diff options
217 files changed, 2193 insertions, 1474 deletions
@@ -15,7 +15,7 @@ configure autom4te.cache stamp-h1 aclocal.m4 -libnftables.pc +libnftnl.pc libtool build-aux doxygen.cfg @@ -2,7 +2,7 @@ Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 675 Mass Ave, Cambridge, MA 02139, USA + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. @@ -278,8 +278,9 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS - - Appendix: How to Apply These Terms to Your New Programs + + + How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it @@ -305,7 +306,8 @@ the "copyright" line and a pointer to where the full notice is found. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Also add information on how to contact you by electronic and paper mail. diff --git a/Makefile.am b/Makefile.am index 83f176d..4163829 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,4 +6,4 @@ SUBDIRS = src include examples tests DIST_SUBDIRS = src include examples tests pkgconfigdir = $(libdir)/pkgconfig -pkgconfig_DATA = libnftables.pc +pkgconfig_DATA = libnftnl.pc diff --git a/configure.ac b/configure.ac index b023755..f95b268 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,6 @@ dnl Process this file with autoconf to create configure. -AC_INIT([libnftables], [1.0.0]) +AC_INIT([libnftnl], [1.0.0]) AC_CONFIG_AUX_DIR([build-aux]) AC_CANONICAL_HOST AC_CONFIG_MACRO_DIR([m4]) @@ -16,18 +16,18 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) dnl Dependencies PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.0]) AC_ARG_WITH([xml-parsing], - AS_HELP_STRING([--with-xml-parsing], [XML parsing support]), - [with_xml_parsing="yes"], [with_xml_parsing="no"]) + AS_HELP_STRING([--with-xml-parsing], [XML parsing support])) AC_ARG_WITH([json-parsing], - AS_HELP_STRING([--with-json-parsing], [JSON parsing support]), - [with_json_parsing="yes"], [with_json_parsing="no"]) - -AS_IF([test "x$with_xml_parsing" = "xyes"], [ - PKG_CHECK_MODULES([LIBXML], [mxml >= 2.6]) -]) -AS_IF([test "x$with_json_parsing" = "xyes"], [ - PKG_CHECK_MODULES([LIBJSON], [jansson >= 2.3]) -]) + AS_HELP_STRING([--with-json-parsing], [JSON parsing support])) + +AS_IF([test "x$with_xml_parsing" = "xyes"], + [PKG_CHECK_MODULES([LIBXML], [mxml >= 2.6])], + [with_xml_parsing="no"] +) +AS_IF([test "x$with_json_parsing" = "xyes"], + [PKG_CHECK_MODULES([LIBJSON], [jansson >= 2.3])], + [with_json_parsing="no"] +) AC_PROG_CC AM_PROG_CC_C_O AC_EXEEXT @@ -52,10 +52,10 @@ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ -Wformat=2 -pipe" AC_SUBST([regular_CPPFLAGS]) AC_SUBST([regular_CFLAGS]) -AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/libnftables/Makefile include/linux/Makefile include/linux/netfilter/Makefile examples/Makefile tests/Makefile libnftables.pc doxygen.cfg]) +AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/libnftnl/Makefile include/linux/Makefile include/linux/netfilter/Makefile examples/Makefile tests/Makefile libnftnl.pc doxygen.cfg]) AC_OUTPUT echo " -libnftables configuration: +libnftnl configuration: XML support: ${with_xml_parsing} JSON support: ${with_json_parsing}" diff --git a/doxygen.cfg.in b/doxygen.cfg.in index 9582600..85e8d36 100644 --- a/doxygen.cfg.in +++ b/doxygen.cfg.in @@ -67,7 +67,7 @@ WARN_FORMAT = "$file:$line: $text" WARN_LOGFILE = INPUT = . INPUT_ENCODING = UTF-8 -FILE_PATTERNS = *.c libnftables.h +FILE_PATTERNS = *.c libnftnl.h RECURSIVE = YES EXCLUDE = EXCLUDE_SYMLINKS = NO diff --git a/examples/Makefile.am b/examples/Makefile.am index b909684..b433b2d 100644 --- a/examples/Makefile.am +++ b/examples/Makefile.am @@ -29,82 +29,82 @@ check_PROGRAMS = nft-table-add \ nft-compat-get nft_table_add_SOURCES = nft-table-add.c -nft_table_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_table_xml_add_SOURCES = nft-table-xml-add.c -nft_table_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_xml_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_table_json_add_SOURCES = nft-table-json-add.c -nft_table_json_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_json_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_table_upd_SOURCES = nft-table-upd.c -nft_table_upd_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_upd_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_table_del_SOURCES = nft-table-del.c -nft_table_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_table_get_SOURCES = nft-table-get.c -nft_table_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_chain_add_SOURCES = nft-chain-add.c -nft_chain_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_chain_xml_add_SOURCES = nft-chain-xml-add.c -nft_chain_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_xml_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_chain_json_add_SOURCES = nft-chain-json-add.c -nft_chain_json_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS} +nft_chain_json_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS} nft_chain_del_SOURCES = nft-chain-del.c -nft_chain_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_chain_get_SOURCES = nft-chain-get.c -nft_chain_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_rule_add_SOURCES = nft-rule-add.c -nft_rule_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_rule_insert_SOURCES = nft-rule-insert.c -nft_rule_insert_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} +nft_rule_insert_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_rule_xml_add_SOURCES = nft-rule-xml-add.c -nft_rule_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_xml_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_rule_json_add_SOURCES = nft-rule-json-add.c -nft_rule_json_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_json_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_rule_del_SOURCES = nft-rule-del.c -nft_rule_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_rule_get_SOURCES = nft-rule-get.c -nft_rule_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_events_SOURCES = nft-events.c -nft_events_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_events_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_add_SOURCES = nft-set-add.c -nft_set_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_json_add_SOURCES = nft-set-json-add.c -nft_set_json_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_json_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_del_SOURCES = nft-set-del.c -nft_set_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_get_SOURCES = nft-set-get.c -nft_set_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_elem_add_SOURCES = nft-set-elem-add.c -nft_set_elem_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_elem_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_elem_del_SOURCES = nft-set-elem-del.c -nft_set_elem_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_elem_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_elem_get_SOURCES = nft-set-elem-get.c -nft_set_elem_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_elem_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_ruleset_get_SOURCES = nft-ruleset-get.c -nft_ruleset_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_ruleset_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_compat_get_SOURCES = nft-compat-get.c -nft_compat_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_compat_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} diff --git a/examples/nft-chain-add.c b/examples/nft-chain-add.c index 22f9f3b..3edff86 100644 --- a/examples/nft-chain-add.c +++ b/examples/nft-chain-add.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/chain.h> +#include <libnftnl/chain.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-chain-del.c b/examples/nft-chain-del.c index 95a1a7f..c87ab92 100644 --- a/examples/nft-chain-del.c +++ b/examples/nft-chain-del.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/chain.h> +#include <libnftnl/chain.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-chain-get.c b/examples/nft-chain-get.c index 7e162f6..76fa5d9 100644 --- a/examples/nft-chain-get.c +++ b/examples/nft-chain-get.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/chain.h> +#include <libnftnl/chain.h> static int table_cb(const struct nlmsghdr *nlh, void *data) { diff --git a/examples/nft-chain-json-add.c b/examples/nft-chain-json-add.c index 50cb29f..4fd0551 100644 --- a/examples/nft-chain-json-add.c +++ b/examples/nft-chain-json-add.c @@ -25,8 +25,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/chain.h> -#include <libnftables/rule.h> +#include <libnftnl/chain.h> +#include <libnftnl/rule.h> int main(int argc, char *argv[]) { @@ -39,6 +39,7 @@ int main(int argc, char *argv[]) uint16_t family; char json[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <json-file>\n", argv[0]); @@ -63,10 +64,16 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + close(fd); - if (nft_chain_parse(c, NFT_PARSE_JSON, json) < 0) { - printf("E: Unable to parse JSON file: %s\n", strerror(errno)); + if (nft_chain_parse(c, NFT_PARSE_JSON, json, err) < 0) { + nft_parse_perror("Unable to parse JSON file", err); exit(EXIT_FAILURE); } @@ -82,6 +89,7 @@ int main(int argc, char *argv[]) nft_chain_nlmsg_build_payload(nlh, c); nft_chain_free(c); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/examples/nft-chain-xml-add.c b/examples/nft-chain-xml-add.c index 03a2950..5d26af6 100644 --- a/examples/nft-chain-xml-add.c +++ b/examples/nft-chain-xml-add.c @@ -23,8 +23,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/chain.h> -#include <libnftables/rule.h> +#include <libnftnl/chain.h> +#include <libnftnl/rule.h> int main(int argc, char *argv[]) { @@ -37,6 +37,7 @@ int main(int argc, char *argv[]) uint16_t family; char xml[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <xml-file>\n", argv[0]); @@ -49,6 +50,12 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + fd = open(argv[1], O_RDONLY); if (fd < 0) { perror("open"); @@ -63,8 +70,8 @@ int main(int argc, char *argv[]) close(fd); - if (nft_chain_parse(c, NFT_PARSE_XML, xml) < 0) { - printf("E: Unable to parse XML file: %s\n", strerror(errno)); + if (nft_chain_parse(c, NFT_PARSE_XML, xml, err) < 0) { + nft_parse_perror("Unable to parse XML file", err); exit(EXIT_FAILURE); } @@ -80,6 +87,7 @@ int main(int argc, char *argv[]) nft_chain_nlmsg_build_payload(nlh, c); nft_chain_free(c); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/examples/nft-events.c b/examples/nft-events.c index 29cb659..150346a 100644 --- a/examples/nft-events.c +++ b/examples/nft-events.c @@ -18,9 +18,9 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> -#include <libnftables/chain.h> -#include <libnftables/rule.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/rule.h> static int table_cb(const struct nlmsghdr *nlh, int type) { diff --git a/examples/nft-rule-add.c b/examples/nft-rule-add.c index f896bc0..dbe93f5 100644 --- a/examples/nft-rule-add.c +++ b/examples/nft-rule-add.c @@ -14,126 +14,178 @@ #include <string.h> #include <stddef.h> /* for offsetof */ #include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> #include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> #include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> - -#include <linux/netfilter_ipv4/ipt_LOG.h> -#include <linux/netfilter/xt_iprange.h> - -#include <netinet/ip.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> -static void add_target_log(struct nft_rule_expr *e) +static void add_payload(struct nft_rule *r, uint32_t base, uint32_t dreg, + uint32_t offset, uint32_t len) { - struct ipt_log_info *info; + struct nft_rule_expr *e; - nft_rule_expr_set(e, NFT_EXPR_TG_NAME, "LOG", strlen("LOG")); - nft_rule_expr_set_u32(e, NFT_EXPR_TG_REV, 0); - - info = calloc(1, sizeof(struct ipt_log_info)); - if (info == NULL) - return; + e = nft_rule_expr_alloc("payload"); + if (e == NULL) { + perror("expr payload oom"); + exit(EXIT_FAILURE); + } - sprintf(info->prefix, "test: "); - info->prefix[sizeof(info->prefix)-1] = '\0'; - info->logflags = 0x0f; - info->level = 5; + nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_BASE, base); + nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_DREG, dreg); + nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_OFFSET, offset); + nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_LEN, len); - nft_rule_expr_set(e, NFT_EXPR_TG_INFO, info, sizeof(*info)); + nft_rule_add_expr(r, e); } -static void add_expr_target(struct nft_rule *r) +static void add_cmp(struct nft_rule *r, uint32_t sreg, uint32_t op, + const void *data, uint32_t data_len) { - struct nft_rule_expr *expr; + struct nft_rule_expr *e; - expr = nft_rule_expr_alloc("target"); - if (expr == NULL) - return; + e = nft_rule_expr_alloc("cmp"); + if (e == NULL) { + perror("expr cmp oom"); + exit(EXIT_FAILURE); + } - add_target_log(expr); + nft_rule_expr_set_u32(e, NFT_EXPR_CMP_SREG, sreg); + nft_rule_expr_set_u32(e, NFT_EXPR_CMP_OP, op); + nft_rule_expr_set(e, NFT_EXPR_CMP_DATA, data, data_len); - nft_rule_add_expr(r, expr); + nft_rule_add_expr(r, e); } -static void add_match_iprange(struct nft_rule_expr *e) +static void add_counter(struct nft_rule *r) { - struct xt_iprange_mtinfo *info; - - nft_rule_expr_set(e, NFT_EXPR_MT_NAME, "iprange", strlen("iprange")); - nft_rule_expr_set_u32(e, NFT_EXPR_MT_REV, 1); + struct nft_rule_expr *e; - info = calloc(1, sizeof(struct xt_iprange_mtinfo)); - if (info == NULL) - return; - - info->src_min.ip = info->dst_min.ip = inet_addr("127.0.0.1"); - info->src_max.ip = info->dst_max.ip = inet_addr("127.0.0.1"); - info->flags = IPRANGE_SRC; + e = nft_rule_expr_alloc("counter"); + if (e == NULL) { + perror("expr counter oom"); + exit(EXIT_FAILURE); + } - nft_rule_expr_set(e, NFT_EXPR_MT_INFO, info, sizeof(*info)); + nft_rule_add_expr(r, e); } -static void add_expr_match(struct nft_rule *r) +static struct nft_rule *setup_rule(uint8_t family, const char *table, + const char *chain) { - struct nft_rule_expr *expr; + struct nft_rule *r = NULL; + uint8_t proto; + uint16_t dport; - expr = nft_rule_expr_alloc("match"); - if (expr == NULL) - return; + r = nft_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } - add_match_iprange(expr); + nft_rule_attr_set(r, NFT_RULE_ATTR_TABLE, table); + nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, chain); + nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FAMILY, family); - nft_rule_add_expr(r, expr); -} + proto = IPPROTO_TCP; + add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1, + offsetof(struct iphdr, protocol), sizeof(uint8_t)); + add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &proto, sizeof(uint8_t)); -#define field_sizeof(t, f) (sizeof(((t *)NULL)->f)) + dport = htons(22); + add_payload(r, NFT_PAYLOAD_TRANSPORT_HEADER, NFT_REG_1, + offsetof(struct tcphdr, dest), sizeof(uint16_t)); + add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &dport, sizeof(uint16_t)); -static void add_payload2(struct nft_rule_expr *e) -{ - nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_BASE, - NFT_PAYLOAD_NETWORK_HEADER); - nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_DREG, NFT_REG_1); - nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_OFFSET, - offsetof(struct iphdr, protocol)); - nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_LEN, 1); + add_counter(r); + + return r; } -static void add_payload(struct nft_rule *r) +static int seq; + +static void nft_mnl_batch_put(struct mnl_nlmsg_batch *batch, int type) { - struct nft_rule_expr *expr; + struct nlmsghdr *nlh; + struct nfgenmsg *nfg; - expr = nft_rule_expr_alloc("payload"); - if (expr == NULL) - return; + nlh = mnl_nlmsg_put_header(mnl_nlmsg_batch_current(batch)); + nlh->nlmsg_type = type; + nlh->nlmsg_flags = NLM_F_REQUEST; + nlh->nlmsg_seq = seq++; - add_payload2(expr); + nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg)); + nfg->nfgen_family = AF_INET; + nfg->version = NFNETLINK_V0; + nfg->res_id = NFNL_SUBSYS_NFTABLES; - nft_rule_add_expr(r, expr); + mnl_nlmsg_batch_next(batch); +} + +static int nft_mnl_batch_talk(struct mnl_socket *nl, struct mnl_nlmsg_batch *b) +{ + int ret, fd = mnl_socket_get_fd(nl); + char rcv_buf[MNL_SOCKET_BUFFER_SIZE]; + fd_set readfds; + struct timeval tv = { + .tv_sec = 0, + .tv_usec = 0 + }; + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(b), + mnl_nlmsg_batch_size(b)); + if (ret == -1) + goto err; + + FD_ZERO(&readfds); + FD_SET(fd, &readfds); + + /* receive and digest all the acknowledgments from the kernel. */ + ret = select(fd+1, &readfds, NULL, NULL, &tv); + if (ret == -1) + goto err; + + while (ret > 0 && FD_ISSET(fd, &readfds)) { + ret = mnl_socket_recvfrom(nl, rcv_buf, sizeof(rcv_buf)); + if (ret == -1) + goto err; + + ret = mnl_cb_run(rcv_buf, ret, 0, mnl_socket_get_portid(nl), + NULL, NULL); + if (ret < 0) + goto err; + + ret = select(fd+1, &readfds, NULL, NULL, &tv); + if (ret == -1) + goto err; + + FD_ZERO(&readfds); + FD_SET(fd, &readfds); + } +err: + return ret; } int main(int argc, char *argv[]) { struct mnl_socket *nl; - char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nft_rule *r; struct nlmsghdr *nlh; - uint32_t portid, seq; - struct nft_rule *r = NULL; - int ret, family; + struct mnl_nlmsg_batch *batch; + uint8_t family; + char buf[4096]; if (argc != 4) { - fprintf(stderr, "Usage: %s <family> <table> <chain>\n", - argv[0]); - exit(EXIT_FAILURE); - } - - r = nft_rule_alloc(); - if (r == NULL) { - perror("OOM"); + fprintf(stderr, "Usage: %s <family> <table> <chain>\n", argv[0]); exit(EXIT_FAILURE); } @@ -141,32 +193,12 @@ int main(int argc, char *argv[]) family = NFPROTO_IPV4; else if (strcmp(argv[1], "ip6") == 0) family = NFPROTO_IPV6; - else if (strcmp(argv[1], "bridge") == 0) - family = NFPROTO_BRIDGE; - else if (strcmp(argv[1], "arp") == 0) - family = NFPROTO_ARP; else { - fprintf(stderr, "Unknown family: ip, ip6, bridge, arp\n"); + fprintf(stderr, "Unknown family: ip, ip6\n"); exit(EXIT_FAILURE); } - nft_rule_attr_set(r, NFT_RULE_ATTR_TABLE, argv[2]); - nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, argv[3]); - - add_expr_match(r); - add_payload(r); - add_expr_target(r); - - char tmp[1024]; - nft_rule_snprintf(tmp, sizeof(tmp), r, 0, 0); - printf("%s\n", tmp); - - seq = time(NULL); - nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, family, - NLM_F_APPEND|NLM_F_ACK|NLM_F_CREATE, - seq); - nft_rule_nlmsg_build_payload(nlh, r); - nft_rule_free(r); + r = setup_rule(family, argv[2], argv[3]); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { @@ -178,24 +210,29 @@ int main(int argc, char *argv[]) perror("mnl_socket_bind"); exit(EXIT_FAILURE); } - portid = mnl_socket_get_portid(nl); - if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { - perror("mnl_socket_send"); - exit(EXIT_FAILURE); - } + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); - ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); - while (ret > 0) { - ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL); - if (ret <= 0) - break; - ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); - } - if (ret == -1) { - perror("error"); + nft_mnl_batch_put(batch, NFNL_MSG_BATCH_BEGIN); + + nlh = nft_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWRULE, + nft_rule_attr_get_u32(r, NFT_RULE_ATTR_FAMILY), + NLM_F_APPEND|NLM_F_CREATE, seq); + + nft_rule_nlmsg_build_payload(nlh, r); + nft_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nft_mnl_batch_put(batch, NFNL_MSG_BATCH_END); + + if (nft_mnl_batch_talk(nl, batch) < 0) { + perror("Netlink problem"); exit(EXIT_FAILURE); } + + mnl_nlmsg_batch_stop(batch); + mnl_socket_close(nl); return EXIT_SUCCESS; diff --git a/examples/nft-rule-del.c b/examples/nft-rule-del.c index c2b1a70..6f665b0 100644 --- a/examples/nft-rule-del.c +++ b/examples/nft-rule-del.c @@ -19,7 +19,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> +#include <libnftnl/rule.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-rule-get.c b/examples/nft-rule-get.c index f17630b..5803143 100644 --- a/examples/nft-rule-get.c +++ b/examples/nft-rule-get.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> +#include <libnftnl/rule.h> static int table_cb(const struct nlmsghdr *nlh, void *data) { diff --git a/examples/nft-rule-insert.c b/examples/nft-rule-insert.c index 1418127..1b377de 100644 --- a/examples/nft-rule-insert.c +++ b/examples/nft-rule-insert.c @@ -20,8 +20,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> #include <linux/netfilter_ipv4/ipt_LOG.h> #include <linux/netfilter/xt_iprange.h> diff --git a/examples/nft-rule-json-add.c b/examples/nft-rule-json-add.c index 8659081..b33025b 100644 --- a/examples/nft-rule-json-add.c +++ b/examples/nft-rule-json-add.c @@ -25,7 +25,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> +#include <libnftnl/rule.h> int main(int argc, char *argv[]) { @@ -38,6 +38,7 @@ int main(int argc, char *argv[]) uint8_t family; char json[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <json-file>\n", argv[0]); @@ -63,8 +64,14 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } - if (nft_rule_parse(r, NFT_PARSE_JSON, json) < 0) { - printf("E: Unable to parse JSON file: %s\n", strerror(errno)); + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + + if (nft_rule_parse(r, NFT_PARSE_JSON, json, err) < 0) { + nft_parse_perror("Unable to parse JSON file", err); exit(EXIT_FAILURE); } @@ -80,6 +87,7 @@ int main(int argc, char *argv[]) seq); nft_rule_nlmsg_build_payload(nlh, r); nft_rule_free(r); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/examples/nft-rule-xml-add.c b/examples/nft-rule-xml-add.c index ce33fe7..dd16922 100644 --- a/examples/nft-rule-xml-add.c +++ b/examples/nft-rule-xml-add.c @@ -25,7 +25,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> +#include <libnftnl/rule.h> int main(int argc, char *argv[]) { @@ -38,6 +38,7 @@ int main(int argc, char *argv[]) uint8_t family; char xml[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <xml-file>\n", argv[0]); @@ -63,8 +64,14 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } - if (nft_rule_parse(r, NFT_PARSE_XML, xml) < 0) { - printf("E: Unable to parse XML file: %s\n", strerror(errno)); + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + + if (nft_rule_parse(r, NFT_PARSE_XML, xml, err) < 0) { + nft_parse_perror("Unable to parse XML file", err); exit(EXIT_FAILURE); } @@ -80,6 +87,7 @@ int main(int argc, char *argv[]) seq); nft_rule_nlmsg_build_payload(nlh, r); nft_rule_free(r); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/examples/nft-ruleset-get.c b/examples/nft-ruleset-get.c index 25c6d7c..18de2a9 100644 --- a/examples/nft-ruleset-get.c +++ b/examples/nft-ruleset-get.c @@ -21,12 +21,12 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/common.h> -#include <libnftables/ruleset.h> -#include <libnftables/table.h> -#include <libnftables/chain.h> -#include <libnftables/set.h> -#include <libnftables/rule.h> +#include <libnftnl/common.h> +#include <libnftnl/ruleset.