
+fi
+
+[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT"
+
+XML="<chain name=\"test1\" handle=\"100\" bytes=\"123\" packets=\"321\" version=\"0\">
+ <properties>
+ <type>filter</type>
+ <table>filter</table>
+ <prio>0</prio>
+ <use>0</use>
+ <hooknum>2</hooknum>
+ <policy>1</policy>
+ <family>2</family>
+ </properties>
+</chain>"
+
+$NFT delete chain ip filter test1 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+ echo "E: Unable to add XML:"
+ echo "$XML"
+ exit 1
+fi
+
+# This is valid (as long as the table exist)
+XML="<chain name=\"test2\" handle=\"101\" bytes=\"59\" packets=\"1\" version=\"0\">
+ <properties>
+ <type>filter</type>
+ <table>filter</table>
+ <prio>1</prio>
+ <use>0</use>
+ <hooknum>4</hooknum>
+ <policy>1</policy>
+ <family>10</family>
+ </properties>
+</chain>"
+
+$NFT delete chain ip6 filter test2 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+ echo "E: Unable to add XML:"
+ echo "$XML"
+ rm -rf $TMPFILE 2>/dev/null
+ exit 1
+fi
+
+# This is valid (as long as the table exist)
+XML="<chain name=\"test3\" handle=\"102\" bytes=\"51231239\" packets=\"1123123123\" version=\"0\">
+ <properties>
+ <type>filter</type>
+ <table>filter</table>
+ <prio>0</prio>
+ <use>0</use>
+ <hooknum>4</hooknum>
+ <policy>1</policy>
+ <family>2</family>
+ </properties>
+</chain>"
+
+$NFT delete chain ip6 filter test3 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+ echo "E: Unable to add XML:"
+ echo "$XML"
+ rm -rf $TMPFILE 2>/dev/null
+ exit 1
+fi
+
+# This is invalid
+XML="<chain name=\"XXXX\" handle=\"XXXX\" bytes=\"XXXXXXX\" packets=\"XXXXXXX\" >
+ <properties>
+ <flags>asdasd</flags>
+ <type>filter</type>
+ <table>filter</table>
+ <prio>asdasd</prio>
+ <use>asdasd</use>
+ <hooknum>asdasd</hooknum>
+ <policy>asdasd</policy>
+ <family>asdasd</family>
+ </properties>
+ </chain>"
+
+if $BINARY "$XML" 2>/dev/null; then
+ echo "E: Accepted invalid XML:"
+ echo "$XML"
+ rm -rf $TMPFILE 2>/dev/null
+ exit 1
+fi
+
+rm -rf $TMPFILE 2>/dev/null
+echo "I: Test OK"
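Review bot: The invalid-XML case at the end hands the XML text itself to the binary (`if $BINARY "$XML" 2>/dev/null`), whereas every other call passes the temp-file path, so the run most likely fails on opening a file of that name and the parser never sees the malformed document; the check then passes without testing input rejection at all. Writing the sample out first, `echo "$XML" > "$TMPFILE"`, and testing `if $BINARY "$TMPFILE" 2>/dev/null; then` would exercise the rejection path. Separately, the pre-delete for `test3` uses `ip6` although that XML declares `<family>2</family>`, so a chain left by an earlier run is not cleared; `$NFT delete chain ip filter test3 2>/dev/null >&2` matches the XML.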
diff --git a/test/nft-rule-xml-add.sh b/test/nft-rule-xml-add.sh
new file mode 100755
index 0000000..426b975
--- /dev/null
+++ b/test/nft-rule-xml-add.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+#
+# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This is a small testbench for adding nftables rules to kernel
+# in XML format.
+
+BINARY="../examples/nft-rule-xml-add"
+NFT="$( which nft )"
+MKTEMP="$( which mktemp )"
+TMPFILE="$( $MKTEMP )"
+
+if [ ! -x "$BINARY" ] ; then
+ echo "E: Binary not found $BINARY"
+ exit 1
+fi
+
+if [ ! -x "$MKTEMP" ] ; then
+ echo "E: mktemp not found. Is mandatory."
+ exit 1
+fi
+
+if [ ! -w "$TMPFILE" ] ; then
+ echo "E: Unable to create tempfile with mktemp"
+ exit 1
+fi
+
+[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT"
+
+XML="<rule family=\"2\" table=\"filter\" chain=\"INPUT\" handle=\"100\" version=\"0\">
+ <rule_flags>0</rule_flags>
+ <flags>127</flags>
+ <compat_flags>0</compat_flags>
+ <compat_proto>0</compat_proto>
+ <expr type=\"meta\">
+ <dreg>1</dreg>
+ <key>4</key>
+ </expr>
+ <expr type=\"cmp\">
+ <sreg>1</sreg>
+ <op>eq</op>
+ <cmpdata>
+ <data_reg type=\"value\">
+ <len>1</len>
+ <data0>0x04000000</data0>
+ </data_reg>
+ </cmpdata>
+ </expr>
+ <expr type=\"payload\">
+ <dreg>1</dreg>
+ <base>1</base>
+ <offset>12</offset>
+ <len>4</len>
+ </expr>
+ <expr type=\"cmp\">
+ <sreg>1</sreg>
+ <op>eq</op>
+ <cmpdata>
+ <data_reg type=\"value\">
+ <len>1</len>
+ <data0>0x96d60496</data0>
+ </data_reg>
+ </cmpdata>
+ </expr>
+ <expr type=\"payload\">
+ <dreg>1</dreg>
+ <base>1</base>
+ <offset>16</offset>
+ <len>4</len>
+ </expr>
+ <expr type=\"cmp\">
+ <sreg>1</sreg>
+ <op>eq</op>
+ <cmpdata>
+ <data_reg type=\"value\">
+ <len>1</len>
+ <data0>0x96d60329</data0>
+ </data_reg>
+ </cmpdata>
+ </expr>
+ <expr type=\"payload\">
+ <dreg>1</dreg>
+ <base>1</base>
+ <offset>9</offset>
+ <len>1</len>
+ </expr>
+ <expr type=\"cmp\">
+ <sreg>1</sreg>
+ <op>eq</op>
+ <cmpdata>
+ <data_reg type=\"value\">
+ <len>1</len>
+ <data0>0x06000000</data0>
+ </data_reg>
+ </cmpdata>
+ </expr>
+ <expr type=\"match\">
+ <name>state</name>
+ <rev>0</rev>
+ <info>
+ </info>
+ </expr>
+ <expr type=\"counter\">
+ <pkts>123123</pkts>
+ <bytes>321321</bytes>
+ </expr>
+ <expr type=\"target\">
+ <name>LOG</name>
+ <rev>0</rev>
+ <info>
+ </info>
+ </expr>
+</rule>"
+
+$NFT add table filter 2>/dev/null >&2
+$NFT add chain filter INPUT 2>/dev/null >&2
+
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+ echo "E: Unable to add XML."
+ rm -rf $TMPFILE 2>/dev/null
+ exit 1
+fi
+
+rm -rf $TMPFILE 2>/dev/null
+echo "I: Test OK"
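Review bot: This script leaves the host ruleset changed: it creates `filter`/`INPUT` if missing, adds the rule to that chain on the running kernel, and exits with `I: Test OK` without removing anything, and since nothing is deleted before the add either, repeated runs may accumulate copies of the rule. `filter` and `INPUT` are names a real ruleset is likely to use, so a dedicated table and chain (as nft-table-xml-add.sh does with `filter_test`), deleted again at the end, would keep the test away from production rules. A header comment such as `# Requires root and modifies the live nftables ruleset; run on a scratch host.` would tell the reader what to expect.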
diff --git a/test/nft-table-xml-add.sh b/test/nft-table-xml-add.sh
new file mode 100755
index 0000000..2c55edc
--- /dev/null
+++ b/test/nft-table-xml-add.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+
+# This is a small testbench for adding nftables tables to kernel
+# in XML format.
+
+BINARY="../examples/nft-table-xml-add"
+NFT="$( which nft )"
+MKTEMP="$( which mktemp)"
+TMPFILE="$( $MKTEMP )"
+
+if [ ! -x "$BINARY" ] ; then
+ echo "E: Binary not found $BINARY"
+ exit 1
+fi
+
+if [ ! -x "$MKTEMP" ] ; then
+ echo "E: mktemp not found and is neccesary"
+ exit 1
+fi
+
+if [ ! -w "$TMPFILE" ] ; then
+ echo "E: Unable to create temp file via mktemp"
+ exit 1
+fi
+
+
+if [ ! -x "$NFT" ] ; then
+ echo "W: nftables main binary not found but continuing anyway $NFT"
+fi
+
+# This is valid
+XML="<table name=\"filter_test\" version=\"0\">
+ <properties>
+ <family>2</family>
+ <table_flags>0</table_flags>
+ </properties>
+</table>"
+
+$NFT delete table filter_test 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+ echo "E: Unable to add XML:"
+ echo "$XML"
+ rm -rf $TMPFILE 2>/dev/null
+ exit 1
+fi
+
+# This is valid
+XML="<table name=\"filter6_test\" version=\"0\">
+ <properties>
+ <family>10</family>
+ <table_flags>0</table_flags>
+ </properties>
+</table>"
+
+$NFT delete table filter6_test 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+ echo "E: Unable to add XML:"
+ echo "$XML"
+ rm -rf $TMPFILE 2>/dev/null
+ exit 1
+fi
+
+rm -rf $TMPFILE 2>/dev/null
+echo "I: Test OK"
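Review bot: The pre-delete for the second case, `$NFT delete table filter6_test`, names no family, so nft will look in its default `ip` family while the XML declares `<family>10</family>` (AF_INET6); a `filter6_test` table left by an earlier run is therefore never removed and the case does not start from a clean state. `$NFT delete table ip6 filter6_test 2>/dev/null >&2` would match the XML. Neither table is deleted after `I: Test OK` either, so a final cleanup of both would leave the host ruleset as it was found.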