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/set.h> +#include <libnftnl/rule.h> static int seq; diff --git a/examples/nft-set-add.c b/examples/nft-set-add.c index 0d17c38..4e54c39 100644 --- a/examples/nft-set-add.c +++ b/examples/nft-set-add.c @@ -18,8 +18,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> -#include <libnftables/set.h> +#include <libnftnl/table.h> +#include <libnftnl/set.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-set-del.c b/examples/nft-set-del.c index 7828ae0..5abd3b1 100644 --- a/examples/nft-set-del.c +++ b/examples/nft-set-del.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-set-elem-add.c b/examples/nft-set-elem-add.c index e2e278d..ffc025c 100644 --- a/examples/nft-set-elem-add.c +++ b/examples/nft-set-elem-add.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-set-elem-del.c b/examples/nft-set-elem-del.c index 36f1016..af70cde 100644 --- a/examples/nft-set-elem-del.c +++ b/examples/nft-set-elem-del.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-set-elem-get.c b/examples/nft-set-elem-get.c index 0b46f36..6908c2a 100644 --- a/examples/nft-set-elem-get.c +++ b/examples/nft-set-elem-get.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> static int set_cb(const struct nlmsghdr *nlh, void *data) { diff --git a/examples/nft-set-get.c b/examples/nft-set-get.c index b774199..2822025 100644 --- a/examples/nft-set-get.c +++ b/examples/nft-set-get.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> static int set_cb(const struct nlmsghdr *nlh, void *data) { diff --git a/examples/nft-set-json-add.c b/examples/nft-set-json-add.c index 9a4aa48..a4535da 100644 --- a/examples/nft-set-json-add.c +++ b/examples/nft-set-json-add.c @@ -25,7 +25,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> int main(int argc, char *argv[]) { @@ -38,6 +38,7 @@ int main(int argc, char *argv[]) uint16_t family; char json[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <json-file>\n", argv[0]); @@ -62,10 +63,16 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + close(fd); - if (nft_set_parse(s, NFT_PARSE_JSON, json) < 0) { - printf("E: Unable to parse JSON file: %s\n", strerror(errno)); + if (nft_set_parse(s, NFT_PARSE_JSON, json, err) < 0) { + nft_parse_perror("Unable to parse JSON file", err); exit(EXIT_FAILURE); } @@ -80,6 +87,7 @@ int main(int argc, char *argv[]) NLM_F_CREATE|NLM_F_ACK, seq); nft_set_nlmsg_build_payload(nlh, s); nft_set_free(s); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/examples/nft-table-add.c b/examples/nft-table-add.c index e4d7db9..3b7572f 100644 --- a/examples/nft-table-add.c +++ b/examples/nft-table-add.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-table-del.c b/examples/nft-table-del.c index 11762fe..ed1140d 100644 --- a/examples/nft-table-del.c +++ b/examples/nft-table-del.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-table-get.c b/examples/nft-table-get.c index c5bc89d..6ac56d6 100644 --- a/examples/nft-table-get.c +++ b/examples/nft-table-get.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> static int table_cb(const struct nlmsghdr *nlh, void *data) { diff --git a/examples/nft-table-json-add.c b/examples/nft-table-json-add.c index 6b16c7f..a9bd217 100644 --- a/examples/nft-table-json-add.c +++ b/examples/nft-table-json-add.c @@ -26,7 +26,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> int main(int argc, char *argv[]) { @@ -39,6 +39,7 @@ int main(int argc, char *argv[]) uint16_t family; char json[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <json-file>\n", argv[0]); @@ -64,8 +65,14 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } - if (nft_table_parse(t, NFT_PARSE_JSON, json) < 0) { - printf("E: Unable to parse JSON file: %s\n", strerror(errno)); + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + + if (nft_table_parse(t, NFT_PARSE_JSON, json, err) < 0) { + nft_parse_perror("Unable to parse JSON file", err); exit(EXIT_FAILURE); } @@ -80,6 +87,7 @@ int main(int argc, char *argv[]) NLM_F_CREATE|NLM_F_ACK, seq); nft_table_nlmsg_build_payload(nlh, t); nft_table_free(t); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/examples/nft-table-upd.c b/examples/nft-table-upd.c index 1cf41a4..9f0e809 100644 --- a/examples/nft-table-upd.c +++ b/examples/nft-table-upd.c @@ -18,7 +18,7 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> int main(int argc, char *argv[]) { diff --git a/examples/nft-table-xml-add.c b/examples/nft-table-xml-add.c index 6a9163b..f36f0ab 100644 --- a/examples/nft-table-xml-add.c +++ b/examples/nft-table-xml-add.c @@ -22,7 +22,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> +#include <libnftnl/common.h> int main(int argc, char *argv[]) { @@ -35,6 +36,7 @@ int main(int argc, char *argv[]) uint16_t family; char xml[4096]; char reprint[4096]; + struct nft_parse_err *err; if (argc < 2) { printf("Usage: %s <xml-file>\n", argv[0]); @@ -60,8 +62,14 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } - if (nft_table_parse(t, NFT_PARSE_XML, xml) < 0) { - printf("E: Unable to parse XML file: %s\n", strerror(errno)); + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + + if (nft_table_parse(t, NFT_PARSE_XML, xml, err) < 0) { + nft_parse_perror("Unable to parse XML file", err); exit(EXIT_FAILURE); } @@ -76,6 +84,7 @@ int main(int argc, char *argv[]) NLM_F_CREATE|NLM_F_ACK, seq); nft_table_nlmsg_build_payload(nlh, t); nft_table_free(t); + nft_parse_err_free(err); nl = mnl_socket_open(NETLINK_NETFILTER); if (nl == NULL) { diff --git a/include/Makefile.am b/include/Makefile.am index 10332b7..5976bbd 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -1,3 +1,3 @@ -SUBDIRS = libnftables linux +SUBDIRS = libnftnl linux noinst_HEADERS = linux_list.h diff --git a/include/libnftables/common.h b/include/libnftables/common.h deleted file mode 100644 index 9cd92b2..0000000 --- a/include/libnftables/common.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _LIBNFTABLES_COMMON_H_ -#define _LIBNFTABLES_COMMON_H_ - -enum nft_output_type { - NFT_OUTPUT_DEFAULT = 0, - NFT_OUTPUT_XML, - NFT_OUTPUT_JSON, -}; - -enum nft_parse_type { - NFT_PARSE_NONE = 0, - NFT_PARSE_XML, - NFT_PARSE_JSON, - NFT_PARSE_MAX, -}; - -struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, - uint16_t type, uint32_t seq); - -#endif diff --git a/include/libnftables/Makefile.am b/include/libnftnl/Makefile.am index a0841d2..a0841d2 100644 --- a/include/libnftables/Makefile.am +++ b/include/libnftnl/Makefile.am diff --git a/include/libnftables/chain.h b/include/libnftnl/chain.h index 8b4eab9..66626d8 100644 --- a/include/libnftables/chain.h +++ b/include/libnftnl/chain.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_CHAIN_H_ -#define _LIBNFTABLES_CHAIN_H_ +#ifndef _LIBNFTNL_CHAIN_H_ +#define _LIBNFTNL_CHAIN_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -51,7 +51,10 @@ struct nlmsghdr; void nft_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_chain *t); -int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, const char *data); +int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_chain_parse_file(struct nft_chain *c, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_chain_snprintf(char *buf, size_t size, struct nft_chain *t, uint32_t type, uint32_t flags); int nft_chain_fprintf(FILE *fp, struct nft_chain *c, uint32_t type, uint32_t flags); @@ -79,4 +82,4 @@ void nft_chain_list_iter_destroy(struct nft_chain_list_iter *iter); } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_CHAIN_H_ */ +#endif /* _LIBNFTNL_CHAIN_H_ */ diff --git a/include/libnftnl/common.h b/include/libnftnl/common.h new file mode 100644 index 0000000..f0c20f0 --- /dev/null +++ b/include/libnftnl/common.h @@ -0,0 +1,33 @@ +#ifndef _LIBNFTNL_COMMON_H_ +#define _LIBNFTNL_COMMON_H_ + +#include <stdint.h> + +enum { + NFT_PARSE_EBADINPUT = 0, + NFT_PARSE_EMISSINGNODE, + NFT_PARSE_EBADTYPE, +}; + +enum nft_output_type { + NFT_OUTPUT_DEFAULT = 0, + NFT_OUTPUT_XML, + NFT_OUTPUT_JSON, +}; + +enum nft_parse_type { + NFT_PARSE_NONE = 0, + NFT_PARSE_XML, + NFT_PARSE_JSON, + NFT_PARSE_MAX, +}; + +struct nft_parse_err; + +struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, + uint16_t type, uint32_t seq); + +struct nft_parse_err *nft_parse_err_alloc(void); +void nft_parse_err_free(struct nft_parse_err *); +int nft_parse_perror(const char *str, struct nft_parse_err *err); +#endif diff --git a/include/libnftables/expr.h b/include/libnftnl/expr.h index 653bbb0..6ec05a6 100644 --- a/include/libnftables/expr.h +++ b/include/libnftnl/expr.h @@ -1,5 +1,5 @@ -#ifndef _LIBNFTABLES_RULE_EXPR_H_ -#define _LIBNFTABLES_RULE_EXPR_H_ +#ifndef _LIBNFTNL_RULE_EXPR_H_ +#define _LIBNFTNL_RULE_EXPR_H_ #include <stdint.h> #include <stdbool.h> @@ -154,4 +154,4 @@ enum { } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_RULE_EXPR_H_ */ +#endif /* _LIBNFTNL_RULE_EXPR_H_ */ diff --git a/include/libnftables/rule.h b/include/libnftnl/rule.h index 86dbc17..4033d3c 100644 --- a/include/libnftables/rule.h +++ b/include/libnftnl/rule.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_RULE_H_ -#define _LIBNFTABLES_RULE_H_ +#ifndef _LIBNFTNL_RULE_H_ +#define _LIBNFTNL_RULE_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -47,7 +47,10 @@ struct nlmsghdr; void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t); -int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, const char *data); +int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_rule_parse_file(struct nft_rule *r, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *t, uint32_t type, uint32_t flags); int nft_rule_fprintf(FILE *fp, struct nft_rule *r, uint32_t type, uint32_t flags); @@ -85,4 +88,4 @@ void nft_rule_list_iter_destroy(struct nft_rule_list_iter *iter); } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_RULE_H_ */ +#endif /* _LIBNFTNL_RULE_H_ */ diff --git a/include/libnftables/ruleset.h b/include/libnftnl/ruleset.h index 1ec3059..6f89110 100644 --- a/include/libnftables/ruleset.h +++ b/include/libnftnl/ruleset.h @@ -1,5 +1,5 @@ -#ifndef _LIBNFTABLES_RULESET_H_ -#define _LIBNFTABLES_RULESET_H_ +#ifndef _LIBNFTNL_RULESET_H_ +#define _LIBNFTNL_RULESET_H_ #include <stdio.h> @@ -7,7 +7,7 @@ #include <stdint.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -30,7 +30,10 @@ void nft_ruleset_attr_unset(struct nft_ruleset *r, uint16_t attr); void nft_ruleset_attr_set(struct nft_ruleset *r, uint16_t attr, void *data); const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr); -int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, const char *data); +int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_ruleset_parse_file(struct nft_ruleset *rs, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_ruleset_snprintf(char *buf, size_t size, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); @@ -38,4 +41,4 @@ int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, u } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_RULESET_H_ */ +#endif /* _LIBNFTNL_RULESET_H_ */ diff --git a/include/libnftables/set.h b/include/libnftnl/set.h index 13ac857..7fa9fb2 100644 --- a/include/libnftables/set.h +++ b/include/libnftnl/set.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_SET_H_ -#define _LIBNFTABLES_SET_H_ +#ifndef _LIBNFTNL_SET_H_ +#define _LIBNFTNL_SET_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> enum { NFT_SET_ATTR_TABLE, @@ -60,7 +60,10 @@ struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter); struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter); void nft_set_list_iter_destroy(struct nft_set_list_iter *iter); -int nft_set_parse(struct nft_set *s, enum nft_parse_type type, const char *data); +int nft_set_parse(struct nft_set *s, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_set_parse_file(struct nft_set *s, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); /* * Set elements @@ -98,7 +101,10 @@ void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s); -int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, const char *data); +int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_set_elem_parse_file(struct nft_set_elem *e, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags); int nft_set_elem_fprintf(FILE *fp, struct nft_set_elem *se, uint32_t type, uint32_t flags); @@ -110,4 +116,4 @@ struct nft_set_elem *nft_set_elems_iter_cur(struct nft_set_elems_iter *iter); struct nft_set_elem *nft_set_elems_iter_next(struct nft_set_elems_iter *iter); void nft_set_elems_iter_destroy(struct nft_set_elems_iter *iter); -#endif /* _LIBNFTABLES_SET_H_ */ +#endif /* _LIBNFTNL_SET_H_ */ diff --git a/include/libnftables/table.h b/include/libnftnl/table.h index 1d2be07..56e7e35 100644 --- a/include/libnftables/table.h +++ b/include/libnftnl/table.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_TABLE_H_ -#define _LIBNFTABLES_TABLE_H_ +#ifndef _LIBNFTNL_TABLE_H_ +#define _LIBNFTNL_TABLE_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -40,7 +40,10 @@ struct nlmsghdr; void nft_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_table *t); -int nft_table_parse(struct nft_table *t, enum nft_parse_type type, const char *data); +int nft_table_parse(struct nft_table *t, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_table_parse_file(struct nft_table *t, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_table_snprintf(char *buf, size_t size, struct nft_table *t, uint32_t type, uint32_t flags); int nft_table_fprintf(FILE *fp, struct nft_table *t, uint32_t type, uint32_t flags); @@ -68,4 +71,4 @@ void nft_table_list_iter_destroy(struct nft_table_list_iter *iter); } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_TABLE_H_ */ +#endif /* _LIBNFTNL_TABLE_H_ */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h new file mode 100644 index 0000000..d4c59f6 --- /dev/null +++ b/include/linux/kernel.h @@ -0,0 +1,29 @@ +#ifndef _LINUX_KERNEL_H +#define _LINUX_KERNEL_H + +/* + * 'kernel.h' contains some often-used function prototypes etc + */ +#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1) +#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask)) + + +#define SI_LOAD_SHIFT 16 +struct sysinfo { + long uptime; /* Seconds since boot */ + unsigned long loads[3]; /* 1, 5, and 15 minute load averages */ + unsigned long totalram; /* Total usable main memory size */ + unsigned long freeram; /* Available memory size */ + unsigned long sharedram; /* Amount of shared memory */ + unsigned long bufferram; /* Memory used by buffers */ + unsigned long totalswap; /* Total swap space size */ + unsigned long freeswap; /* swap space still available */ + unsigned short procs; /* Number of current processes */ + unsigned short pad; /* explicit padding for m68k */ + unsigned long totalhigh; /* Total high memory size */ + unsigned long freehigh; /* Available high memory size */ + unsigned int mem_unit; /* Memory unit size in bytes */ + char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */ +}; + +#endif diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 6a22a37..31ddd06 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -32,6 +32,25 @@ enum nft_verdicts { NFT_RETURN = -5, }; +/** + * enum nf_tables_msg_types - nf_tables netlink message types + * + * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes) + * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes) + * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes) + * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes) + * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes) + * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes) + * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes) + * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes) + * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes) + * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes) + * @NFT_MSG_GETSET: get a set (enum nft_set_attributes) + * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes) + * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes) + * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes) + * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes) + */ enum nf_tables_msg_types { NFT_MSG_NEWTABLE, NFT_MSG_GETTABLE, @@ -90,6 +109,7 @@ enum nft_table_flags { * enum nft_table_attributes - nf_tables table netlink attributes * * @NFTA_TABLE_NAME: name of the table (NLA_STRING) + * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) */ enum nft_table_attributes { NFTA_TABLE_UNSPEC, @@ -104,8 +124,13 @@ enum nft_table_attributes { * enum nft_chain_attributes - nf_tables chain netlink attributes * * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING) + * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64) * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING) * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes) + * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32) + * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32) + * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) + * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) */ enum nft_chain_attributes { NFTA_CHAIN_UNSPEC, @@ -126,8 +151,10 @@ enum nft_chain_attributes { * * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING) * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING) - * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U16) + * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64) * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) + * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) + * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) */ enum nft_rule_attributes { NFTA_RULE_UNSPEC, @@ -141,11 +168,22 @@ enum nft_rule_attributes { }; #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) +/** + * enum nft_rule_compat_flags - nf_tables rule compat flags + * + * @NFT_RULE_COMPAT_F_INV: invert the check result + */ enum nft_rule_compat_flags { NFT_RULE_COMPAT_F_INV = (1 << 1), NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV, }; +/** + * enum nft_rule_compat_attributes - nf_tables rule compat attributes + * + * @NFTA_RULE_COMPAT_PROTO: numerice value of handled protocol (NLA_U32) + * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32) + */ enum nft_rule_compat_attributes { NFTA_RULE_COMPAT_UNSPEC, NFTA_RULE_COMPAT_PROTO, @@ -343,11 +381,26 @@ enum nft_bitwise_attributes { }; #define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) +/** + * enum nft_byteorder_ops - nf_tables byteorder operators + * + * @NFT_BYTEORDER_NTOH: network to host operator + * @NFT_BYTEORDER_HTON: host to network opertaor + */ enum nft_byteorder_ops { NFT_BYTEORDER_NTOH, NFT_BYTEORDER_HTON, }; +/** + * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes + * + * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers) + * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops) + * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32) + * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4) + */ enum nft_byteorder_attributes { NFTA_BYTEORDER_UNSPEC, NFTA_BYTEORDER_SREG, @@ -359,6 +412,16 @@ enum nft_byteorder_attributes { }; #define NFTA_BYTEORDER_MAX (__NFTA_BYTEORDER_MAX - 1) +/** + * enum nft_cmp_ops - nf_tables relational operator + * + * @NFT_CMP_EQ: equal + * @NFT_CMP_NEQ: not equal + * @NFT_CMP_LT: less than + * @NFT_CMP_LTE: less than or equal to + * @NFT_CMP_GT: greater than + * @NFT_CMP_GTE: greater than or equal to + */ enum nft_cmp_ops { NFT_CMP_EQ, NFT_CMP_NEQ, @@ -384,6 +447,13 @@ enum nft_cmp_attributes { }; #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) +/** + * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes + * + * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING) + * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers) + * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers) + */ enum nft_lookup_attributes { NFTA_LOOKUP_UNSPEC, NFTA_LOOKUP_SET, @@ -424,6 +494,14 @@ enum nft_payload_attributes { }; #define NFTA_PAYLOAD_MAX (__NFTA_PAYLOAD_MAX - 1) +/** + * enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes + * + * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8) + * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32) + * @NFTA_EXTHDR_LEN: extension header length (NLA_U32) + */ enum nft_exthdr_attributes { NFTA_EXTHDR_UNSPEC, NFTA_EXTHDR_DREG, @@ -648,10 +726,11 @@ enum nft_nat_types { * enum nft_nat_attributes - nf_tables nat expression netlink attributes * * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types) - * @NFTA_NAT_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) - * @NFTA_NAT_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) - * @NFTA_NAT_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) - * @NFTA_NAT_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) + * @NFTA_NAT_FAMILY: NAT family (NLA_U32) + * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) + * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) + * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) + * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) */ enum nft_nat_attributes { NFTA_NAT_UNSPEC, diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 91eebab..336c10c 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -97,4 +97,9 @@ extern void nfnl_unlock(void); MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) #endif /* __KERNEL__ */ + +/* Reserved control nfnetlink messages */ +#define NFNL_MSG_BATCH_BEGIN NLMSG_MIN_TYPE +#define NFNL_MSG_BATCH_END NLMSG_MIN_TYPE+1 + #endif /* _NFNETLINK_H */ diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h new file mode 100644 index 0000000..4120970 --- /dev/null +++ b/include/linux/netfilter/x_tables.h @@ -0,0 +1,185 @@ +#ifndef _X_TABLES_H +#define _X_TABLES_H +#include <linux/kernel.h> +#include <linux/types.h> + +#define XT_FUNCTION_MAXNAMELEN 30 +#define XT_EXTENSION_MAXNAMELEN 29 +#define XT_TABLE_MAXNAMELEN 32 + +struct xt_entry_match { + union { + struct { + __u16 match_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 match_size; + + /* Used inside the kernel */ + struct xt_match *match; + } kernel; + + /* Total length */ + __u16 match_size; + } u; + + unsigned char data[0]; +}; + +struct xt_entry_target { + union { + struct { + __u16 target_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 target_size; + + /* Used inside the kernel */ + struct xt_target *target; + } kernel; + + /* Total length */ + __u16 target_size; + } u; + + unsigned char data[0]; +}; + +#define XT_TARGET_INIT(__name, __size) \ +{ \ + .target.u.user = { \ + .target_size = XT_ALIGN(__size), \ + .name = __name, \ + }, \ +} + +struct xt_standard_target { + struct xt_entry_target target; + int verdict; +}; + +struct xt_error_target { + struct xt_entry_target target; + char errorname[XT_FUNCTION_MAXNAMELEN]; +}; + +/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision + * kernel supports, if >= revision. */ +struct xt_get_revision { + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; +}; + +/* CONTINUE verdict for targets */ +#define XT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define XT_RETURN (-NF_REPEAT - 1) + +/* this is a dummy structure to find out the alignment requirement for a struct + * containing all the fundamental data types that are used in ipt_entry, + * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my + * personal pleasure to remove it -HW + */ +struct _xt_align { + __u8 u8; + __u16 u16; + __u32 u32; + __u64 u64; +}; + +#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) + +/* Standard return verdict, or do jump. */ +#define XT_STANDARD_TARGET "" +/* Error verdict. */ +#define XT_ERROR_TARGET "ERROR" + +#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) +#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) + +struct xt_counters { + __u64 pcnt, bcnt; /* Packet and byte counters */ +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct xt_counters_info { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct xt_counters counters[0]; +}; + +#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ + +/* fn returns 0 to continue iteration */ +#define XT_MATCH_ITERATE(type, e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct xt_entry_match *__m; \ + \ + for (__i = sizeof(type); \ + __i < (e)->target_offset; \ + __i += __m->u.match_size) { \ + __m = (void *)e + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + type *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) + + +/* pos is normally a struct ipt_entry/ip6t_entry/etc. */ +#define xt_entry_foreach(pos, ehead, esize) \ + for ((pos) = (typeof(pos))(ehead); \ + (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ + (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) + +/* can only be xt_entry_match, so no use of typeof here */ +#define xt_ematch_foreach(pos, entry) \ + for ((pos) = (struct xt_entry_match *)entry->elems; \ + (pos) < (struct xt_entry_match *)((char *)(entry) + \ + (entry)->target_offset); \ + (pos) = (struct xt_entry_match *)((char *)(pos) + \ + (pos)->u.match_size)) + + +#endif /* _X_TABLES_H */ diff --git a/libnftables.pc.in b/libnftnl.pc.in index 0c6d57e..fd5cc6a 100644 --- a/libnftables.pc.in +++ b/libnftnl.pc.in @@ -1,15 +1,15 @@ -# libnftables pkg-config file +# libnftnl pkg-config file prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ -Name: libnftables +Name: libnftnl Description: Netfilter nf_tables infrastructure library -URL: http://netfilter.org/projects/libnftables/ +URL: http://netfilter.org/projects/libnftnl/ Version: @VERSION@ Requires: Conflicts: -Libs: -L${libdir} -lnftables +Libs: -L${libdir} -lnftnl Cflags: -I${includedir} diff --git a/src/Makefile.am b/src/Makefile.am index 441e96e..450279f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,40 +1,40 @@ include $(top_srcdir)/Make_global.am -lib_LTLIBRARIES = libnftables.la +lib_LTLIBRARIES = libnftnl.la -libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS} -libnftables_la_LDFLAGS = -Wl,--version-script=$(srcdir)/libnftables.map \ - -version-info $(LIBVERSION) -libnftables_la_SOURCES = utils.c \ - common.c \ - table.c \ - chain.c \ - rule.c \ - set.c \ - set_elem.c \ - ruleset.c \ - mxml.c \ - jansson.c \ - expr.c \ - expr_ops.c \ - expr/bitwise.c \ - expr/byteorder.c \ - expr/cmp.c \ - expr/counter.c \ - expr/ct.c \ - expr/data_reg.c \ - expr/exthdr.c \ - expr/limit.c \ - expr/log.c \ - expr/lookup.c \ - expr/immediate.c \ - expr/match.c \ - expr/meta.c \ - expr/nat.c \ - expr/payload.c \ - expr/queue.c \ - expr/reject.c \ - expr/target.c \ - expr/data_reg.h \ - libnftables.map \ - expr_ops.h \ - internal.h +libnftnl_la_LIBADD = ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS} +libnftnl_la_LDFLAGS = -Wl,--version-script=$(srcdir)/libnftnl.map \ + -version-info $(LIBVERSION) + +libnftnl_la_SOURCES = utils.c \ + common.c \ + table.c \ + chain.c \ + rule.c \ + set.c \ + set_elem.c \ + ruleset.c \ + mxml.c \ + jansson.c \ + expr.c \ + expr_ops.c \ + expr/bitwise.c \ + expr/byteorder.c \ + expr/cmp.c \ + expr/counter.c \ + expr/ct.c \ + expr/data_reg.c \ + expr/exthdr.c \ + expr/limit.c \ + expr/log.c \ + expr/lookup.c \ + expr/immediate.c \ + expr/match.c \ + expr/meta.c \ + expr/nat.c \ + expr/payload.c \ + expr/reject.c \ + expr/target.c \ + expr/data_reg.h \ + libnftnl.map \ + expr_ops.h \ + internal.h diff --git a/src/chain.c b/src/chain.c index b1a692a..2cc7c61 100644 --- a/src/chain.c +++ b/src/chain.c @@ -26,7 +26,7 @@ #include <linux/netfilter.h> #include <linux/netfilter_arp.h> -#include <libnftables/chain.h> +#include <libnftnl/chain.h> struct nft_chain { struct list_head head; @@ -499,45 +499,49 @@ static inline int nft_str2hooknum(int family, const char *hook) } #ifdef JSON_PARSING -int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree) +int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree, + struct nft_parse_err *err) { json_t *root; uint64_t uval64; - uint32_t policy; + int policy; int32_t val32; const char *valstr; - root = nft_jansson_get_node(tree, "chain"); + root = nft_jansson_get_node(tree, "chain", err); if (root == NULL) return -1; - valstr = nft_jansson_parse_str(root, "name"); + valstr = nft_jansson_parse_str(root, "name", err); if (valstr == NULL) goto err; nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_NAME, valstr); - if (nft_jansson_parse_val(root, "handle", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "handle", NFT_TYPE_U64, &uval64, + err) < 0) goto err; nft_chain_attr_set_u64(c,NFT_CHAIN_ATTR_HANDLE, uval64); - if (nft_jansson_parse_val(root, "bytes", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "bytes", NFT_TYPE_U64, &uval64, + err) < 0) goto err; nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_BYTES, uval64); - if (nft_jansson_parse_val(root, "packets", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "packets", NFT_TYPE_U64, &uval64, + err) < 0) goto err; nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_PACKETS, uval64); - if (nft_jansson_parse_family(root, &val32) != 0) + if (nft_jansson_parse_family(root, &val32, err) != 0) goto err; nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_FAMILY, val32); - valstr = nft_jansson_parse_str(root, "table"); + valstr = nft_jansson_parse_str(root, "table", err); if (valstr == NULL) goto err; @@ -545,7 +549,7 @@ int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree) nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TABLE, valstr); if (nft_jansson_node_exist(root, "hooknum")) { - valstr = nft_jansson_parse_str(root, "type"); + valstr = nft_jansson_parse_str(root, "type", err); if (valstr == NULL) goto err; @@ -553,12 +557,12 @@ int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree) nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TYPE, valstr); if (nft_jansson_parse_val(root, "prio", NFT_TYPE_S32, - &val32) < 0) + &val32, err) < 0) goto err; nft_chain_attr_set_s32(c, NFT_CHAIN_ATTR_PRIO, val32); - valstr = nft_jansson_parse_str(root, "hooknum"); + valstr = nft_jansson_parse_str(root, "hooknum", err); if (valstr == NULL) goto err; @@ -568,13 +572,16 @@ int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree) nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_HOOKNUM, val32); - valstr = nft_jansson_parse_str(root, "policy"); + valstr = nft_jansson_parse_str(root, "policy", err); if (valstr == NULL) goto err; - policy = nft_str2verdict(valstr); - if (policy == -1) + if (nft_str2verdict(valstr, &policy) != 0) { + errno = EINVAL; + err->node_name = "policy"; + err->error = NFT_PARSE_EBADTYPE; goto err; + } nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_POLICY, policy); } @@ -588,17 +595,19 @@ err: } #endif -static int nft_chain_json_parse(struct nft_chain *c, const char *json) +static int nft_chain_json_parse(struct nft_chain *c, const void *json, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef JSON_PARSING json_t *tree; json_error_t error; - tree = nft_jansson_create_root(json, &error); + tree = nft_jansson_create_root(json, &error, err, input); if (tree == NULL) return -1; - return nft_jansson_parse_chain(c, tree); + return nft_jansson_parse_chain(c, tree, err); #else errno = EOPNOTSUPP; return -1; @@ -606,13 +615,14 @@ static int nft_chain_json_parse(struct nft_chain *c, const char *json) } #ifdef XML_PARSING -int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) +int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c, + struct nft_parse_err *err) { const char *table, *name, *hooknum_str, *policy_str, *type; int family, hooknum, policy; name = nft_mxml_str_parse(tree, "name", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (name == NULL) return -1; @@ -620,25 +630,25 @@ int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) c->flags |= (1 << NFT_CHAIN_ATTR_NAME); if (nft_mxml_num_parse(tree, "handle", MXML_DESCEND_FIRST, BASE_DEC, - &c->handle, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &c->handle, NFT_TYPE_U64, NFT_XML_MAND, err) != 0) return -1; c->flags |= (1 << NFT_CHAIN_ATTR_HANDLE); if (nft_mxml_num_parse(tree, "bytes", MXML_DESCEND_FIRST, BASE_DEC, - &c->bytes, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &c->bytes, NFT_TYPE_U64, NFT_XML_MAND, err) != 0) return -1; c->flags |= (1 << NFT_CHAIN_ATTR_BYTES); if (nft_mxml_num_parse(tree, "packets", MXML_DESCEND_FIRST, BASE_DEC, - &c->packets, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &c->packets, NFT_TYPE_U64, NFT_XML_MAND, err) != 0) return -1; c->flags |= (1 << NFT_CHAIN_ATTR_PACKETS); table = nft_mxml_str_parse(tree, "table", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (table == NULL) return -1; @@ -649,7 +659,7 @@ int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) c->flags |= (1 << NFT_CHAIN_ATTR_TABLE); family = nft_mxml_family_parse(tree, "family", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (family < 0) return -1; @@ -657,7 +667,7 @@ int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) c->flags |= (1 << NFT_CHAIN_ATTR_FAMILY); hooknum_str = nft_mxml_str_parse(tree, "hooknum", MXML_DESCEND_FIRST, - NFT_XML_OPT); + NFT_XML_OPT, err); if (hooknum_str != NULL) { hooknum = nft_str2hooknum(c->family, hooknum_str); if (hooknum < 0) @@ -667,7 +677,7 @@ int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) c->flags |= (1 << NFT_CHAIN_ATTR_HOOKNUM); type = nft_mxml_str_parse(tree, "type", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (type == NULL) return -1; @@ -680,20 +690,23 @@ int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) if (nft_mxml_num_parse(tree, "prio", MXML_DESCEND, BASE_DEC, &c->prio, NFT_TYPE_S32, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; c->flags |= (1 << NFT_CHAIN_ATTR_PRIO); policy_str = nft_mxml_str_parse(tree, "policy", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (policy_str == NULL) return -1; - policy = nft_str2verdict(policy_str); - if (policy == -1) + if (nft_str2verdict(policy_str, &policy) != 0) { + errno = EINVAL; + err->node_name = "policy"; + err->error = NFT_PARSE_EBADTYPE; return -1; + } c->policy = policy; c->flags |= (1 << NFT_CHAIN_ATTR_POLICY); @@ -703,15 +716,17 @@ int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c) } #endif -static int nft_chain_xml_parse(struct nft_chain *c, const char *xml) +static int nft_chain_xml_parse(struct nft_chain *c, const void *xml, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef XML_PARSING int ret; - mxml_node_t *tree = nft_mxml_build_tree(xml, "chain"); + mxml_node_t *tree = nft_mxml_build_tree(xml, "chain", err, input); if (tree == NULL) return -1; - ret = nft_mxml_chain_parse(tree, c); + ret = nft_mxml_chain_parse(tree, c, err); mxmlDelete(tree); return ret; #else @@ -720,17 +735,19 @@ static int nft_chain_xml_parse(struct nft_chain *c, const char *xml) #endif } -int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, - const char *data) +static int nft_chain_do_parse(struct nft_chain *c, enum nft_parse_type type, + const void *data, struct nft_parse_err *err, + enum nft_parse_input input) { int ret; + struct nft_parse_err perr; switch (type) { case NFT_PARSE_XML: - ret = nft_chain_xml_parse(c, data); + ret = nft_chain_xml_parse(c, data, &perr, input); break; case NFT_PARSE_JSON: - ret = nft_chain_json_parse(c, data); + ret = nft_chain_json_parse(c, data, &perr, input); break; default: ret = -1; @@ -738,10 +755,26 @@ int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, break; } + if (err != NULL) + *err = perr; + return ret; } + +int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, + const char *data, struct nft_parse_err *err) +{ + return nft_chain_do_parse(c, type, data, err, NFT_PARSE_BUFFER); +} EXPORT_SYMBOL(nft_chain_parse); +int nft_chain_parse_file(struct nft_chain *c, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err) +{ + return nft_chain_do_parse(c, type, fp, err, NFT_PARSE_FILE); +} +EXPORT_SYMBOL(nft_chain_parse_file); + static int nft_chain_snprintf_json(char *buf, size_t size, struct nft_chain *c) { int ret, len = size, offset = 0; diff --git a/src/common.c b/src/common.c index f03e730..336d2b4 100644 --- a/src/common.c +++ b/src/common.c @@ -7,11 +7,13 @@ * (at your option) any later version. */ +#include <stdlib.h> +#include <sys/socket.h> #include <linux/netlink.h> #include <linux/netfilter/nfnetlink.h> #include <libmnl/libmnl.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #include "internal.h" @@ -34,3 +36,33 @@ struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, return nlh; } EXPORT_SYMBOL(nft_nlmsg_build_hdr); + +struct nft_parse_err *nft_parse_err_alloc(void) +{ + return calloc(1, sizeof(struct nft_parse_err)); +} +EXPORT_SYMBOL(nft_parse_err_alloc); + +void nft_parse_err_free(struct nft_parse_err *err) +{ + xfree(err); +} +EXPORT_SYMBOL(nft_parse_err_free); + +int nft_parse_perror(const char *str, struct nft_parse_err *err) +{ + switch (err->error) { + case NFT_PARSE_EBADINPUT: + return fprintf(stderr, "%s : Bad input format in line %d column %d\n", + str, err->line, err->column); + case NFT_PARSE_EMISSINGNODE: + return fprintf(stderr, "%s : Node \"%s\" not found\n", + str, err->node_name); + case NFT_PARSE_EBADTYPE: + return fprintf(stderr, "%s: Invalid type in node \"%s\"\n", + str, err->node_name); + default: + return fprintf(stderr, "Undefined error\n"); + } +} +EXPORT_SYMBOL(nft_parse_perror); @@ -22,7 +22,7 @@ #include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> +#include <libnftnl/expr.h> #include "linux_list.h" diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c index bcec516..c8fd0ec 100644 --- a/src/expr/bitwise.c +++ b/src/expr/bitwise.c @@ -18,8 +18,8 @@ #include <errno.h> #include <libmnl/libmnl.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "data_reg.h" #include "expr_ops.h" @@ -181,35 +181,36 @@ nft_rule_expr_bitwise_parse(struct nft_rule_expr *e, struct nlattr *attr) } static int -nft_rule_expr_bitwise_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_bitwise_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING struct nft_expr_bitwise *bitwise = nft_expr_data(e); uint32_t reg, len; - if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BITWISE_SREG, reg); - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BITWISE_DREG, reg); - if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &len) < 0) + if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &len, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BITWISE_LEN, len); if (nft_jansson_data_reg_parse(root, "mask", - &bitwise->mask) != DATA_VALUE) + &bitwise->mask, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_EXPR_BITWISE_MASK); if (nft_jansson_data_reg_parse(root, "xor", - &bitwise->xor) != DATA_VALUE) + &bitwise->xor, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_EXPR_BITWISE_XOR); @@ -225,21 +226,22 @@ nft_rule_expr_bitwise_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_bitwise *bitwise = nft_expr_data(e); - int32_t reg; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; bitwise->sreg = reg; e->flags |= (1 << NFT_EXPR_BITWISE_SREG); - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; bitwise->dreg = reg; @@ -247,19 +249,19 @@ nft_rule_expr_bitwise_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC, &bitwise->len, NFT_TYPE_U8, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_BITWISE_LEN); if (nft_mxml_data_reg_parse(tree, "mask", &bitwise->mask, - NFT_XML_MAND) != DATA_VALUE) + NFT_XML_MAND, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_EXPR_BITWISE_MASK); if (nft_mxml_data_reg_parse(tree, "xor", &bitwise->xor, - NFT_XML_MAND) != DATA_VALUE) + NFT_XML_MAND, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_EXPR_BITWISE_XOR); diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c index 7224c82..4889e80 100644 --- a/src/expr/byteorder.c +++ b/src/expr/byteorder.c @@ -18,8 +18,8 @@ #include <errno.h> #include <libmnl/libmnl.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "data_reg.h" #include "expr_ops.h" @@ -194,24 +194,25 @@ static inline int nft_str2ntoh(const char *op) } static int -nft_rule_expr_byteorder_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_byteorder_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *op; uint32_t uval32; int ntoh; - if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BYTEORDER_SREG, uval32); - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BYTEORDER_DREG, uval32); - op = nft_jansson_parse_str(root, "op"); + op = nft_jansson_parse_str(root, "op", err); if (op == NULL) return -1; @@ -221,12 +222,12 @@ nft_rule_expr_byteorder_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_BYTEORDER_OP, ntoh); - if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BYTEORDER_LEN, uval32); - if (nft_jansson_parse_val(root, "size", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "size", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_BYTEORDER_SIZE, uval32); @@ -239,28 +240,31 @@ nft_rule_expr_byteorder_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_byteorder *byteorder = nft_expr_data(e); const char *op; - int32_t reg, ntoh; + int32_t ntoh; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; byteorder->sreg = reg; e->flags |= (1 << NFT_EXPR_BYTEORDER_SREG); - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND, NFT_XML_MAND, + err) != 0) return -1; byteorder->dreg = reg; e->flags |= (1 << NFT_EXPR_BYTEORDER_DREG); - op = nft_mxml_str_parse(tree, "op", MXML_DESCEND_FIRST, NFT_XML_MAND); + op = nft_mxml_str_parse(tree, "op", MXML_DESCEND_FIRST, NFT_XML_MAND, + err); if (op == NULL) return -1; @@ -273,14 +277,14 @@ nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC, &byteorder->len, NFT_TYPE_U8, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_BYTEORDER_LEN); if (nft_mxml_num_parse(tree, "size", MXML_DESCEND_FIRST, BASE_DEC, &byteorder->size, NFT_TYPE_U8, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_BYTEORDER_SIZE); diff --git a/src/expr/cmp.c b/src/expr/cmp.c index 1c5787e..63250f3 100644 --- a/src/expr/cmp.c +++ b/src/expr/cmp.c @@ -19,15 +19,15 @@ #include <libmnl/libmnl.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" #include "data_reg.h" struct nft_expr_cmp { union nft_data_reg data; - uint32_t sreg; /* enum nft_registers */ - uint32_t op; /* enum nft_cmp_ops */ + enum nft_registers sreg; + enum nft_cmp_ops op; }; static int @@ -174,7 +174,8 @@ static inline int nft_str2cmp(const char *op) } } -static int nft_rule_expr_cmp_json_parse(struct nft_rule_expr *e, json_t *root) +static int nft_rule_expr_cmp_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING struct nft_expr_cmp *cmp = nft_expr_data(e); @@ -182,12 +183,12 @@ static int nft_rule_expr_cmp_json_parse(struct nft_rule_expr *e, json_t *root) uint32_t uval32; int base; - if (nft_jansson_parse_val(root, "sreg", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "sreg", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_CMP_SREG, uval32); - op = nft_jansson_parse_str(root, "op"); + op = nft_jansson_parse_str(root, "op", err); if (op == NULL) return -1; @@ -198,7 +199,7 @@ static int nft_rule_expr_cmp_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_CMP_OP, base); if (nft_jansson_data_reg_parse(root, "cmpdata", - &cmp->data) != DATA_VALUE) + &cmp->data, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_EXPR_CMP_DATA); @@ -210,21 +211,24 @@ static int nft_rule_expr_cmp_json_parse(struct nft_rule_expr *e, json_t *root) #endif } -static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_cmp *cmp = nft_expr_data(e); const char *op; - int32_t reg, op_value; + int32_t op_value; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; cmp->sreg = reg; e->flags |= (1 << NFT_EXPR_CMP_SREG); - op = nft_mxml_str_parse(tree, "op", MXML_DESCEND_FIRST, NFT_XML_MAND); + op = nft_mxml_str_parse(tree, "op", MXML_DESCEND_FIRST, NFT_XML_MAND, + err); if (op == NULL) return -1; @@ -236,7 +240,8 @@ static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre e->flags |= (1 << NFT_EXPR_CMP_OP); if (nft_mxml_data_reg_parse(tree, "cmpdata", - &cmp->data, NFT_XML_MAND) != DATA_VALUE) + &cmp->data, NFT_XML_MAND, + err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_EXPR_CMP_DATA); diff --git a/src/expr/counter.c b/src/expr/counter.c index 4919a69..4bb7f1b 100644 --- a/src/expr/counter.c +++ b/src/expr/counter.c @@ -19,8 +19,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_counter { @@ -119,17 +119,18 @@ nft_rule_expr_counter_parse(struct nft_rule_expr *e, struct nlattr *attr) } static int -nft_rule_expr_counter_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_counter_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING uint64_t uval64; - if (nft_jansson_parse_val(root, "pkts", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "pkts", NFT_TYPE_U64, &uval64, err) < 0) return -1; nft_rule_expr_set_u64(e, NFT_EXPR_CTR_PACKETS, uval64); - if (nft_jansson_parse_val(root, "bytes", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "bytes", NFT_TYPE_U64, &uval64, err) < 0) return -1; nft_rule_expr_set_u64(e, NFT_EXPR_CTR_BYTES, uval64); @@ -142,19 +143,22 @@ nft_rule_expr_counter_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_counter_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_counter_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_counter *ctr = nft_expr_data(e); if (nft_mxml_num_parse(tree, "pkts", MXML_DESCEND_FIRST, BASE_DEC, - &ctr->pkts, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &ctr->pkts, NFT_TYPE_U64, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_CTR_PACKETS); if (nft_mxml_num_parse(tree, "bytes", MXML_DESCEND_FIRST, BASE_DEC, - &ctr->bytes, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &ctr->bytes, NFT_TYPE_U64, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_CTR_BYTES); diff --git a/src/expr/ct.c b/src/expr/ct.c index 49d8495..2df761c 100644 --- a/src/expr/ct.c +++ b/src/expr/ct.c @@ -18,8 +18,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_ct { @@ -141,10 +141,6 @@ nft_rule_expr_ct_parse(struct nft_rule_expr *e, struct nlattr *attr) ct->key = ntohl(mnl_attr_get_u32(tb[NFTA_CT_KEY])); e->flags |= (1 << NFT_EXPR_CT_KEY); } - if (tb[NFTA_CT_DIRECTION]) { - ct->dir = mnl_attr_get_u8(tb[NFTA_CT_DIRECTION]); - e->flags |= (1 << NFT_EXPR_CT_DIR); - } if (tb[NFTA_CT_DREG]) { ct->dreg = ntohl(mnl_attr_get_u32(tb[NFTA_CT_DREG])); e->flags |= (1 << NFT_EXPR_CT_DREG); @@ -153,6 +149,10 @@ nft_rule_expr_ct_parse(struct nft_rule_expr *e, struct nlattr *attr) ct->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_CT_SREG])); e->flags |= (1 << NFT_EXPR_CT_SREG); } + if (tb[NFTA_CT_DIRECTION]) { + ct->dir = mnl_attr_get_u8(tb[NFTA_CT_DIRECTION]); + e->flags |= (1 << NFT_EXPR_CT_DIR); + } return 0; } @@ -165,6 +165,7 @@ const char *ctkey2str_array[NFT_CT_MAX] = { [NFT_CT_SECMARK] = "secmark", [NFT_CT_EXPIRATION] = "expiration", [NFT_CT_HELPER] = "helper", + [NFT_CT_L3PROTOCOL] = "l3protocol", [NFT_CT_PROTOCOL] = "protocol", [NFT_CT_SRC] = "src", [NFT_CT_DST] = "dst", @@ -192,30 +193,58 @@ static inline int str2ctkey(const char *ctkey) return -1; } -static int nft_rule_expr_ct_json_parse(struct nft_rule_expr *e, json_t *root) +static const char *ctdir2str(uint8_t ctdir) +{ + switch (ctdir) { + case IP_CT_DIR_ORIGINAL: + return "original"; + case IP_CT_DIR_REPLY: + return "reply"; + default: + return "unknow"; + } +} + +static inline int str2ctdir(const char *str, uint8_t *ctdir) +{ + if (strcmp(str, "original") == 0) { + *ctdir = IP_CT_DIR_ORIGINAL; + return 0; + } + + if (strcmp(str, "reply") == 0) { + *ctdir = IP_CT_DIR_REPLY; + return 0; + } + + return -1; +} + +static int nft_rule_expr_ct_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING - const char *key_str; + const char *key_str, *dir_str; uint32_t reg; uint8_t dir; int key; if (nft_jansson_node_exist(root, "dreg")) { - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_CT_DREG, reg); } if (nft_jansson_node_exist(root, "sreg")) { - if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_CT_SREG, reg); } if (nft_jansson_node_exist(root, "key")) { - key_str = nft_jansson_parse_str(root, "key"); + key_str = nft_jansson_parse_str(root, "key", err); if (key_str == NULL) return -1; @@ -228,11 +257,15 @@ static int nft_rule_expr_ct_json_parse(struct nft_rule_expr *e, json_t *root) } if (nft_jansson_node_exist(root, "dir")) { - if (nft_jansson_parse_val(root, "dir", NFT_TYPE_U8, &dir) < 0) + dir_str = nft_jansson_parse_str(root, "dir", err); + if (dir_str == NULL) return -1; - if (dir != IP_CT_DIR_ORIGINAL && dir != IP_CT_DIR_REPLY) + if (str2ctdir(dir_str, &dir) != 0) { + err->node_name = "dir"; + err->error = NFT_PARSE_EBADTYPE; goto err; + } nft_rule_expr_set_u8(e, NFT_EXPR_CT_DIR, dir); } @@ -248,29 +281,30 @@ err: } -static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_ct *ct = nft_expr_data(e); - const char *key_str; - int32_t reg; + const char *key_str, *dir_str; int key; uint8_t dir; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST); - if (reg >= 0) { + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND_FIRST, + NFT_XML_OPT, err) >= 0) { ct->dreg = reg; e->flags |= (1 << NFT_EXPR_CT_DREG); } - reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST); - if (reg >= 0) { + if (nft_mxml_reg_parse(tree, "sreg", ®, MXML_DESCEND_FIRST, + NFT_XML_OPT, err) >= 0) { ct->sreg = reg; e->flags |= (1 << NFT_EXPR_CT_SREG); } key_str = nft_mxml_str_parse(tree, "key", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (key_str == NULL) return -1; @@ -281,15 +315,17 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree ct->key = key; e->flags |= (1 << NFT_EXPR_CT_KEY); - if (nft_mxml_num_parse(tree, "dir", MXML_DESCEND_FIRST, BASE_DEC, - &dir, NFT_TYPE_U8, NFT_XML_MAND) != 0) - return -1; - - if (dir != IP_CT_DIR_ORIGINAL && dir != IP_CT_DIR_REPLY) - goto err; + dir_str = nft_mxml_str_parse(tree, "dir", MXML_DESCEND_FIRST, + NFT_XML_OPT, err); + if (dir_str != NULL) { + if (str2ctdir(dir_str, &dir) != 0) { + err->node_name = "dir"; + err->error = NFT_PARSE_EBADTYPE; + goto err; + } - ct->dir = dir; - e->flags |= (1 << NFT_EXPR_CT_DIR); + nft_rule_expr_set_u8(e, NFT_EXPR_CT_DIR, dir); + } return 0; err: @@ -302,21 +338,41 @@ err: } static int -nft_rule_expr_ct_snprintf_default(char *buf, size_t size, - struct nft_rule_expr *e) +nft_expr_ct_snprintf_json(char *buf, size_t size, struct nft_rule_expr *e) { + int ret, len = size, offset = 0; struct nft_expr_ct *ct = nft_expr_data(e); - if (e->flags & (1 << NFT_EXPR_CT_SREG)) - return snprintf(buf, size, "set %s with reg %u ", - ctkey2str(ct->key), ct->sreg); + if (e->flags & (1 << NFT_EXPR_CT_DREG)) { + ret = snprintf(buf+offset, len, "\"dreg\":%u,", ct->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + if (e->flags & (1 << NFT_EXPR_CT_SREG)) { + ret = snprintf(buf+offset, len, "\"sreg:\":%u,", ct->sreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + if (e->flags & (1 << NFT_EXPR_CT_KEY)) { + ret = snprintf(buf+offset, len, "\"key\":\"%s\",", + ctkey2str(ct->key)); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + if (nft_rule_expr_is_set(e, NFT_EXPR_CT_DIR)) { + ret = snprintf(buf+offset, len, "\"dir\":\"%s\",", + ctdir2str(ct->dir)); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + /* Remove the last separator characther */ + buf[offset-1] = '\0'; - return snprintf(buf, size, "load %s => reg %u dir %u ", - ctkey2str(ct->key), ct->dreg, ct->dir); + return offset-1; } static int -nft_rule_expr_ct_snprintf_xml(char *buf, size_t size, struct nft_rule_expr *e) +nft_expr_ct_snprintf_xml(char *buf, size_t size, struct nft_rule_expr *e) { int ret, len = size, offset = 0; struct nft_expr_ct *ct = nft_expr_data(e); @@ -337,8 +393,9 @@ nft_rule_expr_ct_snprintf_xml(char *buf, size_t size, struct nft_rule_expr *e) SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } - if (e->flags & (1 << NFT_EXPR_CT_DIR)) { - ret = snprintf(buf+offset, len, "<dir>%u</dir>", ct->dir); + if (nft_rule_expr_is_set(e, NFT_EXPR_CT_DIR)) { + ret = snprintf(buf+offset, len, "<dir>%s</dir>", + ctdir2str(ct->dir)); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } @@ -346,36 +403,30 @@ nft_rule_expr_ct_snprintf_xml(char *buf, size_t size, struct nft_rule_expr *e) } static int -nft_rule_expr_ct_snprintf_json(char *buf, size_t size, struct nft_rule_expr *e) +nft_expr_ct_snprintf_default(char *buf, size_t size, struct nft_rule_expr *e) { int ret, len = size, offset = 0; struct nft_expr_ct *ct = nft_expr_data(e); - if (e->flags & (1 << NFT_EXPR_CT_DREG)) { - ret = snprintf(buf+offset, len, "\"dreg\":%u,", ct->dreg); - SNPRINTF_BUFFER_SIZE(ret, size, len, offset); - } - if (e->flags & (1 << NFT_EXPR_CT_SREG)) { - ret = snprintf(buf+offset, len, "\"sreg:\":%u,", ct->sreg); + ret = snprintf(buf, size, "set %s with reg %u ", + ctkey2str(ct->key), ct->sreg); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } - if (e->flags & (1 << NFT_EXPR_CT_KEY)) { - ret = snprintf(buf+offset, len, "\"key\":\"%s\",", - ctkey2str(ct->key)); + if (e->flags & (1 << NFT_EXPR_CT_DREG)) { + ret = snprintf(buf, len, "load %s => reg %u ", + ctkey2str(ct->key), ct->dreg); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } - if (e->flags & (1 << NFT_EXPR_CT_DIR)) { - ret = snprintf(buf+offset, len, "\"dir\":%u,", ct->dir); + if (nft_rule_expr_is_set(e, NFT_EXPR_CT_DIR)) { + ret = snprintf(buf+offset, len, ", dir %s ", + ctdir2str(ct->dir)); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } - /* Remove the last separator characther */ - buf[offset-1] = '\0'; - - return offset-1; + return offset; } static int @@ -384,11 +435,11 @@ nft_rule_expr_ct_snprintf(char *buf, size_t len, uint32_t type, { switch(type) { case NFT_OUTPUT_DEFAULT: - return nft_rule_expr_ct_snprintf_default(buf, len, e); + return nft_expr_ct_snprintf_default(buf, len, e); case NFT_OUTPUT_XML: - return nft_rule_expr_ct_snprintf_xml(buf, len, e); + return nft_expr_ct_snprintf_xml(buf, len, e); case NFT_OUTPUT_JSON: - return nft_rule_expr_ct_snprintf_json(buf, len, e); + return nft_expr_ct_snprintf_json(buf, len, e); default: break; } diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c index a198c67..0523cb7 100644 --- a/src/expr/data_reg.c +++ b/src/expr/data_reg.c @@ -18,82 +18,85 @@ #include <netinet/in.h> #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> -#include "internal.h" - #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> +#include "expr_ops.h" +#include "data_reg.h" +#include "internal.h" #ifdef JSON_PARSING -static int nft_data_reg_verdict_json_parse(union nft_data_reg *reg, json_t *data) +static int nft_data_reg_verdict_json_parse(union nft_data_reg *reg, json_t *data, + struct nft_parse_err *err) { int verdict; const char *verdict_str; + const char *chain; - verdict_str = nft_jansson_parse_str(data, "verdict"); + verdict_str = nft_jansson_parse_str(data, "verdict", err); if (verdict_str == NULL) - return -1; + return DATA_NONE; - verdict = nft_str2verdict(verdict_str); - if (verdict < 0) + if (nft_str2verdict(verdict_str, &verdict) != 0) { + err->node_name = "verdict"; + err->error = NFT_PARSE_EBADTYPE; + errno = EINVAL; return -1; + } reg->verdict = (uint32_t)verdict; - return 0; -} + if (nft_jansson_node_exist(data, "chain")) { + chain = nft_jansson_parse_str(data, "chain", err); + if (chain == NULL) + return DATA_NONE; -static int nft_data_reg_chain_json_parse(union nft_data_reg *reg, json_t *data) -{ - reg->chain = strdup(nft_jansson_parse_str(data, "chain")); - if (reg->chain == NULL) { - return -1; + reg->chain = strdup(chain); } - return 0; + return DATA_VERDICT; } -static int nft_data_reg_value_json_parse(union nft_data_reg *reg, json_t *data) +static int nft_data_reg_value_json_parse(union nft_data_reg *reg, json_t *data, + struct nft_parse_err *err) { int i; char node_name[6]; - if (nft_jansson_parse_val(data, "len", NFT_TYPE_U8, ®->len) < 0) - return -1; + if (nft_jansson_parse_val(data, "len", NFT_TYPE_U8, ®->len, err) < 0) + return DATA_NONE; for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) { sprintf(node_name, "data%d", i); if (nft_jansson_str2num(data, node_name, BASE_HEX, - ®->val[i], NFT_TYPE_U32) != 0) - return -1; + ®->val[i], NFT_TYPE_U32, err) != 0) + return DATA_NONE; } - return 0; + return DATA_VALUE; } #endif -int nft_data_reg_json_parse(union nft_data_reg *reg, json_t *data) +int nft_data_reg_json_parse(union nft_data_reg *reg, json_t *data, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *type; - type = nft_jansson_parse_str(data, "type"); + type = nft_jansson_parse_str(data, "type", err); if (type == NULL) return -1; /* Select what type of parsing is needed */ - if (strcmp(type, "value") == 0) { - return nft_data_reg_value_json_parse(reg, data); - } else if (strcmp(type, "verdict") == 0) { - return nft_data_reg_verdict_json_parse(reg, data); - } else if (strcmp(type, "chain") == 0) { - return nft_data_reg_chain_json_parse(reg, data); - } + if (strcmp(type, "value") == 0) + return nft_data_reg_value_json_parse(reg, data, err); + else if (strcmp(type, "verdict") == 0) + return nft_data_reg_verdict_json_parse(reg, data, err); - return 0; + return DATA_NONE; #else errno = EOPNOTSUPP; return -1; @@ -102,44 +105,42 @@ int nft_data_reg_json_parse(union nft_data_reg *reg, json_t *data) #ifdef XML_PARSING static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg, - mxml_node_t *tree) + mxml_node_t *tree, + struct nft_parse_err *err) { int verdict; const char *verdict_str; + const char *chain; verdict_str = nft_mxml_str_parse(tree, "verdict", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (verdict_str == NULL) return DATA_NONE; - verdict = nft_str2verdict(verdict_str); - if (verdict < 0) + if (nft_str2verdict(verdict_str, &verdict) != 0) { + err->node_name = "verdict"; + err->error = NFT_PARSE_EBADTYPE; + errno = EINVAL; return DATA_NONE; + } reg->verdict = (uint32_t)verdict; - return DATA_VERDICT; -} - -static int nft_data_reg_chain_xml_parse(union nft_data_reg *reg, - mxml_node_t *tree) -{ - const char *chain; - chain = nft_mxml_str_parse(tree, "chain", MXML_DESCEND_FIRST, - NFT_XML_MAND); - if (chain == NULL) - return DATA_NONE; + NFT_XML_OPT, err); + if (chain != NULL) { + if (reg->chain) + xfree(reg->chain); - if (reg->chain) - xfree(reg->chain); + reg->chain = strdup(chain); + } - reg->chain = strdup(chain); - return DATA_CHAIN; + return DATA_VERDICT; } static int nft_data_reg_value_xml_parse(union nft_data_reg *reg, - mxml_node_t *tree) + mxml_node_t *tree, + struct nft_parse_err *err) { int i; char node_name[6]; @@ -155,7 +156,7 @@ static int nft_data_reg_value_xml_parse(union nft_data_reg *reg, */ if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC, - ®->len, NFT_TYPE_U8, NFT_XML_MAND) != 0) + ®->len, NFT_TYPE_U8, NFT_XML_MAND, err) != 0) return DATA_NONE; /* Get and set <dataN> */ @@ -164,7 +165,7 @@ static int nft_data_reg_value_xml_parse(union nft_data_reg *reg, if (nft_mxml_num_parse(tree, node_name, MXML_DESCEND_FIRST, BASE_HEX, ®->val[i], NFT_TYPE_U32, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return DATA_NONE; } @@ -172,7 +173,8 @@ static int nft_data_reg_value_xml_parse(union nft_data_reg *reg, } #endif -int nft_data_reg_xml_parse(union nft_data_reg *reg, mxml_node_t *tree) +int nft_data_reg_xml_parse(union nft_data_reg *reg, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING const char *type; @@ -180,26 +182,25 @@ int nft_data_reg_xml_parse(union nft_data_reg *reg, mxml_node_t *tree) node = mxmlFindElement(tree, tree, "data_reg", "type", NULL, MXML_DESCEND_FIRST); - if (node == NULL) { - errno = EINVAL; - return DATA_NONE; - } + if (node == NULL) + goto err; type = mxmlElementGetAttr(node, "type"); - if (type == NULL) { - errno = EINVAL; - return DATA_NONE; - } + if (type == NULL) + goto err; if (strcmp(type, "value") == 0) - return nft_data_reg_value_xml_parse(reg, node); + return nft_data_reg_value_xml_parse(reg, node, err); else if (strcmp(type, "verdict") == 0) - return nft_data_reg_verdict_xml_parse(reg, node); - else if (strcmp(type, "chain") == 0) - return nft_data_reg_chain_xml_parse(reg, node); + return nft_data_reg_verdict_xml_parse(reg, node, err); return DATA_NONE; +err: + errno = EINVAL; + err->node_name = "data_reg"; + err->error = NFT_PARSE_EMISSINGNODE; + return DATA_NONE; #else errno = EOPNOTSUPP; return -1; @@ -293,6 +294,67 @@ nft_data_reg_value_snprintf_default(char *buf, size_t size, return offset; } +static int +nft_data_reg_verdict_snprintf_def(char *buf, size_t size, + union nft_data_reg *reg, uint32_t flags) +{ + int len = size, offset = 0, ret = 0; + + ret = snprintf(buf, size, "%s ", nft_verdict2str(reg->verdict)); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + if (reg->chain != NULL) { + ret = snprintf(buf+offset, size, "-> %s ", reg->chain); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + return offset; +} + +static int +nft_data_reg_verdict_snprintf_xml(char *buf, size_t size, + union nft_data_reg *reg, uint32_t flags) +{ + int len = size, offset = 0, ret = 0; + + ret = snprintf(buf, size, "<data_reg type=\"verdict\">" + "<verdict>%s</verdict>", nft_verdict2str(reg->verdict)); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + if (reg->chain != NULL) { + ret = snprintf(buf+offset, size, "<chain>%s</chain>", + reg->chain); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + ret = snprintf(buf+offset, size, "</data_reg>"); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + return offset; +} + +static int +nft_data_reg_verdict_snprintf_json(char *buf, size_t size, + union nft_data_reg *reg, uint32_t flags) +{ + int len = size, offset = 0, ret = 0; + + ret = snprintf(buf, size, "\"data_reg\":{\"type\":\"verdict\"," + "\"verdict\":\"%s\"", nft_verdict2str(reg->verdict)); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + if (reg->chain != NULL) { + ret = snprintf(buf+offset, size, ",\"chain\":\"%s\"", + reg->chain); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + + ret = snprintf(buf+offset, size, "}"); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + return offset; +} + int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg, uint32_t output_format, uint32_t flags, int reg_type) { @@ -312,44 +374,24 @@ int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg, break; } case DATA_VERDICT: - switch(output_format) { - case NFT_OUTPUT_DEFAULT: - return snprintf(buf, size, "%d ", reg->verdict); - case NFT_OUTPUT_XML: - return snprintf(buf, size, - "<data_reg type=\"verdict\">" - "<verdict>%s</verdict>" - "</data_reg>", - nft_verdict2str(reg->verdict)); - case NFT_OUTPUT_JSON: - return snprintf(buf, size, - "\"data_reg\":{" - "\"type\":\"verdict\"," - "\"verdict\":\"%s\"" - "}", nft_verdict2str(reg->verdict)); - default: - break; - } case DATA_CHAIN: switch(output_format) { case NFT_OUTPUT_DEFAULT: - return snprintf(buf, size, "%s ", reg->chain); + return nft_data_reg_verdict_snprintf_def(buf, size, + reg, flags); case NFT_OUTPUT_XML: - return snprintf(buf, size, - "<data_reg type=\"chain\">" - "<chain>%s</chain>" - "</data_reg>", reg->chain); + return nft_data_reg_verdict_snprintf_xml(buf, size, + reg, flags); case NFT_OUTPUT_JSON: - return snprintf(buf, size, - "\"data_reg\":{\"type\":\"chain\"," - "\"chain\":\"%s\"" - "}", reg->chain); + return nft_data_reg_verdict_snprintf_json(buf, size, + reg, flags); default: break; } default: break; } + return -1; } diff --git a/src/expr/data_reg.h b/src/expr/data_reg.h index 8a6a235..5258051 100644 --- a/src/expr/data_reg.h +++ b/src/expr/data_reg.h @@ -29,8 +29,10 @@ union nft_data_reg { int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg, uint32_t output_format, uint32_t flags, int reg_type); -int nft_data_reg_xml_parse(union nft_data_reg *reg, mxml_node_t *tree); +int nft_data_reg_xml_parse(union nft_data_reg *reg, mxml_node_t *tree, + struct nft_parse_err *err); int nft_parse_data(union nft_data_reg *data, struct nlattr *attr, int *type); -int nft_data_reg_json_parse(union nft_data_reg *reg, json_t *data); +int nft_data_reg_json_parse(union nft_data_reg *reg, json_t *data, + struct nft_parse_err *err); #endif diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c index 6841ac1..66a6cf5 100644 --- a/src/expr/exthdr.c +++ b/src/expr/exthdr.c @@ -21,8 +21,8 @@ #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" @@ -32,9 +32,9 @@ struct nft_expr_exthdr { enum nft_registers dreg; + uint32_t offset; + uint32_t len; uint8_t type; - unsigned int offset; - unsigned int len; }; static int @@ -51,10 +51,10 @@ nft_rule_expr_exthdr_set(struct nft_rule_expr *e, uint16_t type, exthdr->type = *((uint8_t *)data); break; case NFT_EXPR_EXTHDR_OFFSET: - exthdr->offset = *((unsigned int *)data); + exthdr->offset = *((uint32_t *)data); break; case NFT_EXPR_EXTHDR_LEN: - exthdr->len = *((unsigned int *)data); + exthdr->len = *((uint32_t *)data); break; default: return -1; @@ -193,19 +193,20 @@ static inline int str2exthdr_type(const char *str) } static int -nft_rule_expr_exthdr_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_exthdr_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *exthdr_type; uint32_t uval32; int type; - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_EXTHDR_DREG, uval32); - exthdr_type = nft_jansson_parse_str(root, "exthdr_type"); + exthdr_type = nft_jansson_parse_str(root, "exthdr_type", err); if (exthdr_type == NULL) return -1; @@ -215,12 +216,12 @@ nft_rule_expr_exthdr_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_EXTHDR_TYPE, type); - if (nft_jansson_parse_val(root, "offset", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "offset", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_EXTHDR_OFFSET, uval32); - if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_EXTHDR_LEN, uval32); @@ -233,23 +234,24 @@ nft_rule_expr_exthdr_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_exthdr_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_exthdr_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_exthdr *exthdr = nft_expr_data(e); const char *exthdr_type; - int32_t reg; int type; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; exthdr->dreg = reg; e->flags |= (1 << NFT_EXPR_EXTHDR_DREG); exthdr_type = nft_mxml_str_parse(tree, "exthdr_type", - MXML_DESCEND_FIRST, NFT_XML_MAND); + MXML_DESCEND_FIRST, NFT_XML_MAND, err); if (exthdr_type == NULL) return -1; @@ -263,14 +265,15 @@ nft_rule_expr_exthdr_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) /* Get and set <offset> */ if (nft_mxml_num_parse(tree, "offset", MXML_DESCEND_FIRST, BASE_DEC, &exthdr->offset, NFT_TYPE_U32, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_EXTHDR_OFFSET); /* Get and set <len> */ if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC, - &exthdr->len, NFT_TYPE_U32, NFT_XML_MAND) != 0) + &exthdr->len, NFT_TYPE_U32, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_EXTHDR_LEN); diff --git a/src/expr/immediate.c b/src/expr/immediate.c index a96d3de..b3c52b8 100644 --- a/src/expr/immediate.c +++ b/src/expr/immediate.c @@ -17,8 +17,8 @@ #include "internal.h" #include <libmnl/libmnl.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" #include "data_reg.h" @@ -178,20 +178,21 @@ nft_rule_expr_immediate_parse(struct nft_rule_expr *e, struct nlattr *attr) } static int -nft_rule_expr_immediate_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_immediate_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING struct nft_expr_immediate *imm = nft_expr_data(e); int datareg_type; uint32_t reg; - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_IMM_DREG, reg); datareg_type = nft_jansson_data_reg_parse(root, "immediatedata", - &imm->data); + &imm->data, err); if (datareg_type < 0) return -1; @@ -217,22 +218,23 @@ nft_rule_expr_immediate_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_immediate_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_immediate_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_immediate *imm = nft_expr_data(e); int datareg_type; - int32_t reg; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; imm->dreg = reg; e->flags |= (1 << NFT_EXPR_IMM_DREG); datareg_type = nft_mxml_data_reg_parse(tree, "immediatedata", - &imm->data, NFT_XML_MAND); + &imm->data, NFT_XML_MAND, err); switch (datareg_type) { case DATA_VALUE: e->flags |= (1 << NFT_EXPR_IMM_DATA); diff --git a/src/expr/limit.c b/src/expr/limit.c index 4854a77..7d10340 100644 --- a/src/expr/limit.c +++ b/src/expr/limit.c @@ -19,8 +19,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_limit { @@ -118,17 +118,18 @@ nft_rule_expr_limit_parse(struct nft_rule_expr *e, struct nlattr *attr) return 0; } -static int nft_rule_expr_limit_json_parse(struct nft_rule_expr *e, json_t *root) +static int nft_rule_expr_limit_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING uint64_t uval64; - if (nft_jansson_parse_val(root, "rate", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "rate", NFT_TYPE_U64, &uval64, err) < 0) return -1; nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_RATE, uval64); - if (nft_jansson_parse_val(root, "unit", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "unit", NFT_TYPE_U64, &uval64, err) < 0) return -1; nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_UNIT, uval64); @@ -140,19 +141,23 @@ static int nft_rule_expr_limit_json_parse(struct nft_rule_expr *e, json_t *root) #endif } -static int nft_rule_expr_limit_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_limit_xml_parse(struct nft_rule_expr *e, + mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_limit *limit = nft_expr_data(e); if (nft_mxml_num_parse(tree, "rate", MXML_DESCEND_FIRST, BASE_DEC, - &limit->rate, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &limit->rate, NFT_TYPE_U64, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_LIMIT_RATE); if (nft_mxml_num_parse(tree, "unit", MXML_DESCEND_FIRST, BASE_DEC, - &limit->unit, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &limit->unit, NFT_TYPE_U64, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_LIMIT_UNIT); diff --git a/src/expr/log.c b/src/expr/log.c index 76657a9..5119c20 100644 --- a/src/expr/log.c +++ b/src/expr/log.c @@ -18,8 +18,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_log { @@ -160,31 +160,34 @@ nft_rule_expr_log_parse(struct nft_rule_expr *e, struct nlattr *attr) return 0; } -static int nft_rule_expr_log_json_parse(struct nft_rule_expr *e, json_t *root) +static int nft_rule_expr_log_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *prefix; uint32_t snaplen; uint16_t uval16; - prefix = nft_jansson_parse_str(root, "prefix"); + prefix = nft_jansson_parse_str(root, "prefix", err); if (prefix == NULL) return -1; nft_rule_expr_set_str(e, NFT_EXPR_LOG_PREFIX, prefix); - if (nft_jansson_parse_val(root, "group", NFT_TYPE_U16, &uval16) < 0) + if (nft_jansson_parse_val(root, "group", NFT_TYPE_U16, &uval16, + err) < 0) return -1; nft_rule_expr_set_u16(e, NFT_EXPR_LOG_GROUP, uval16); - if (nft_jansson_parse_val(root, "snaplen", NFT_TYPE_U32, &snaplen) < 0) + if (nft_jansson_parse_val(root, "snaplen", NFT_TYPE_U32, &snaplen, + err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_LOG_SNAPLEN, snaplen); if (nft_jansson_parse_val(root, "qthreshold", NFT_TYPE_U16, - &uval16) < 0) + &uval16, err) < 0) return -1; nft_rule_expr_set_u16(e, NFT_EXPR_LOG_QTHRESHOLD, uval16); @@ -196,14 +199,16 @@ static int nft_rule_expr_log_json_parse(struct nft_rule_expr *e, json_t *root) #endif } -static int nft_rule_expr_log_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_log_xml_parse(struct nft_rule_expr *e, + mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_log *log = nft_expr_data(e); const char *prefix; prefix = nft_mxml_str_parse(tree, "prefix", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (prefix == NULL) return -1; @@ -211,20 +216,22 @@ static int nft_rule_expr_log_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre e->flags |= (1 << NFT_EXPR_LOG_PREFIX); if (nft_mxml_num_parse(tree, "group", MXML_DESCEND_FIRST, BASE_DEC, - &log->group, NFT_TYPE_U16, NFT_XML_MAND) != 0) + &log->group, NFT_TYPE_U16, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_LOG_GROUP); if (nft_mxml_num_parse(tree, "snaplen", MXML_DESCEND_FIRST, BASE_DEC, - &log->snaplen, NFT_TYPE_U32, NFT_XML_MAND) != 0) + &log->snaplen, NFT_TYPE_U32, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_LOG_SNAPLEN); if (nft_mxml_num_parse(tree, "qthreshold", MXML_DESCEND_FIRST, BASE_DEC, &log->qthreshold, - NFT_TYPE_U16, NFT_XML_MAND) != 0) + NFT_TYPE_U16, NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_LOG_QTHRESHOLD); diff --git a/src/expr/lookup.c b/src/expr/lookup.c index 4e91cfb..5e0bf75 100644 --- a/src/expr/lookup.c +++ b/src/expr/lookup.c @@ -18,8 +18,8 @@ #include <errno.h> #include <libmnl/libmnl.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> #include "data_reg.h" #include "expr_ops.h" @@ -143,24 +143,25 @@ nft_rule_expr_lookup_parse(struct nft_rule_expr *e, struct nlattr *attr) } static int -nft_rule_expr_lookup_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_lookup_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *set_name; int32_t reg; - set_name = nft_jansson_parse_str(root, "set"); + set_name = nft_jansson_parse_str(root, "set", err); if (set_name == NULL) return -1; nft_rule_expr_set_str(e, NFT_EXPR_LOOKUP_SET, set_name); - if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_LOOKUP_SREG, reg); - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_LOOKUP_DREG, reg); @@ -173,15 +174,16 @@ nft_rule_expr_lookup_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_lookup *lookup = nft_expr_data(e); const char *set_name; - int32_t reg; + uint32_t reg; set_name = nft_mxml_str_parse(tree, "set", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (set_name == NULL) return -1; @@ -189,19 +191,18 @@ nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) lookup->set_name[IFNAMSIZ-1] = '\0'; e->flags |= (1 << NFT_EXPR_LOOKUP_SET); - reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg", ®, MXML_DESCEND, + NFT_XML_MAND, err) != 0) return -1; lookup->sreg = reg; e->flags |= (1 << NFT_EXPR_LOOKUP_SREG); - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND); - if (reg < 0) - return -1; - - lookup->dreg = reg; - e->flags |= (1 << NFT_EXPR_LOOKUP_DREG); + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND, + NFT_XML_OPT, err) == 0) { + lookup->dreg = reg; + e->flags |= (1 << NFT_EXPR_LOOKUP_DREG); + } return 0; #else @@ -212,41 +213,59 @@ nft_rule_expr_lookup_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) static int nft_rule_expr_lookup_snprintf_json(char *buf, size_t size, - struct nft_expr_lookup *l) + struct nft_rule_expr *e) { int len = size, offset = 0, ret; + struct nft_expr_lookup *l = nft_expr_data(e); - ret = snprintf(buf, len, "\"set\":\"%s\",\"sreg\":%u,\"dreg\":%u", - l->set_name, l->sreg, l->dreg); + ret = snprintf(buf, len, "\"set\":\"%s\",\"sreg\":%u", + l->set_name, l->sreg); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + if (e->flags & (1 << NFT_EXPR_LOOKUP_DREG)) { + ret = snprintf(buf+offset, len, ",\"dreg\":%u", l->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + return offset; } static int nft_rule_expr_lookup_snprintf_xml(char *buf, size_t size, - struct nft_expr_lookup *l) + struct nft_rule_expr *e) { int len = size, offset = 0, ret; + struct nft_expr_lookup *l = nft_expr_data(e); - ret = snprintf(buf, len, "<set>%s</set><sreg>%u</sreg><dreg>%u</dreg>", - l->set_name, l->sreg, l->dreg); + ret = snprintf(buf, len, "<set>%s</set><sreg>%u</sreg>", + l->set_name, l->sreg); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + if (e->flags & (1 << NFT_EXPR_LOOKUP_DREG)) { + ret = snprintf(buf+offset, len, "<dreg>%u</dreg>", l->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + return offset; } static int nft_rule_expr_lookup_snprintf_default(char *buf, size_t size, - struct nft_expr_lookup *l) + struct nft_rule_expr *e) { int len = size, offset = 0, ret; + struct nft_expr_lookup *l = nft_expr_data(e); - ret = snprintf(buf, len, "reg %u set %s dreg %u ", - l->sreg, l->set_name, l->dreg); + ret = snprintf(buf, len, "reg %u set %s ", l->sreg, l->set_name); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + + if (e->flags & (1 << NFT_EXPR_LOOKUP_DREG)) { + ret = snprintf(buf+offset, len, "dreg %u ", l->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + return offset; } @@ -254,15 +273,14 @@ static int nft_rule_expr_lookup_snprintf(char *buf, size_t size, uint32_t type, uint32_t flags, struct nft_rule_expr *e) { - struct nft_expr_lookup *lookup = nft_expr_data(e); switch(type) { case NFT_OUTPUT_DEFAULT: - return nft_rule_expr_lookup_snprintf_default(buf, size, lookup); + return nft_rule_expr_lookup_snprintf_default(buf, size, e); case NFT_OUTPUT_XML: - return nft_rule_expr_lookup_snprintf_xml(buf, size, lookup); + return nft_rule_expr_lookup_snprintf_xml(buf, size, e); case NFT_OUTPUT_JSON: - return nft_rule_expr_lookup_snprintf_json(buf, size, lookup); + return nft_rule_expr_lookup_snprintf_json(buf, size, e); default: break; } diff --git a/src/expr/match.c b/src/expr/match.c index c7863b8..9f2fa03 100644 --- a/src/expr/match.c +++ b/src/expr/match.c @@ -22,8 +22,8 @@ #include <linux/netfilter/nf_tables_compat.h> #include <linux/netfilter/x_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" @@ -170,12 +170,13 @@ static int nft_rule_expr_match_parse(struct nft_rule_expr *e, struct nlattr *att return 0; } -static int nft_rule_expr_match_json_parse(struct nft_rule_expr *e, json_t *root) +static int nft_rule_expr_match_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *name; - name = nft_jansson_parse_str(root, "name"); + name = nft_jansson_parse_str(root, "name", err); if (name == NULL) return -1; @@ -189,14 +190,15 @@ static int nft_rule_expr_match_json_parse(struct nft_rule_expr *e, json_t *root) } -static int nft_rule_expr_match_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_match_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_match *mt = nft_expr_data(e); const char *name; name = nft_mxml_str_parse(tree, "name", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (name == NULL) return -1; diff --git a/src/expr/meta.c b/src/expr/meta.c index f96b081..bee2f4c 100644 --- a/src/expr/meta.c +++ b/src/expr/meta.c @@ -18,8 +18,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" #ifndef NFT_META_MAX @@ -27,9 +27,9 @@ #endif struct nft_expr_meta { - uint32_t key; /* enum nft_meta_keys */ - uint32_t dreg; /* enum nft_registers */ - uint32_t sreg; /* enum nft_registers */ + enum nft_meta_keys key; + enum nft_registers dreg; + enum nft_registers sreg; }; static int @@ -135,7 +135,7 @@ nft_rule_expr_meta_parse(struct nft_rule_expr *e, struct nlattr *attr) return 0; } -const char *meta_key2str_array[NFT_META_MAX] = { +static const char *meta_key2str_array[NFT_META_MAX] = { [NFT_META_LEN] = "len", [NFT_META_PROTOCOL] = "protocol", [NFT_META_NFPROTO] = "nfproto", @@ -176,14 +176,15 @@ static inline int str2meta_key(const char *str) return -1; } -static int nft_rule_expr_meta_json_parse(struct nft_rule_expr *e, json_t *root) +static int nft_rule_expr_meta_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *key_str; - uint32_t reg, sreg; + uint32_t reg; int key; - key_str = nft_jansson_parse_str(root, "key"); + key_str = nft_jansson_parse_str(root, "key", err); if (key_str == NULL) return -1; @@ -194,18 +195,19 @@ static int nft_rule_expr_meta_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_META_KEY, key); if (nft_jansson_node_exist(root, "dreg")) { - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®, + err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_META_DREG, reg); } if (nft_jansson_node_exist(root, "sreg")) { - if (nft_jansson_parse_reg(root, "sreg", - NFT_TYPE_U32, &sreg) < 0) + if (nft_jansson_parse_reg(root, "sreg", NFT_TYPE_U32, ®, + err) < 0) return -1; - nft_rule_expr_set_u32(e, NFT_EXPR_META_SREG, sreg); + nft_rule_expr_set_u32(e, NFT_EXPR_META_SREG, reg); } return 0; @@ -216,16 +218,17 @@ static int nft_rule_expr_meta_json_parse(struct nft_rule_expr *e, json_t *root) } -static int nft_rule_expr_meta_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_meta_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_meta *meta = nft_expr_data(e); const char *key_str; - int32_t reg; int key; + uint32_t reg; key_str = nft_mxml_str_parse(tree, "key", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (key_str == NULL) return -1; @@ -236,14 +239,14 @@ static int nft_rule_expr_meta_xml_parse(struct nft_rule_expr *e, mxml_node_t *tr meta->key = key; e->flags |= (1 << NFT_EXPR_META_KEY); - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST); - if (reg >= 0) { + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND_FIRST, + NFT_XML_OPT, err) >= 0) { meta->dreg = reg; e->flags |= (1 << NFT_EXPR_META_DREG); } - reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST); - if (reg >= 0) { + if (nft_mxml_reg_parse(tree, "sreg", ®, MXML_DESCEND_FIRST, + NFT_XML_OPT, err) >= 0) { meta->sreg = reg; e->flags |= (1 << NFT_EXPR_META_SREG); } @@ -261,12 +264,15 @@ nft_rule_expr_meta_snprintf_default(char *buf, size_t len, { struct nft_expr_meta *meta = nft_expr_data(e); - if (e->flags & (1 << NFT_EXPR_META_SREG)) + if (e->flags & (1 << NFT_EXPR_META_SREG)) { return snprintf(buf, len, "set %s with reg %u ", meta_key2str(meta->key), meta->sreg); - - return snprintf(buf, len, "load %s => reg %u ", - meta_key2str(meta->key), meta->dreg); + } + if (e->flags & (1 << NFT_EXPR_META_DREG)) { + return snprintf(buf, len, "load %s => reg %u ", + meta_key2str(meta->key), meta->dreg); + } + return 0; } static int @@ -276,6 +282,12 @@ nft_rule_expr_meta_snprintf_xml(char *buf, size_t size, int ret, len = size, offset = 0; struct nft_expr_meta *meta = nft_expr_data(e); + if (e->flags & (1 << NFT_EXPR_META_DREG)) { + ret = snprintf(buf+offset, len, "<dreg>%u</dreg>", + meta->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + if (e->flags & (1 << NFT_EXPR_META_KEY)) { ret = snprintf(buf+offset, len, "<key>%s</key>", meta_key2str(meta->key)); @@ -288,12 +300,6 @@ nft_rule_expr_meta_snprintf_xml(char *buf, size_t size, SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } - if (e->flags & (1 << NFT_EXPR_META_DREG)) { - ret = snprintf(buf+offset, len, "<dreg>%u</dreg>", - meta->dreg); - SNPRINTF_BUFFER_SIZE(ret, size, len, offset); - } - return offset; } @@ -304,6 +310,12 @@ nft_rule_expr_meta_snprintf_json(char *buf, size_t size, int ret, len = size, offset = 0; struct nft_expr_meta *meta = nft_expr_data(e); + if (e->flags & (1 << NFT_EXPR_META_DREG)) { + ret = snprintf(buf+offset, len, "\"dreg\":%u,", + meta->dreg); + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + if (e->flags & (1 << NFT_EXPR_META_KEY)) { ret = snprintf(buf+offset, len, "\"key\":\"%s\",", meta_key2str(meta->key)); @@ -311,17 +323,11 @@ nft_rule_expr_meta_snprintf_json(char *buf, size_t size, } if (e->flags & (1 << NFT_EXPR_META_SREG)) { - ret = snprintf(buf+offset, len, "\"sreg\":%u\",", + ret = snprintf(buf+offset, len, "\"sreg\":%u,", meta->sreg); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); } - if (e->flags & (1 << NFT_EXPR_META_DREG)) { - ret = snprintf(buf+offset, len, "\"dreg\":%u\",", - meta->dreg); - SNPRINTF_BUFFER_SIZE(ret, size, len, offset); - } - /* Remove the last separator characther */ buf[offset-1] = '\0'; diff --git a/src/expr/nat.c b/src/expr/nat.c index 30b02ec..42f2b49 100644 --- a/src/expr/nat.c +++ b/src/expr/nat.c @@ -20,8 +20,8 @@ #include <arpa/inet.h> #include <libmnl/libmnl.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_nat { @@ -196,14 +196,15 @@ static inline int nft_str2nat(const char *nat) } } -static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root) +static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *nat_type, *family_str; uint32_t reg; int val32; - nat_type = nft_jansson_parse_str(root, "nat_type"); + nat_type = nft_jansson_parse_str(root, "nat_type", err); if (nat_type == NULL) return -1; @@ -213,7 +214,7 @@ static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_NAT_TYPE, val32); - family_str = nft_jansson_parse_str(root, "family"); + family_str = nft_jansson_parse_str(root, "family", err); if (family_str == NULL) return -1; @@ -224,25 +225,25 @@ static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_NAT_FAMILY, val32); if (nft_jansson_parse_reg(root, "sreg_addr_min", NFT_TYPE_U32, - ®) < 0) + ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_NAT_REG_ADDR_MIN, reg); if (nft_jansson_parse_reg(root, "sreg_addr_max", NFT_TYPE_U32, - ®) < 0) + ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_NAT_REG_ADDR_MAX, reg); if (nft_jansson_parse_reg(root, "sreg_proto_min", NFT_TYPE_U32, - ®) < 0) + ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_NAT_REG_PROTO_MIN, reg); if (nft_jansson_parse_reg(root, "sreg_proto_max", NFT_TYPE_U32, - ®) < 0) + ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_NAT_REG_PROTO_MAX, reg); @@ -254,16 +255,17 @@ static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root) #endif } -static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_nat *nat = nft_expr_data(e); const char *nat_type; - int32_t reg; int family, nat_type_value; + uint32_t reg; nat_type = nft_mxml_str_parse(tree, "type", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (nat_type == NULL) return -1; @@ -275,7 +277,7 @@ static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre e->flags |= (1 << NFT_EXPR_NAT_TYPE); family = nft_mxml_family_parse(tree, "family", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (family < 0) { mxmlDelete(tree); return -1; @@ -284,29 +286,29 @@ static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre nat->family = family; e->flags |= (1 << NFT_EXPR_NAT_FAMILY); - reg = nft_mxml_reg_parse(tree, "sreg_addr_min", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg_addr_min", ®, + MXML_DESCEND, NFT_XML_MAND, err) != 0) return -1; nat->sreg_addr_min = reg; e->flags |= (1 << NFT_EXPR_NAT_REG_ADDR_MIN); - reg = nft_mxml_reg_parse(tree, "sreg_addr_max", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg_addr_max", ®, + MXML_DESCEND, NFT_XML_MAND, err) != 0) return -1; nat->sreg_addr_max = reg; e->flags |= (1 << NFT_EXPR_NAT_REG_ADDR_MAX); - reg = nft_mxml_reg_parse(tree, "sreg_proto_min", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg_proto_min", ®, + MXML_DESCEND, NFT_XML_MAND, err) != 0) return -1; nat->sreg_proto_min = reg; e->flags |= (1 << NFT_EXPR_NAT_REG_PROTO_MIN); - reg = nft_mxml_reg_parse(tree, "sreg_proto_max", MXML_DESCEND); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "sreg_proto_max", ®, + MXML_DESCEND, NFT_XML_MAND, err) != 0) return -1; nat->sreg_proto_max = reg; diff --git a/src/expr/payload.c b/src/expr/payload.c index fc32ff2..ad82015 100644 --- a/src/expr/payload.c +++ b/src/expr/payload.c @@ -21,16 +21,16 @@ #include <linux/netfilter/nf_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_payload { enum nft_registers dreg; enum nft_payload_bases base; - unsigned int offset; - unsigned int len; + uint32_t offset; + uint32_t len; }; static int @@ -194,19 +194,20 @@ static inline int nft_str2base(const char *base) } static int -nft_rule_expr_payload_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_payload_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *base_str; uint32_t reg, uval32; int base; - if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®) < 0) + if (nft_jansson_parse_reg(root, "dreg", NFT_TYPE_U32, ®, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_DREG, reg); - base_str = nft_jansson_parse_str(root, "base"); + base_str = nft_jansson_parse_str(root, "base", err); if (base_str == NULL) return -1; @@ -216,12 +217,13 @@ nft_rule_expr_payload_json_parse(struct nft_rule_expr *e, json_t *root) nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_BASE, base); - if (nft_jansson_parse_val(root, "offset", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "offset", NFT_TYPE_U32, &uval32, + err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_OFFSET, uval32); - if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "len", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_LEN, uval32); @@ -234,22 +236,24 @@ nft_rule_expr_payload_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_payload *payload = nft_expr_data(e); const char *base_str; - int32_t reg, base; + int32_t base; + uint32_t reg; - reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST); - if (reg < 0) + if (nft_mxml_reg_parse(tree, "dreg", ®, MXML_DESCEND_FIRST, + NFT_XML_MAND, err) != 0) return -1; payload->dreg = reg; e->flags |= (1 << NFT_EXPR_PAYLOAD_DREG); base_str = nft_mxml_str_parse(tree, "base", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (base_str == NULL) return -1; @@ -262,13 +266,14 @@ nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) if (nft_mxml_num_parse(tree, "offset", MXML_DESCEND_FIRST, BASE_DEC, &payload->offset, NFT_TYPE_U8, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_PAYLOAD_OFFSET); if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC, - &payload->len, NFT_TYPE_U8, NFT_XML_MAND) != 0) + &payload->len, NFT_TYPE_U8, + NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_EXPR_PAYLOAD_LEN); diff --git a/src/expr/queue.c b/src/expr/queue.c index 4c1c8a7..c3d0e19 100644 --- a/src/expr/queue.c +++ b/src/expr/queue.c @@ -17,8 +17,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_queue { diff --git a/src/expr/reject.c b/src/expr/reject.c index 848f004..62346e9 100644 --- a/src/expr/reject.c +++ b/src/expr/reject.c @@ -18,8 +18,8 @@ #include "internal.h" #include <libmnl/libmnl.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" struct nft_expr_reject { @@ -122,18 +122,19 @@ nft_rule_expr_reject_parse(struct nft_rule_expr *e, struct nlattr *attr) } static int -nft_rule_expr_reject_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_reject_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING uint32_t type; uint16_t code; - if (nft_jansson_parse_val(root, "type", NFT_TYPE_U32, &type) < 0) + if (nft_jansson_parse_val(root, "type", NFT_TYPE_U32, &type, err) < 0) return -1; nft_rule_expr_set_u32(e, NFT_EXPR_REJECT_TYPE, type); - if (nft_jansson_parse_val(root, "code", NFT_TYPE_U8, &code) < 0) + if (nft_jansson_parse_val(root, "code", NFT_TYPE_U8, &code, err) < 0) return -1; nft_rule_expr_set_u8(e, NFT_EXPR_REJECT_CODE, code); @@ -146,19 +147,22 @@ nft_rule_expr_reject_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_reject_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_reject_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_reject *reject = nft_expr_data(e); if (nft_mxml_num_parse(tree, "type", MXML_DESCEND_FIRST, BASE_DEC, - &reject->type, NFT_TYPE_U32, NFT_XML_MAND) != 0) + &reject->type, NFT_TYPE_U32, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_REJECT_TYPE); if (nft_mxml_num_parse(tree, "code", MXML_DESCEND_FIRST, BASE_DEC, - &reject->icmp_code, NFT_TYPE_U8, NFT_XML_MAND) != 0) + &reject->icmp_code, NFT_TYPE_U8, NFT_XML_MAND, + err) != 0) return -1; e->flags |= (1 << NFT_EXPR_REJECT_CODE); diff --git a/src/expr/target.c b/src/expr/target.c index 23dff3a..36e37de 100644 --- a/src/expr/target.c +++ b/src/expr/target.c @@ -22,8 +22,8 @@ #include <linux/netfilter/nf_tables_compat.h> #include <linux/netfilter/x_tables.h> -#include <libnftables/expr.h> -#include <libnftables/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/rule.h> #include "expr_ops.h" @@ -171,12 +171,13 @@ static int nft_rule_expr_target_parse(struct nft_rule_expr *e, struct nlattr *at } static int -nft_rule_expr_target_json_parse(struct nft_rule_expr *e, json_t *root) +nft_rule_expr_target_json_parse(struct nft_rule_expr *e, json_t *root, + struct nft_parse_err *err) { #ifdef JSON_PARSING const char *name; - name = nft_jansson_parse_str(root, "name"); + name = nft_jansson_parse_str(root, "name", err); if (name == NULL) return -1; @@ -190,14 +191,15 @@ nft_rule_expr_target_json_parse(struct nft_rule_expr *e, json_t *root) } static int -nft_rule_expr_target_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree) +nft_rule_expr_target_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err) { #ifdef XML_PARSING struct nft_expr_target *tg = nft_expr_data(e); const char *name; name = nft_mxml_str_parse(tree, "name", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (name == NULL) return -1; diff --git a/src/expr_ops.h b/src/expr_ops.h index 26e0b82..b06f575 100644 --- a/src/expr_ops.h +++ b/src/expr_ops.h @@ -29,8 +29,10 @@ struct expr_ops { int (*parse)(struct nft_rule_expr *e, struct nlattr *attr); void (*build)(struct nlmsghdr *nlh, struct nft_rule_expr *e); int (*snprintf)(char *buf, size_t len, uint32_t type, uint32_t flags, struct nft_rule_expr *e); - int (*xml_parse)(struct nft_rule_expr *e, mxml_node_t *tree); - int (*json_parse)(struct nft_rule_expr *e, json_t *data); + int (*xml_parse)(struct nft_rule_expr *e, mxml_node_t *tree, + struct nft_parse_err *err); + int (*json_parse)(struct nft_rule_expr *e, json_t *data, + struct nft_parse_err *err); }; void nft_expr_ops_register(struct expr_ops *ops); diff --git a/src/internal.h b/src/internal.h index a10d874..a3fc46f 100644 --- a/src/internal.h +++ b/src/internal.h @@ -13,6 +13,7 @@ #include <stdint.h> #include <stdbool.h> +#include <libnftnl/common.h> #define BASE_DEC 10 #define BASE_HEX 16 @@ -30,64 +31,107 @@ enum nft_type { NFT_TYPE_S64, }; +struct nft_parse_err { + int line; + int column; + int error; + const char *node_name; +}; + +enum nft_parse_input { + NFT_PARSE_BUFFER, + NFT_PARSE_FILE, +}; + #ifdef XML_PARSING #include <mxml.h> #define NFT_XML_MAND 0 #define NFT_XML_OPT (1 << 0) -mxml_node_t *nft_mxml_build_tree(const char *xml, const char *treename); -struct nft_rule_expr *nft_mxml_expr_parse(mxml_node_t *node); -int nft_mxml_reg_parse(mxml_node_t *tree, const char *reg_name, uint32_t flags); +mxml_node_t *nft_mxml_build_tree(const void *data, const char *treename, + struct nft_parse_err *err, enum nft_parse_input input); +struct nft_rule_expr *nft_mxml_expr_parse(mxml_node_t *node, + struct nft_parse_err *err); +int nft_mxml_reg_parse(mxml_node_t *tree, const char *reg_name, uint32_t *reg, + uint32_t mxmlflags, uint32_t flags, + struct nft_parse_err *err); union nft_data_reg; -int nft_mxml_data_reg_parse(mxml_node_t *tree, const char *node_name, union nft_data_reg *data_reg, uint16_t flags); -int nft_mxml_num_parse(mxml_node_t *tree, const char *node_name, uint32_t mxml_flags, int base, void *number, enum nft_type type, uint16_t flags); -const char *nft_mxml_str_parse(mxml_node_t *tree, const char *node_name, uint32_t mxml_flags, uint16_t flags); -int nft_mxml_family_parse(mxml_node_t *tree, const char *node_name, uint32_t mxml_flags, uint16_t flags); +int nft_mxml_data_reg_parse(mxml_node_t *tree, const char *node_name, + union nft_data_reg *data_reg, uint16_t flags, + struct nft_parse_err *err); +int nft_mxml_num_parse(mxml_node_t *tree, const char *node_name, + uint32_t mxml_flags, int base, void *number, + enum nft_type type, uint16_t flags, + struct nft_parse_err *err); +const char *nft_mxml_str_parse(mxml_node_t *tree, const char *node_name, + uint32_t mxml_flags, uint16_t flags, + struct nft_parse_err *err); +int nft_mxml_family_parse(mxml_node_t *tree, const char *node_name, + uint32_t mxml_flags, uint16_t flags, + struct nft_parse_err *err); struct nft_set_elem; -int nft_mxml_set_elem_parse(mxml_node_t *node, struct nft_set_elem *e); +int nft_mxml_set_elem_parse(mxml_node_t *node, struct nft_set_elem *e, + struct nft_parse_err *err); struct nft_table; -int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t); +int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t, + struct nft_parse_err *err); struct nft_chain; -int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c); +int nft_mxml_chain_parse(mxml_node_t *tree, struct nft_chain *c, + struct nft_parse_err *err); struct nft_rule; -int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r); +int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r, + struct nft_parse_err *err); struct nft_set; -int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s); +int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s, + struct nft_parse_err *err); #endif #ifdef JSON_PARSING #include <jansson.h> -int nft_jansson_parse_val(json_t *root, const char *tag, int type, void *out); -const char *nft_jansson_parse_str(json_t *root, const char *tag); -bool nft_jansson_node_exist(json_t *root, const char *tag); -json_t *nft_jansson_create_root(const char *json, json_error_t *err); -json_t *nft_jansson_get_node(json_t *root, const char *tag); + +int nft_jansson_parse_val(json_t *root, const char *node_name, int type, + void *out, struct nft_parse_err *err); +const char *nft_jansson_parse_str(json_t *root, const char *node_name, + struct nft_parse_err *err); +bool nft_jansson_node_exist(json_t *root, const char *node_name); +json_t *nft_jansson_create_root(const void *json, json_error_t *error, + struct nft_parse_err *err, enum nft_parse_input input); +json_t *nft_jansson_get_node(json_t *root, const char *node_name, + struct nft_parse_err *err); void nft_jansson_free_root(json_t *root); -int nft_jansson_parse_family(json_t *root, void *out); -int nft_jansson_str2num(json_t *root, const char *tag, int base, void *out, - enum nft_type type); -int nft_jansson_parse_reg(json_t *root, const char *tag, int type, void *out); -struct nft_rule_expr *nft_jansson_expr_parse(json_t *root); +int nft_jansson_parse_family(json_t *root, void *out, struct nft_parse_err *err); +int nft_jansson_str2num(json_t *root, const char *node_name, int base, void *out, + enum nft_type type, struct nft_parse_err *err); +int nft_jansson_parse_reg(json_t *root, const char *node_name, int type, + void *out, struct nft_parse_err *err); +struct nft_rule_expr *nft_jansson_expr_parse(json_t *root, + struct nft_parse_err *err); union nft_data_reg; -int nft_jansson_data_reg_parse(json_t *root, const char *tag, - union nft_data_reg *data_reg); +int nft_jansson_data_reg_parse(json_t *root, const char *node_name, + union nft_data_reg *data_reg, + struct nft_parse_err *err); struct nft_set_elem; -int nft_set_elem_json_parse(struct nft_set_elem *e, json_t *root); +int nft_jansson_set_elem_parse(struct nft_set_elem *e, json_t *root, + struct nft_parse_err *err); struct nft_table; -int nft_jansson_parse_table(struct nft_table *t, json_t *tree); +int nft_jansson_parse_table(struct nft_table *t, json_t *tree, + struct nft_parse_err *err); struct nft_chain; -int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree); +int nft_jansson_parse_chain(struct nft_chain *c, json_t *tree, + struct nft_parse_err *err); struct nft_rule; -int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree); +int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree, + struct nft_parse_err *err); struct nft_set; -int nft_jansson_parse_set(struct nft_set *s, json_t *tree); +int nft_jansson_parse_set(struct nft_set *s, json_t *tree, + struct nft_parse_err *err); #endif const char *nft_family2str(uint32_t family); int nft_str2family(const char *family); int nft_strtoi(const char *string, int base, void *number, enum nft_type type); const char *nft_verdict2str(uint32_t verdict); -int nft_str2verdict(const char *verdict); +int nft_str2verdict(const char *verdict, int *verdict_num); int nft_get_value(enum nft_type type, void *val, void *out); #include <stdio.h> diff --git a/src/jansson.c b/src/jansson.c index 04146e2..5107eb5 100644 --- a/src/jansson.c +++ b/src/jansson.c @@ -16,25 +16,29 @@ #include <errno.h> #include <string.h> #include "expr_ops.h" -#include <libnftables/set.h> +#include <libnftnl/set.h> -#include <libnftables/expr.h> +#include <libnftnl/expr.h> #include <linux/netfilter/nf_tables.h> #ifdef JSON_PARSING -static int nft_jansson_load_int_node(json_t *root, const char *tag, - json_int_t *val) +static int nft_jansson_load_int_node(json_t *root, const char *node_name, + json_int_t *val, struct nft_parse_err *err) { json_t *node; - node = json_object_get(root, tag); + node = json_object_get(root, node_name); if (node == NULL) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = node_name; errno = EINVAL; return -1; } if (!json_is_integer(node)) { + err->error = NFT_PARSE_EBADTYPE; + err->node_name = node_name; errno = ERANGE; return -1; } @@ -43,26 +47,35 @@ static int nft_jansson_load_int_node(json_t *root, const char *tag, return 0; } -const char *nft_jansson_parse_str(json_t *root, const char *tag) +const char *nft_jansson_parse_str(json_t *root, const char *node_name, + struct nft_parse_err *err) { json_t *node; const char *val; - node = json_object_get(root, tag); + node = json_object_get(root, node_name); if (node == NULL) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = node_name; errno = EINVAL; return NULL; } + val = json_string_value(node); + if (val == NULL) { + err->error = NFT_PARSE_EBADTYPE; + err->node_name = node_name; + } return val; } -int nft_jansson_parse_val(json_t *root, const char *tag, int type, void *out) +int nft_jansson_parse_val(json_t *root, const char *node_name, int type, + void *out, struct nft_parse_err *err) { json_int_t val; - if (nft_jansson_load_int_node(root, tag, &val) == -1) + if (nft_jansson_load_int_node(root, node_name, &val, err) == -1) return -1; if (nft_get_value(type, &val, out) == -1) @@ -71,30 +84,50 @@ int nft_jansson_parse_val(json_t *root, const char *tag, int type, void *out) return 0; } -bool nft_jansson_node_exist(json_t *root, const char *tag) +bool nft_jansson_node_exist(json_t *root, const char *node_name) { - return json_object_get(root, tag) != NULL; + return json_object_get(root, node_name) != NULL; } -json_t *nft_jansson_create_root(const char *json, json_error_t *err) +json_t *nft_jansson_create_root(const void *json, json_error_t *error, + struct nft_parse_err *err, enum nft_parse_input input) { json_t *root; - root = json_loadb(json, strlen(json), 0, err); + switch (input) { + case NFT_PARSE_BUFFER: + root = json_loadb(json, strlen(json), 0, error); + break; + case NFT_PARSE_FILE: + root = json_loadf((FILE *)json, 0, error); + break; + default: + goto err; + } + if (root == NULL) { - errno = EINVAL; - return NULL; + err->error = NFT_PARSE_EBADINPUT; + err->line = error->line; + err->column = error->column; + err->node_name = error->source; + goto err; } return root; +err: + errno = EINVAL; + return NULL; } -json_t *nft_jansson_get_node(json_t *root, const char *tag) +json_t *nft_jansson_get_node(json_t *root, const char *node_name, + struct nft_parse_err *err) { json_t *node; - node = json_object_get(root, tag); + node = json_object_get(root, node_name); if (node == NULL) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = node_name; errno = EINVAL; return NULL; } @@ -107,17 +140,18 @@ void nft_jansson_free_root(json_t *root) json_decref(root); } -int nft_jansson_parse_family(json_t *root, void *out) +int nft_jansson_parse_family(json_t *root, void *out, struct nft_parse_err *err) { const char *str; int family; - str = nft_jansson_parse_str(root, "family"); + str = nft_jansson_parse_str(root, "family", err); if (str == NULL) return -1; family = nft_str2family(str); if (family < 0) { + err->node_name = "family"; errno = EINVAL; return -1; } @@ -126,9 +160,10 @@ int nft_jansson_parse_family(json_t *root, void *out) return 0; } -int nft_jansson_parse_reg(json_t *root, const char *tag, int type, void *out) +int nft_jansson_parse_reg(json_t *root, const char *node_name, int type, + void *out, struct nft_parse_err *err) { - if (nft_jansson_parse_val(root, tag, type, out) < 0) + if (nft_jansson_parse_val(root, node_name, type, out, err) < 0) return -1; if (*((uint32_t *)out) > NFT_REG_MAX){ @@ -139,107 +174,102 @@ int nft_jansson_parse_reg(json_t *root, const char *tag, int type, void *out) return 0; } -int nft_jansson_str2num(json_t *root, const char *tag, int base, - void *out, enum nft_type type) +int nft_jansson_str2num(json_t *root, const char *node_name, int base, + void *out, enum nft_type type, struct nft_parse_err *err) { const char *str; - str = nft_jansson_parse_str(root, tag); + str = nft_jansson_parse_str(root, node_name, err); if (str == NULL) return -1; return nft_strtoi(str, base, out, type); } -struct nft_rule_expr *nft_jansson_expr_parse(json_t *root) +struct nft_rule_expr *nft_jansson_expr_parse(json_t *root, + struct nft_parse_err *err) { struct nft_rule_expr *e; const char *type; int ret; - type = nft_jansson_parse_str(root, "type"); + type = nft_jansson_parse_str(root, "type", err); if (type == NULL) return NULL; e = nft_rule_expr_alloc(type); - if (e == NULL) - return NULL;; + if (e == NULL) { + err->node_name = "type"; + return NULL; + } - ret = e->ops->json_parse(e, root); + ret = e->ops->json_parse(e, root, err); return ret < 0 ? NULL : e; } -int nft_jansson_data_reg_parse(json_t *root, const char *tag, - union nft_data_reg *data_reg) +int nft_jansson_data_reg_parse(json_t *root, const char *node_name, + union nft_data_reg *data_reg, + struct nft_parse_err *err) { json_t *data; - const char *type; int ret; - data = json_object_get(root, tag); + data = json_object_get(root, node_name); if (data == NULL) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = node_name; errno = EINVAL; return -1; } data = json_object_get(data, "data_reg"); if (data == NULL) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = "data_reg"; errno = EINVAL; return -1; } - ret = nft_data_reg_json_parse(data_reg, data); - - if (ret < 0) { + ret = nft_data_reg_json_parse(data_reg, data, err); + if (ret == DATA_NONE) { errno = EINVAL; return -1; } - type = nft_jansson_parse_str(data, "type"); - if (type == NULL) - return -1; - - if (strcmp(type, "value") == 0) - return DATA_VALUE; - else if (strcmp(type, "verdict") == 0) - return DATA_VERDICT; - else if (strcmp(type, "chain") == 0) - return DATA_CHAIN; - else { - errno = EINVAL; - return -1; - } + return ret; } -int nft_set_elem_json_parse(struct nft_set_elem *e, json_t *root) +int nft_jansson_set_elem_parse(struct nft_set_elem *e, json_t *root, + struct nft_parse_err *err) { uint32_t uval32; int set_elem_data; - if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_set_elem_attr_set_u32(e, NFT_SET_ELEM_ATTR_FLAGS, uval32); - if (nft_jansson_data_reg_parse(root, "key", &e->key) != DATA_VALUE) + if (nft_jansson_data_reg_parse(root, "key", &e->key, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_SET_ELEM_ATTR_KEY); if (nft_jansson_node_exist(root, "data")) { set_elem_data = nft_jansson_data_reg_parse(root, "data", - &e->data); + &e->data, err); switch (set_elem_data) { case DATA_VALUE: e->flags |= (1 << NFT_SET_ELEM_ATTR_DATA); break; case DATA_VERDICT: e->flags |= (1 << NFT_SET_ELEM_ATTR_VERDICT); + if (e->data.chain != NULL) + e->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN); + break; - case DATA_CHAIN: - e->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN); - break; + case DATA_NONE: default: return -1; } diff --git a/src/libnftables.map b/src/libnftnl.map index 7dc9aee..43378ed 100644 --- a/src/libnftables.map +++ b/src/libnftnl.map @@ -1,4 +1,4 @@ -LIBNFTABLES_1.0 { +LIBNFTNL_1.0 { global: nft_table_alloc; nft_table_free; @@ -13,6 +13,7 @@ global: nft_table_attr_get_u32; nft_table_attr_get_str; nft_table_parse; + nft_table_parse_file; nft_table_snprintf; nft_table_fprintf; nft_table_nlmsg_build_payload; @@ -45,6 +46,7 @@ global: nft_chain_attr_get_u64; nft_chain_attr_get_str; nft_chain_parse; + nft_chain_parse_file; nft_chain_snprintf; nft_chain_fprintf; nft_chain_nlmsg_build_payload; @@ -74,6 +76,7 @@ global: nft_rule_attr_get_u64; nft_rule_attr_get_str; nft_rule_parse; + nft_rule_parse_file; nft_rule_snprintf; nft_rule_fprintf; nft_rule_nlmsg_build_payload; @@ -128,6 +131,7 @@ global: nft_set_nlmsg_build_payload; nft_set_nlmsg_parse; nft_set_parse; + nft_set_parse_file; nft_set_snprintf; nft_set_fprintf; @@ -159,6 +163,7 @@ global: nft_set_elem_nlmsg_build_payload; nft_set_elem_nlmsg_parse; nft_set_elem_parse; + nft_set_elem_parse_file; nft_set_elem_snprintf; nft_set_elem_fprinf; @@ -179,10 +184,15 @@ global: nft_ruleset_attr_set; nft_ruleset_attr_get; nft_ruleset_parse; + nft_ruleset_parse_file; nft_ruleset_snprintf; nft_ruleset_fprintf; nft_nlmsg_build_hdr; + nft_parse_err_alloc; + nft_parse_err_free; + nft_parse_perror; + local: *; }; @@ -15,31 +15,50 @@ #include <limits.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/table.h> -#include <libnftables/chain.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> -#include <libnftables/set.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> +#include <libnftnl/set.h> #ifdef XML_PARSING -mxml_node_t *nft_mxml_build_tree(const char *xml, const char *treename) +mxml_node_t *nft_mxml_build_tree(const void *data, const char *treename, + struct nft_parse_err *err, enum nft_parse_input input) { mxml_node_t *tree; - tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK); - if (tree == NULL) + switch (input) { + case NFT_PARSE_BUFFER: + tree = mxmlLoadString(NULL, data, MXML_OPAQUE_CALLBACK); + break; + case NFT_PARSE_FILE: + tree = mxmlLoadFile(NULL, (FILE *)data, MXML_OPAQUE_CALLBACK); + break; + default: goto err; + } + + if (tree == NULL) { + err->error = NFT_PARSE_EBADINPUT; + goto err; + } if (strcmp(tree->value.opaque, treename) == 0) return tree; + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = treename; + mxmlDelete(tree); err: + err->line = 0; + err->column = 0; errno = EINVAL; return NULL; } -struct nft_rule_expr *nft_mxml_expr_parse(mxml_node_t *node) +struct nft_rule_expr *nft_mxml_expr_parse(mxml_node_t *node, + struct nft_parse_err *err) { mxml_node_t *tree; struct nft_rule_expr *e; @@ -48,8 +67,11 @@ struct nft_rule_expr *nft_mxml_expr_parse(mxml_node_t *node) int ret; expr_name = mxmlElementGetAttr(node, "type"); - if (expr_name == NULL) + if (expr_name == NULL) { + err->node_name = "type"; + err->error = NFT_PARSE_EMISSINGNODE; goto err; + } e = nft_rule_expr_alloc(expr_name); if (e == NULL) @@ -65,7 +87,7 @@ struct nft_rule_expr *nft_mxml_expr_parse(mxml_node_t *node) if (tree == NULL) goto err_expr; - ret = e->ops->xml_parse(e, tree); + ret = e->ops->xml_parse(e, tree, err); mxmlDelete(tree); return ret < 0 ? NULL : e; @@ -77,94 +99,130 @@ err: return NULL; } -int nft_mxml_reg_parse(mxml_node_t *tree, const char *reg_name, uint32_t flags) +int nft_mxml_reg_parse(mxml_node_t *tree, const char *reg_name, uint32_t *reg, + uint32_t mxmlflags, uint32_t flags, + struct nft_parse_err *err) { mxml_node_t *node; - uint64_t val; - node = mxmlFindElement(tree, tree, reg_name, NULL, NULL, flags); + node = mxmlFindElement(tree, tree, reg_name, NULL, NULL, mxmlflags); if (node == NULL) { - errno = EINVAL; - goto err; + if (!(flags & NFT_XML_OPT)) { + err->error = NFT_PARSE_EMISSINGNODE; + errno = EINVAL; + goto err; + } + return -1; } - if (nft_strtoi(node->child->value.opaque, BASE_DEC, &val, - NFT_TYPE_U64) != 0) + if (nft_strtoi(node->child->value.opaque, BASE_DEC, reg, + NFT_TYPE_U32) != 0) { + err->error = NFT_PARSE_EBADTYPE; goto err; + } - if (val > NFT_REG_MAX) { + if (*reg > NFT_REG_MAX) { errno = ERANGE; goto err; } - return val; + + return 0; err: + err->node_name = reg_name; return -1; } int nft_mxml_data_reg_parse(mxml_node_t *tree, const char *node_name, - union nft_data_reg *data_reg, uint16_t flags) + union nft_data_reg *data_reg, uint16_t flags, + struct nft_parse_err *err) { mxml_node_t *node; node = mxmlFindElement(tree, tree, node_name, NULL, NULL, MXML_DESCEND_FIRST); if (node == NULL || node->child == NULL) { - if (!(flags & NFT_XML_OPT)) + if (!(flags & NFT_XML_OPT)) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = node_name; errno = EINVAL; + } return DATA_NONE; } - return nft_data_reg_xml_parse(data_reg, node); + return nft_data_reg_xml_parse(data_reg, node, err); } int nft_mxml_num_parse(mxml_node_t *tree, const char *node_name, uint32_t mxml_flags, int base, void *number, - enum nft_type type, uint16_t flags) + enum nft_type type, uint16_t flags, + struct nft_parse_err *err) { mxml_node_t *node = NULL; + int ret; node = mxmlFindElement(tree, tree, node_name, NULL, NULL, mxml_flags); if (node == NULL || node->child == NULL) { - if (!(flags & NFT_XML_OPT)) + if (!(flags & NFT_XML_OPT)) { errno = EINVAL; - + err->node_name = node_name; + err->error = NFT_PARSE_EMISSINGNODE; + } return -1; } - return nft_strtoi(node->child->value.opaque, base, number, type); + + ret = nft_strtoi(node->child->value.opaque, base, number, type); + + if (ret != 0) { + err->error = NFT_PARSE_EBADTYPE; + err->node_name = node_name; + } + return ret; } const char *nft_mxml_str_parse(mxml_node_t *tree, const char *node_name, - uint32_t mxml_flags, uint16_t flags) + uint32_t mxml_flags, uint16_t flags, + struct nft_parse_err *err) { mxml_node_t *node; + const char *ret; node = mxmlFindElement(tree, tree, node_name, NULL, NULL, mxml_flags); if (node == NULL || node->child == NULL) { - if (!(flags & NFT_XML_OPT)) + if (!(flags & NFT_XML_OPT)) { errno = EINVAL; - + err->node_name = node_name; + err->error = NFT_PARSE_EMISSINGNODE; + } return NULL; } - return node->child->value.opaque; + ret = node->child->value.opaque; + if (ret == NULL) { + err->node_name = node_name; + err->error = NFT_PARSE_EBADTYPE; + } + return ret; } int nft_mxml_family_parse(mxml_node_t *tree, const char *node_name, - uint32_t mxml_flags, uint16_t flags) + uint32_t mxml_flags, uint16_t flags, + struct nft_parse_err *err) { const char *family_str; int family; family_str = nft_mxml_str_parse(tree, node_name, mxml_flags, - flags); + flags, err); if (family_str == NULL) return -1; family = nft_str2family(family_str); - if (family < 0) + if (family < 0) { + err->node_name = node_name; errno = EAFNOSUPPORT; + } return family; } @@ -24,8 +24,8 @@ #include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> #include "linux_list.h" #include "expr_ops.h" @@ -442,7 +442,8 @@ int nft_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_rule *r) EXPORT_SYMBOL(nft_rule_nlmsg_parse); #ifdef JSON_PARSING -int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree) +int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree, + struct nft_parse_err *err) { json_t *root, *array; struct nft_rule_expr *e; @@ -451,28 +452,29 @@ int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree) uint32_t uval32; int i, family; - root = nft_jansson_get_node(tree, "rule"); + root = nft_jansson_get_node(tree, "rule", err); if (root == NULL) return -1; - if (nft_jansson_parse_family(root, &family) != 0) + if (nft_jansson_parse_family(root, &family, err) != 0) goto err; nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FAMILY, family); - str = nft_jansson_parse_str(root, "table"); + str = nft_jansson_parse_str(root, "table", err); if (str == NULL) goto err; nft_rule_attr_set_str(r, NFT_RULE_ATTR_TABLE, str); - str = nft_jansson_parse_str(root, "chain"); + str = nft_jansson_parse_str(root, "chain", err); if (str == NULL) goto err; nft_rule_attr_set_str(r, NFT_RULE_ATTR_CHAIN, str); - if (nft_jansson_parse_val(root, "handle", NFT_TYPE_U64, &uval64) < 0) + if (nft_jansson_parse_val(root, "handle", NFT_TYPE_U64, &uval64, + err) < 0) goto err; nft_rule_attr_set_u64(r, NFT_RULE_ATTR_HANDLE, uval64); @@ -480,13 +482,13 @@ int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree) if (nft_jansson_node_exist(root, "compat_proto") || nft_jansson_node_exist(root, "compat_flags")) { if (nft_jansson_parse_val(root, "compat_proto", NFT_TYPE_U32, - &uval32) < 0) + &uval32, err) < 0) goto err; nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, uval32); if (nft_jansson_parse_val(root, "compat_flags", NFT_TYPE_U32, - &uval32) < 0) + &uval32, err) < 0) goto err; nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS, uval32); @@ -494,19 +496,22 @@ int nft_jansson_parse_rule(struct nft_rule *r, json_t *tree) if (nft_jansson_node_exist(root, "position")) { if (nft_jansson_parse_val(root, "position", NFT_TYPE_U64, - &uval64) < 0) + &uval64, err) < 0) goto err; nft_rule_attr_set_u64(r, NFT_RULE_ATTR_POSITION, uval64); } array = json_object_get(root, "expr"); - if (array == NULL) + if (array == NULL) { + err->error = NFT_PARSE_EMISSINGNODE; + err->node_name = "expr"; goto err; + } for (i = 0; i < json_array_size(array); ++i) { - e = nft_jansson_expr_parse(json_array_get(array, i)); + e = nft_jansson_expr_parse(json_array_get(array, i), err); if (e == NULL) goto err; @@ -521,17 +526,19 @@ err: } #endif -static int nft_rule_json_parse(struct nft_rule *r, const char *json) +static int nft_rule_json_parse(struct nft_rule *r, const void *json, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef JSON_PARSING json_t *tree; json_error_t error; - tree = nft_jansson_create_root(json, &error); + tree = nft_jansson_create_root(json, &error, err, input); if (tree == NULL) return -1; - return nft_jansson_parse_rule(r, tree); + return nft_jansson_parse_rule(r, tree, err); #else errno = EOPNOTSUPP; return -1; @@ -539,7 +546,8 @@ static int nft_rule_json_parse(struct nft_rule *r, const char *json) } #ifdef XML_PARSING -int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) +int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r, + struct nft_parse_err *err) { mxml_node_t *node; struct nft_rule_expr *e; @@ -547,7 +555,7 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) int family; family = nft_mxml_family_parse(tree, "family", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (family < 0) return -1; @@ -555,7 +563,7 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) r->flags |= (1 << NFT_RULE_ATTR_FAMILY); table = nft_mxml_str_parse(tree, "table", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (table == NULL) return -1; @@ -566,7 +574,7 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) r->flags |= (1 << NFT_RULE_ATTR_TABLE); chain = nft_mxml_str_parse(tree, "chain", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (chain == NULL) return -1; @@ -577,19 +585,19 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) r->flags |= (1 << NFT_RULE_ATTR_CHAIN); if (nft_mxml_num_parse(tree, "handle", MXML_DESCEND_FIRST, BASE_DEC, - &r->handle, NFT_TYPE_U64, NFT_XML_MAND) != 0) + &r->handle, NFT_TYPE_U64, NFT_XML_MAND, err) != 0) return -1; r->flags |= (1 << NFT_RULE_ATTR_HANDLE); if (nft_mxml_num_parse(tree, "compat_proto", MXML_DESCEND_FIRST, BASE_DEC, &r->compat.proto, NFT_TYPE_U32, - NFT_XML_OPT) >= 0) + NFT_XML_OPT, err) >= 0) r->flags |= (1 << NFT_RULE_ATTR_COMPAT_PROTO); if (nft_mxml_num_parse(tree, "compat_flags", MXML_DESCEND_FIRST, BASE_DEC, &r->compat.flags, NFT_TYPE_U32, - NFT_XML_OPT) >= 0) + NFT_XML_OPT, err) >= 0) r->flags |= (1 << NFT_RULE_ATTR_COMPAT_FLAGS); if (nft_rule_attr_is_set(r, NFT_RULE_ATTR_COMPAT_PROTO) != @@ -600,7 +608,7 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) if (nft_mxml_num_parse(tree, "position", MXML_DESCEND_FIRST, BASE_DEC, &r->position, NFT_TYPE_U64, - NFT_XML_OPT) >= 0) + NFT_XML_OPT, err) >= 0) r->flags |= (1 << NFT_RULE_ATTR_POSITION); /* Iterating over <expr> */ @@ -609,7 +617,7 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) node != NULL; node = mxmlFindElement(node, tree, "expr", "type", NULL, MXML_DESCEND)) { - e = nft_mxml_expr_parse(node); + e = nft_mxml_expr_parse(node, err); if (e == NULL) return -1; @@ -620,15 +628,17 @@ int nft_mxml_rule_parse(mxml_node_t *tree, struct nft_rule *r) } #endif -static int nft_rule_xml_parse(struct nft_rule *r, const char *xml) +static int nft_rule_xml_parse(struct nft_rule *r, const void *xml, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef XML_PARSING int ret; - mxml_node_t *tree = nft_mxml_build_tree(xml, "rule"); + mxml_node_t *tree = nft_mxml_build_tree(xml, "rule", err, input); if (tree == NULL) return -1; - ret = nft_mxml_rule_parse(tree, r); + ret = nft_mxml_rule_parse(tree, r, err); mxmlDelete(tree); return ret; #else @@ -637,28 +647,44 @@ static int nft_rule_xml_parse(struct nft_rule *r, const char *xml) #endif } -int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, - const char *data) +static int nft_rule_do_parse(struct nft_rule *r, enum nft_parse_type type, + const void *data, struct nft_parse_err *err, + enum nft_parse_input input) { int ret; + struct nft_parse_err perr; switch (type) { case NFT_PARSE_XML: - ret = nft_rule_xml_parse(r, data); + ret = nft_rule_xml_parse(r, data, &perr, input); break; case NFT_PARSE_JSON: - ret = nft_rule_json_parse(r, data); + ret = nft_rule_json_parse(r, data, &perr, input); break; default: ret = -1; errno = EOPNOTSUPP; break; } + if (err != NULL) + *err = perr; return ret; } +int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, + const char *data, struct nft_parse_err *err) +{ + return nft_rule_do_parse(r, type, data, err, NFT_PARSE_BUFFER); +} EXPORT_SYMBOL(nft_rule_parse); +int nft_rule_parse_file(struct nft_rule *r, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err) +{ + return nft_rule_do_parse(r, type, fp, err, NFT_PARSE_FILE); +} +EXPORT_SYMBOL(nft_rule_parse_file); + static int nft_rule_snprintf_json(char *buf, size_t size, struct nft_rule *r, uint32_t type, uint32_t flags) { diff --git a/src/ruleset.c b/src/ruleset.c index f591382..3cbec09 100644 --- a/src/ruleset.c +++ b/src/ruleset.c @@ -17,11 +17,11 @@ #include <stdlib.h> #include <libmnl/libmnl.h> -#include <libnftables/ruleset.h> -#include <libnftables/table.h> -#include <libnftables/chain.h> -#include <libnftables/set.h> -#include <libnftables/rule.h> +#include <libnftnl/ruleset.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/set.h> +#include <libnftnl/rule.h> struct nft_ruleset { struct nft_table_list *table_list; @@ -132,7 +132,8 @@ const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr) EXPORT_SYMBOL(nft_ruleset_attr_get); #ifdef JSON_PARSING -static int nft_ruleset_json_parse_tables(struct nft_ruleset *rs, json_t *array) +static int nft_ruleset_json_parse_tables(struct nft_ruleset *rs, json_t *array, + struct nft_parse_err *err) { int i, len; json_t *node; @@ -161,7 +162,7 @@ static int nft_ruleset_json_parse_tables(struct nft_ruleset *rs, json_t *array) goto err; } - if (nft_jansson_parse_table(o, node) < 0) { + if (nft_jansson_parse_table(o, node, err) < 0) { nft_table_free(o); goto err; } @@ -180,7 +181,8 @@ err: return -1; } -static int nft_ruleset_json_parse_chains(struct nft_ruleset *rs, json_t *array) +static int nft_ruleset_json_parse_chains(struct nft_ruleset *rs, json_t *array, + struct nft_parse_err *err) { int i, len; json_t *node; @@ -209,7 +211,7 @@ static int nft_ruleset_json_parse_chains(struct nft_ruleset *rs, json_t *array) goto err; } - if (nft_jansson_parse_chain(o, node) < 0) { + if (nft_jansson_parse_chain(o, node, err) < 0) { nft_chain_free(o); goto err; } @@ -228,7 +230,8 @@ err: return -1; } -static int nft_ruleset_json_parse_sets(struct nft_ruleset *rs, json_t *array) +static int nft_ruleset_json_parse_sets(struct nft_ruleset *rs, json_t *array, + struct nft_parse_err *err) { int i, len; json_t *node; @@ -257,7 +260,7 @@ static int nft_ruleset_json_parse_sets(struct nft_ruleset *rs, json_t *array) goto err; } - if (nft_jansson_parse_set(s, node) < 0) { + if (nft_jansson_parse_set(s, node, err) < 0) { nft_set_free(s); goto err; } @@ -276,7 +279,8 @@ err: return -1; } -static int nft_ruleset_json_parse_rules(struct nft_ruleset *rs, json_t *array) +static int nft_ruleset_json_parse_rules(struct nft_ruleset *rs, json_t *array, + struct nft_parse_err *err) { int i, len; json_t *node; @@ -305,7 +309,7 @@ static int nft_ruleset_json_parse_rules(struct nft_ruleset *rs, json_t *array) goto err; } - if (nft_jansson_parse_rule(o, node) < 0) { + if (nft_jansson_parse_rule(o, node, err) < 0) { nft_rule_free(o); goto err; } @@ -326,13 +330,14 @@ err: #endif -static int nft_ruleset_json_parse(struct nft_ruleset *rs, const char *json) +static int nft_ruleset_json_parse(struct nft_ruleset *rs, const void *json, + struct nft_parse_err *err, enum nft_parse_input input) { #ifdef JSON_PARSING json_t *root, *array; json_error_t error; - root = nft_jansson_create_root(json, &error); + root = nft_jansson_create_root(json, &error, err, input); if (root == NULL) return -1; @@ -342,16 +347,16 @@ static int nft_ruleset_json_parse(struct nft_ruleset *rs, const char *json) goto err; } - if (nft_ruleset_json_parse_tables(rs, array) != 0) + if (nft_ruleset_json_parse_tables(rs, array, err) != 0) goto err; - if (nft_ruleset_json_parse_chains(rs, array) != 0) + if (nft_ruleset_json_parse_chains(rs, array, err) != 0) goto err; - if (nft_ruleset_json_parse_sets(rs, array) != 0) + if (nft_ruleset_json_parse_sets(rs, array, err) != 0) goto err; - if (nft_ruleset_json_parse_rules(rs, array) != 0) + if (nft_ruleset_json_parse_rules(rs, array, err) != 0) goto err; nft_jansson_free_root(root); @@ -367,7 +372,8 @@ err: #ifdef XML_PARSING static int -nft_ruleset_xml_parse_tables(struct nft_ruleset *rs, mxml_node_t *tree) +nft_ruleset_xml_parse_tables(struct nft_ruleset *rs, mxml_node_t *tree, + struct nft_parse_err *err) { mxml_node_t *node; struct nft_table *t; @@ -386,7 +392,7 @@ nft_ruleset_xml_parse_tables(struct nft_ruleset *rs, mxml_node_t *tree) if (t == NULL) goto err_free; - if (nft_mxml_table_parse(node, t) != 0) { + if (nft_mxml_table_parse(node, t, err) != 0) { nft_table_free(t); goto err_free; } @@ -407,7 +413,8 @@ err_free: } static int -nft_ruleset_xml_parse_chains(struct nft_ruleset *rs, mxml_node_t *tree) +nft_ruleset_xml_parse_chains(struct nft_ruleset *rs, mxml_node_t *tree, + struct nft_parse_err *err) { mxml_node_t *node; struct nft_chain *c; @@ -426,7 +433,7 @@ nft_ruleset_xml_parse_chains(struct nft_ruleset *rs, mxml_node_t *tree) if (c == NULL) goto err_free; - if (nft_mxml_chain_parse(node, c) != 0) { + if (nft_mxml_chain_parse(node, c, err) != 0) { nft_chain_free(c); goto err_free; } @@ -447,7 +454,8 @@ err_free: } static int -nft_ruleset_xml_parse_sets(struct nft_ruleset *rs, mxml_node_t *tree) +nft_ruleset_xml_parse_sets(struct nft_ruleset *rs, mxml_node_t *tree, + struct nft_parse_err *err) { mxml_node_t *node; struct nft_set *s; @@ -466,7 +474,7 @@ nft_ruleset_xml_parse_sets(struct nft_ruleset *rs, mxml_node_t *tree) if (s == NULL) goto err_free; - if (nft_mxml_set_parse(node, s) != 0) { + if (nft_mxml_set_parse(node, s, err) != 0) { nft_set_free(s); goto err_free; } @@ -486,7 +494,8 @@ err_free: } static int -nft_ruleset_xml_parse_rules(struct nft_ruleset *rs, mxml_node_t *tree) +nft_ruleset_xml_parse_rules(struct nft_ruleset *rs, mxml_node_t *tree, + struct nft_parse_err *err) { mxml_node_t *node; struct nft_rule *r; @@ -505,7 +514,7 @@ nft_ruleset_xml_parse_rules(struct nft_ruleset *rs, mxml_node_t *tree) if (r == NULL) goto err_free; - if (nft_mxml_rule_parse(node, r) != 0) { + if (nft_mxml_rule_parse(node, r, err) != 0) { nft_rule_free(r); goto err_free; } @@ -525,25 +534,26 @@ err_free: } #endif -static int nft_ruleset_xml_parse(struct nft_ruleset *rs, const char *xml) +static int nft_ruleset_xml_parse(struct nft_ruleset *rs, const void *xml, + struct nft_parse_err *err, enum nft_parse_input input) { #ifdef XML_PARSING mxml_node_t *tree; - tree = nft_mxml_build_tree(xml, "nftables"); + tree = nft_mxml_build_tree(xml, "nftables", err, input); if (tree == NULL) return -1; - if (nft_ruleset_xml_parse_tables(rs, tree) != 0) + if (nft_ruleset_xml_parse_tables(rs, tree, err) != 0) goto err; - if (nft_ruleset_xml_parse_chains(rs, tree) != 0) + if (nft_ruleset_xml_parse_chains(rs, tree, err) != 0) goto err; - if (nft_ruleset_xml_parse_sets(rs, tree) != 0) + if (nft_ruleset_xml_parse_sets(rs, tree, err) != 0) goto err; - if (nft_ruleset_xml_parse_rules(rs, tree) != 0) + if (nft_ruleset_xml_parse_rules(rs, tree, err) != 0) goto err; mxmlDelete(tree); @@ -557,17 +567,19 @@ err: #endif } -int nft_ruleset_parse(struct nft_ruleset *r, enum nft_parse_type type, - const char *data) +static int +nft_ruleset_do_parse(struct nft_ruleset *r, enum nft_parse_type type, + const void *data, struct nft_parse_err *err, + enum nft_parse_input input) { int ret; switch (type) { case NFT_PARSE_XML: - ret = nft_ruleset_xml_parse(r, data); + ret = nft_ruleset_xml_parse(r, data, err, input); break; case NFT_PARSE_JSON: - ret = nft_ruleset_json_parse(r, data); + ret = nft_ruleset_json_parse(r, data, err, input); break; default: ret = -1; @@ -577,8 +589,21 @@ int nft_ruleset_parse(struct nft_ruleset *r, enum nft_parse_type type, return ret; } + +int nft_ruleset_parse(struct nft_ruleset *r, enum nft_parse_type type, + const char *data, struct nft_parse_err *err) +{ + return nft_ruleset_do_parse(r, type, data, err, NFT_PARSE_BUFFER); +} EXPORT_SYMBOL(nft_ruleset_parse); +int nft_ruleset_parse_file(struct nft_ruleset *rs, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err) +{ + return nft_ruleset_do_parse(rs, type, fp, err, NFT_PARSE_FILE); +} +EXPORT_SYMBOL(nft_ruleset_parse_file); + static const char *nft_ruleset_o_opentag(uint32_t type) { switch (type) { @@ -23,7 +23,7 @@ #include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> #include "linux_list.h" #include "expr/data_reg.h" @@ -283,7 +283,8 @@ int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s) EXPORT_SYMBOL(nft_set_nlmsg_parse); #ifdef JSON_PARSING -int nft_jansson_parse_set(struct nft_set *s, json_t *tree) +int nft_jansson_parse_set(struct nft_set *s, json_t *tree, + struct nft_parse_err *err) { json_t *root, *array, *json_elem; uint32_t uval32; @@ -291,45 +292,47 @@ int nft_jansson_parse_set(struct nft_set *s, json_t *tree) const char *valstr; struct nft_set_elem *elem; - root = nft_jansson_get_node(tree, "set"); + root = nft_jansson_get_node(tree, "set", err); if (root == NULL) return -1; - valstr = nft_jansson_parse_str(root, "name"); + valstr = nft_jansson_parse_str(root, "name", err); if (valstr == NULL) return -1; nft_set_attr_set_str(s, NFT_SET_ATTR_NAME, valstr); - valstr = nft_jansson_parse_str(root, "table"); + valstr = nft_jansson_parse_str(root, "table", err); if (valstr == NULL) return -1; nft_set_attr_set_str(s, NFT_SET_ATTR_TABLE, valstr); - if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32, &uval32, err) < 0) return -1; nft_set_attr_set_u32(s, NFT_SET_ATTR_FLAGS, uval32); - if (nft_jansson_parse_family(root, &family) < 0) + if (nft_jansson_parse_family(root, &family, err) < 0) return -1; nft_set_attr_set_u32(s, NFT_SET_ATTR_FAMILY, family); - if (nft_jansson_parse_val(root, "key_type", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "key_type", NFT_TYPE_U32, &uval32, + err) < 0) return -1; nft_set_attr_set_u32(s, NFT_SET_ATTR_KEY_TYPE, uval32); - if (nft_jansson_parse_val(root, "key_len", NFT_TYPE_U32, &uval32) < 0) + if (nft_jansson_parse_val(root, "key_len", NFT_TYPE_U32, &uval32, + err) < 0) return -1; nft_set_attr_set_u32(s, NFT_SET_ATTR_KEY_LEN, uval32); if (nft_jansson_node_exist(root, "data_type")) { if (nft_jansson_parse_val(root, "data_type", NFT_TYPE_U32, - &uval32) < 0) + &uval32, err) < 0) goto err; nft_set_attr_set_u32(s, NFT_SET_ATTR_DATA_TYPE, uval32); @@ -337,7 +340,7 @@ int nft_jansson_parse_set(struct nft_set *s, json_t *tree) if (nft_jansson_node_exist(root, "data_len")) { if (nft_jansson_parse_val(root, "data_len", NFT_TYPE_U32, - &uval32) < 0) + &uval32, err) < 0) goto err; nft_set_attr_set_u32(s, NFT_SET_ATTR_DATA_LEN, uval32); @@ -354,7 +357,8 @@ int nft_jansson_parse_set(struct nft_set *s, json_t *tree) if (json_elem == NULL) goto err; - if (nft_set_elem_json_parse(elem, json_elem) < 0) + if (nft_jansson_set_elem_parse(elem, + json_elem, err) < 0) goto err; list_add_tail(&elem->head, &s->element_list); @@ -371,17 +375,19 @@ err: } #endif -static int nft_set_json_parse(struct nft_set *s, const char *json) +static int nft_set_json_parse(struct nft_set *s, const void *json, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef JSON_PARSING json_t *tree; json_error_t error; - tree = nft_jansson_create_root(json, &error); + tree = nft_jansson_create_root(json, &error, err, input); if (tree == NULL) return -1; - return nft_jansson_parse_set(s, tree); + return nft_jansson_parse_set(s, tree, err); #else errno = EOPNOTSUPP; return -1; @@ -389,7 +395,8 @@ static int nft_set_json_parse(struct nft_set *s, const char *json) } #ifdef XML_PARSING -int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) +int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s, + struct nft_parse_err *err) { mxml_node_t *node = NULL; struct nft_set_elem *elem; @@ -397,7 +404,7 @@ int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) int family; name = nft_mxml_str_parse(tree, "name", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (name == NULL) return -1; @@ -408,7 +415,7 @@ int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) s->flags |= (1 << NFT_SET_ATTR_NAME); table = nft_mxml_str_parse(tree, "table", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (table == NULL) return -1; @@ -419,7 +426,7 @@ int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) s->flags |= (1 << NFT_SET_ATTR_TABLE); family = nft_mxml_family_parse(tree, "family", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (family < 0) return -1; @@ -428,34 +435,35 @@ int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) s->flags |= (1 << NFT_SET_ATTR_FAMILY); if (nft_mxml_num_parse(tree, "flags", MXML_DESCEND_FIRST, BASE_DEC, - &s->set_flags, NFT_TYPE_U32, NFT_XML_MAND) != 0) + &s->set_flags, NFT_TYPE_U32, NFT_XML_MAND, err) != 0) return -1; s->flags |= (1 << NFT_SET_ATTR_FLAGS); if (nft_mxml_num_parse(tree, "key_type", MXML_DESCEND_FIRST, BASE_DEC, - &s->key_type, NFT_TYPE_U32, NFT_XML_MAND) != 0) + &s->key_type, NFT_TYPE_U32, NFT_XML_MAND, err) != 0) return -1; s->flags |= (1 << NFT_SET_ATTR_KEY_TYPE); if (nft_mxml_num_parse(tree, "key_len", MXML_DESCEND_FIRST, BASE_DEC, - &s->key_len, NFT_TYPE_U32, NFT_XML_MAND) != 0) + &s->key_len, NFT_TYPE_U32, NFT_XML_MAND, err) != 0) return -1; s->flags |= (1 << NFT_SET_ATTR_KEY_LEN); if (nft_mxml_num_parse(tree, "data_type", MXML_DESCEND_FIRST, BASE_DEC, - &s->data_type, NFT_TYPE_U32, NFT_XML_MAND) != 0) - return -1; - - s->flags |= (1 << NFT_SET_ATTR_DATA_TYPE); + &s->data_type, NFT_TYPE_U32, + NFT_XML_OPT, err) == 0) { + s->flags |= (1 << NFT_SET_ATTR_DATA_TYPE); - if (nft_mxml_num_parse(tree, "data_len", MXML_DESCEND_FIRST, BASE_DEC, - &s->data_len, NFT_TYPE_U32, NFT_XML_MAND) != 0) - return -1; + if (nft_mxml_num_parse(tree, "data_len", MXML_DESCEND_FIRST, + BASE_DEC, &s->data_len, NFT_TYPE_U32, + NFT_XML_MAND, err) != 0) + return -1; - s->flags |= (1 << NFT_SET_ATTR_DATA_LEN); + s->flags |= (1 << NFT_SET_ATTR_DATA_LEN); + } for (node = mxmlFindElement(tree, tree, "set_elem", NULL, NULL, MXML_DESCEND); @@ -467,7 +475,7 @@ int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) if (elem == NULL) return -1; - if (nft_mxml_set_elem_parse(node, elem) < 0) + if (nft_mxml_set_elem_parse(node, elem, err) < 0) return -1; list_add_tail(&elem->head, &s->element_list); @@ -477,15 +485,17 @@ int nft_mxml_set_parse(mxml_node_t *tree, struct nft_set *s) } #endif -static int nft_set_xml_parse(struct nft_set *s, const char *xml) +static int nft_set_xml_parse(struct nft_set *s, const void *xml, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef XML_PARSING int ret; - mxml_node_t *tree = nft_mxml_build_tree(xml, "set"); + mxml_node_t *tree = nft_mxml_build_tree(xml, "set", err, input); if (tree == NULL) return -1; - ret = nft_mxml_set_parse(tree, s); + ret = nft_mxml_set_parse(tree, s, err); mxmlDelete(tree); return ret; #else @@ -494,17 +504,19 @@ static int nft_set_xml_parse(struct nft_set *s, const char *xml) #endif } -int nft_set_parse(struct nft_set *s, enum nft_parse_type type, - const char *data) +static int nft_set_do_parse(struct nft_set *s, enum nft_parse_type type, + const void *data, struct nft_parse_err *err, + enum nft_parse_input input) { int ret; + struct nft_parse_err perr; switch (type) { case NFT_PARSE_XML: - ret = nft_set_xml_parse(s, data); + ret = nft_set_xml_parse(s, data, &perr, input); break; case NFT_PARSE_JSON: - ret = nft_set_json_parse(s, data); + ret = nft_set_json_parse(s, data, &perr, input); break; default: ret = -1; @@ -512,10 +524,25 @@ int nft_set_parse(struct nft_set *s, enum nft_parse_type type, break; } + if (err != NULL) + *err = perr; + return ret; } +int nft_set_parse(struct nft_set *s, enum nft_parse_type type, + const char *data, struct nft_parse_err *err) +{ + return nft_set_do_parse(s, type, data, err, NFT_PARSE_BUFFER); +} EXPORT_SYMBOL(nft_set_parse); +int nft_set_parse_file(struct nft_set *s, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err) +{ + return nft_set_do_parse(s, type, fp, err, NFT_PARSE_FILE); +} +EXPORT_SYMBOL(nft_set_parse_file); + static int nft_set_snprintf_json(char *buf, size_t size, struct nft_set *s, uint32_t type, uint32_t flags) { @@ -608,14 +635,20 @@ static int nft_set_snprintf_xml(char *buf, size_t size, struct nft_set *s, "<name>%s</name>" "<flags>%u</flags>" "<key_type>%u</key_type>" - "<key_len>%u</key_len>" - "<data_type>%u</data_type>" - "<data_len>%u</data_len>", + "<key_len>%u</key_len>", nft_family2str(s->family), s->table, s->name, - s->set_flags, s->key_type, - s->key_len, s->data_type, s->data_len); + s->set_flags, s->key_type, s->key_len); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + if (s->flags & (1 << NFT_SET_ATTR_DATA_TYPE) && + s->flags & (1 << NFT_SET_ATTR_DATA_LEN)) { + ret = snprintf(buf+offset, len, "<data_type>%u</data_type>" + "<data_len>%u</data_len>", + s->data_type, s->data_len); + + SNPRINTF_BUFFER_SIZE(ret, size, len, offset); + } + if (!list_empty(&s->element_list)) { list_for_each_entry(elem, &s->element_list, head) { ret = nft_set_elem_snprintf(buf+offset, len, elem, diff --git a/src/set_elem.c b/src/set_elem.c index fce9c1d..79fc641 100644 --- a/src/set_elem.c +++ b/src/set_elem.c @@ -22,8 +22,8 @@ #include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/set.h> -#include <libnftables/rule.h> +#include <libnftnl/set.h> +#include <libnftnl/rule.h> #include "linux_list.h" #include "expr/data_reg.h" @@ -357,35 +357,36 @@ int nft_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s) EXPORT_SYMBOL(nft_set_elems_nlmsg_parse); #ifdef XML_PARSING -int nft_mxml_set_elem_parse(mxml_node_t *tree, struct nft_set_elem *e) +int nft_mxml_set_elem_parse(mxml_node_t *tree, struct nft_set_elem *e, + struct nft_parse_err *err) { int set_elem_data; if (nft_mxml_num_parse(tree, "flags", MXML_DESCEND_FIRST, BASE_DEC, &e->set_elem_flags, - NFT_TYPE_U32, NFT_XML_MAND) != 0) + NFT_TYPE_U32, NFT_XML_MAND, err) != 0) return -1; e->flags |= (1 << NFT_SET_ELEM_ATTR_FLAGS); if (nft_mxml_data_reg_parse(tree, "key", &e->key, - NFT_XML_MAND) != DATA_VALUE) + NFT_XML_MAND, err) != DATA_VALUE) return -1; e->flags |= (1 << NFT_SET_ELEM_ATTR_KEY); /* <set_elem_data> is not mandatory */ set_elem_data = nft_mxml_data_reg_parse(tree, "data", - &e->data, NFT_XML_OPT); + &e->data, NFT_XML_OPT, err); switch (set_elem_data) { case DATA_VALUE: e->flags |= (1 << NFT_SET_ELEM_ATTR_DATA); break; case DATA_VERDICT: e->flags |= (1 << NFT_SET_ELEM_ATTR_VERDICT); - break; - case DATA_CHAIN: - e->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN); + if (e->data.chain != NULL) + e->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN); + break; } @@ -393,17 +394,19 @@ int nft_mxml_set_elem_parse(mxml_node_t *tree, struct nft_set_elem *e) } #endif -static int nft_set_elem_xml_parse(struct nft_set_elem *e, const char *xml) +static int nft_set_elem_xml_parse(struct nft_set_elem *e, const void *xml, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef XML_PARSING mxml_node_t *tree; int ret; - tree = nft_mxml_build_tree(xml, "set_elem"); + tree = nft_mxml_build_tree(xml, "set_elem", err, input); if (tree == NULL) return -1; - ret = nft_mxml_set_elem_parse(tree, e); + ret = nft_mxml_set_elem_parse(tree, e, err); mxmlDelete(tree); return ret; #else @@ -412,13 +415,38 @@ static int nft_set_elem_xml_parse(struct nft_set_elem *e, const char *xml) #endif } -int nft_set_elem_parse(struct nft_set_elem *e, - enum nft_parse_type type, const char *data) { +static int nft_set_elem_json_parse(struct nft_set_elem *e, const void *json, + struct nft_parse_err *err, + enum nft_parse_input input) +{ +#ifdef JSON_PARSING + json_t *tree; + json_error_t error; + + tree = nft_jansson_create_root(json, &error, err, input); + if (tree == NULL) + return -1; + + return nft_jansson_set_elem_parse(e, tree, err); +#else + errno = EOPNOTSUPP; + return -1; +#endif +} + +static int +nft_set_elem_do_parse(struct nft_set_elem *e, enum nft_parse_type type, + const void *data, struct nft_parse_err *err, + enum nft_parse_input input) +{ int ret; switch (type) { case NFT_PARSE_XML: - ret = nft_set_elem_xml_parse(e, data); + ret = nft_set_elem_xml_parse(e, data, err, input); + break; + case NFT_PARSE_JSON: + ret = nft_set_elem_json_parse(e, data, err, input); break; default: errno = EOPNOTSUPP; @@ -428,8 +456,20 @@ int nft_set_elem_parse(struct nft_set_elem *e, return ret; } +int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, + const char *data, struct nft_parse_err *err) +{ + return nft_set_elem_do_parse(e, type, data, err, NFT_PARSE_BUFFER); +} EXPORT_SYMBOL(nft_set_elem_parse); +int nft_set_elem_parse_file(struct nft_set_elem *e, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err) +{ + return nft_set_elem_do_parse(e, type, fp, err, NFT_PARSE_FILE); +} +EXPORT_SYMBOL(nft_set_elem_parse_file); + static int nft_set_elem_snprintf_json(char *buf, size_t size, struct nft_set_elem *e, uint32_t flags) { diff --git a/src/table.c b/src/table.c index ba84264..c834a4e 100644 --- a/src/table.c +++ b/src/table.c @@ -23,7 +23,7 @@ #include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> struct nft_table { struct list_head head; @@ -230,13 +230,14 @@ int nft_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_table *t) EXPORT_SYMBOL(nft_table_nlmsg_parse); #ifdef XML_PARSING -int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t) +int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t, + struct nft_parse_err *err) { const char *name; int family; name = nft_mxml_str_parse(tree, "name", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (name == NULL) return -1; @@ -247,7 +248,7 @@ int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t) t->flags |= (1 << NFT_TABLE_ATTR_NAME); family = nft_mxml_family_parse(tree, "family", MXML_DESCEND_FIRST, - NFT_XML_MAND); + NFT_XML_MAND, err); if (family < 0) return -1; @@ -256,7 +257,7 @@ int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t) if (nft_mxml_num_parse(tree, "flags", MXML_DESCEND, BASE_DEC, &t->table_flags, NFT_TYPE_U32, - NFT_XML_MAND) != 0) + NFT_XML_MAND, err) != 0) return -1; t->flags |= (1 << NFT_TABLE_ATTR_FLAGS); @@ -265,15 +266,17 @@ int nft_mxml_table_parse(mxml_node_t *tree, struct nft_table *t) } #endif -static int nft_table_xml_parse(struct nft_table *t, const char *xml) +static int nft_table_xml_parse(struct nft_table *t, const void *data, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef XML_PARSING int ret; - mxml_node_t *tree = nft_mxml_build_tree(xml, "table"); + mxml_node_t *tree = nft_mxml_build_tree(data, "table", err, input); if (tree == NULL) return -1; - ret = nft_mxml_table_parse(tree, t); + ret = nft_mxml_table_parse(tree, t, err); mxmlDelete(tree); return ret; #else @@ -283,29 +286,30 @@ static int nft_table_xml_parse(struct nft_table *t, const char *xml) } #ifdef JSON_PARSING -int nft_jansson_parse_table(struct nft_table *t, json_t *tree) +int nft_jansson_parse_table(struct nft_table *t, json_t *tree, + struct nft_parse_err *err) { json_t *root; uint32_t flags; const char *str; int family; - root = nft_jansson_get_node(tree, "table"); + root = nft_jansson_get_node(tree, "table", err); if (root == NULL) return -1; - str = nft_jansson_parse_str(root, "name"); + str = nft_jansson_parse_str(root, "name", err); if (str == NULL) goto err; nft_table_attr_set_str(t, NFT_TABLE_ATTR_NAME, str); - if (nft_jansson_parse_family(root, &family) != 0) + if (nft_jansson_parse_family(root, &family, err) != 0) goto err; nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FAMILY, family); - if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32, &flags) < 0) + if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32, &flags, err) < 0) goto err; nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FLAGS, flags); @@ -318,34 +322,38 @@ err: } #endif -static int nft_table_json_parse(struct nft_table *t, const char *json) +static int nft_table_json_parse(struct nft_table *t, const void *json, + struct nft_parse_err *err, + enum nft_parse_input input) { #ifdef JSON_PARSING json_t *tree; json_error_t error; - tree = nft_jansson_create_root(json, &error); + tree = nft_jansson_create_root(json, &error, err, input); if (tree == NULL) return -1; - return nft_jansson_parse_table(t, tree); + return nft_jansson_parse_table(t, tree, err); #else errno = EOPNOTSUPP; return -1; #endif } -int nft_table_parse(struct nft_table *t, enum nft_parse_type type, - const char *data) +static int nft_table_do_parse(struct nft_table *t, enum nft_parse_type type, + const void *data, struct nft_parse_err *err, + enum nft_parse_input input) { int ret; + struct nft_parse_err perr; switch (type) { case NFT_PARSE_XML: - ret = nft_table_xml_parse(t, data); + ret = nft_table_xml_parse(t, data, &perr, input); break; case NFT_PARSE_JSON: - ret = nft_table_json_parse(t, data); + ret = nft_table_json_parse(t, data, &perr, input); break; default: ret = -1; @@ -353,10 +361,26 @@ int nft_table_parse(struct nft_table *t, enum nft_parse_type type, break; } + if (err != NULL) + *err = perr; + return ret; } + +int nft_table_parse(struct nft_table *t, enum nft_parse_type type, + const char *data, struct nft_parse_err *err) +{ + return nft_table_do_parse(t, type, data, err, NFT_PARSE_BUFFER); +} EXPORT_SYMBOL(nft_table_parse); +int nft_table_parse_file(struct nft_table *t, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err) +{ + return nft_table_do_parse(t, type, fp, err, NFT_PARSE_FILE); +} +EXPORT_SYMBOL(nft_table_parse_file); + static int nft_table_snprintf_json(char *buf, size_t size, struct nft_table *t) { return snprintf(buf, size, diff --git a/src/utils.c b/src/utils.c index 6fd8e03..9691c4c 100644 --- a/src/utils.c +++ b/src/utils.c @@ -158,18 +158,24 @@ const char *nft_verdict2str(uint32_t verdict) } } -int nft_str2verdict(const char *verdict) +int nft_str2verdict(const char *verdict, int *verdict_num) { - if (strcmp(verdict, "accept") == 0) - return NF_ACCEPT; - else if (strcmp(verdict, "drop") == 0) - return NF_DROP; - else if (strcmp(verdict, "return") == 0) - return NFT_RETURN; - else if (strcmp(verdict, "jump") == 0) - return NFT_JUMP; - else if (strcmp(verdict, "goto") == 0) - return NFT_GOTO; + if (strcmp(verdict, "accept") == 0) { + *verdict_num = NF_ACCEPT; + return 0; + } else if (strcmp(verdict, "drop") == 0) { + *verdict_num = NF_DROP; + return 0; + } else if (strcmp(verdict, "return") == 0) { + *verdict_num = NFT_RETURN; + return 0; + } else if (strcmp(verdict, "jump") == 0) { + *verdict_num = NFT_JUMP; + return 0; + } else if (strcmp(verdict, "goto") == 0) { + *verdict_num = NFT_GOTO; + return 0; + } return -1; } diff --git a/tests/Makefile.am b/tests/Makefile.am index 576bf73..d5df071 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -24,67 +24,67 @@ check_PROGRAMS = nft-parsing-test \ nft-expr_target-test nft_parsing_test_SOURCES = nft-parsing-test.c -nft_parsing_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS} +nft_parsing_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS} nft_table_test_SOURCES = nft-table-test.c -nft_table_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_chain_test_SOURCES = nft-chain-test.c -nft_chain_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_rule_test_SOURCES = nft-rule-test.c -nft_rule_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_set_test_SOURCES = nft-set-test.c -nft_set_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_bitwise_test_SOURCES = nft-expr_bitwise-test.c -nft_expr_bitwise_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_bitwise_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_byteorder_test_SOURCES = nft-expr_byteorder-test.c -nft_expr_byteorder_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_byteorder_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_cmp_test_SOURCES = nft-expr_cmp-test.c -nft_expr_cmp_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_cmp_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_counter_test_SOURCES = nft-expr_counter-test.c -nft_expr_counter_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_counter_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_exthdr_test_SOURCES = nft-expr_exthdr-test.c -nft_expr_exthdr_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_exthdr_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_ct_test_SOURCES = nft-expr_ct-test.c -nft_expr_ct_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_ct_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_immediate_test_SOURCES = nft-expr_counter-test.c -nft_expr_immediate_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_immediate_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_limit_test_SOURCES = nft-expr_limit-test.c -nft_expr_limit_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_limit_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_lookup_test_SOURCES = nft-expr_limit-test.c -nft_expr_lookup_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_lookup_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_log_test_SOURCES = nft-expr_log-test.c -nft_expr_log_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_log_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_match_test_SOURCES = nft-expr_match-test.c -nft_expr_match_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_match_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_meta_test_SOURCES = nft-expr_meta-test.c -nft_expr_meta_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_meta_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_nat_test_SOURCES = nft-expr_nat-test.c -nft_expr_nat_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_nat_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_payload_test_SOURCES = nft-expr_payload-test.c -nft_expr_payload_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_payload_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_queue_test_SOURCES = nft-expr_queue-test.c -nft_expr_queue_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_queue_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_reject_test_SOURCES = nft-expr_reject-test.c -nft_expr_reject_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_reject_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} nft_expr_target_test_SOURCES = nft-expr_target-test.c -nft_expr_target_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_expr_target_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} diff --git a/tests/jsonfiles/01-table.json b/tests/jsonfiles/01-table.json index f217189..9be7b40 100644 --- a/tests/jsonfiles/01-table.json +++ b/tests/jsonfiles/01-table.json @@ -1 +1 @@ -{"table":{"name":"filter","family":"ip","flags":0,"use":0}} +{"nftables":[{"table":{"name":"filter","family":"ip","flags":0,"use":0}}]} diff --git a/tests/jsonfiles/02-table.json b/tests/jsonfiles/02-table.json index c23e7b0..4ff5674 100644 --- a/tests/jsonfiles/02-table.json +++ b/tests/jsonfiles/02-table.json @@ -1 +1 @@ -{"table":{"name":"filter2","family":"ip6","flags":0,"use":0}} +{"nftables":[{"table":{"name":"filter2","family":"ip6","flags":0,"use":0}}]} diff --git a/tests/jsonfiles/11-chain.json b/tests/jsonfiles/11-chain.json index e1ed07f..2610b79 100644 --- a/tests/jsonfiles/11-chain.json +++ b/tests/jsonfiles/11-chain.json @@ -1 +1 @@ -{"chain":{"name":"input","handle":1,"bytes":1375696,"packets":4136,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}} +{"nftables":[{"chain":{"name":"input","handle":1,"bytes":1375696,"packets":4136,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}}]} diff --git a/tests/jsonfiles/12-chain.json b/tests/jsonfiles/12-chain.json index b3fa541..3d15982 100644 --- a/tests/jsonfiles/12-chain.json +++ b/tests/jsonfiles/12-chain.json @@ -1 +1 @@ -{"chain":{"name":"forward","handle":2,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"forward","prio":0,"policy":"accept"}} +{"nftables":[{"chain":{"name":"forward","handle":2,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"forward","prio":0,"policy":"accept"}}]} diff --git a/tests/jsonfiles/13-chain.json b/tests/jsonfiles/13-chain.json index 6d8230d..e3a17f0 100644 --- a/tests/jsonfiles/13-chain.json +++ b/tests/jsonfiles/13-chain.json @@ -1 +1 @@ -{"chain":{"name":"output","handle":3,"bytes":454786,"packets":2681,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"output","prio":0,"policy":"accept"}} +{"nftables":[{"chain":{"name":"output","handle":3,"bytes":454786,"packets":2681,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"output","prio":0,"policy":"accept"}}]} diff --git a/tests/jsonfiles/14-chain.json b/tests/jsonfiles/14-chain.json index 44bc106..d98dc94 100644 --- a/tests/jsonfiles/14-chain.json +++ b/tests/jsonfiles/14-chain.json @@ -1 +1 @@ -{"chain":{"name":"chain1","handle":4,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0}} +{"nftables":[{"chain":{"name":"chain1","handle":4,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0}}]} diff --git a/tests/jsonfiles/20-rule-bitwise.json b/tests/jsonfiles/20-rule-bitwise.json index 511ad88..de3d9ec 100644 --- a/tests/jsonfiles/20-rule-bitwise.json +++ b/tests/jsonfiles/20-rule-bitwise.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":20,"expr":[{"type":"bitwise","sreg":1,"dreg":1,"len":4,"mask":{"data_reg":{"type":"value","len":4,"data0":"0x0000000a"}},"xor":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":20,"expr":[{"type":"bitwise","sreg":1,"dreg":1,"len":4,"mask":{"data_reg":{"type":"value","len":4,"data0":"0x0000000a"}},"xor":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}}]}}]} diff --git a/tests/jsonfiles/21-rule-byteorder.json b/tests/jsonfiles/21-rule-byteorder.json index 9c5498e..ae6fb32 100644 --- a/tests/jsonfiles/21-rule-byteorder.json +++ b/tests/jsonfiles/21-rule-byteorder.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":21,"expr":[{"type":"byteorder","sreg":3,"dreg":4,"op":"hton","len":4,"size":4}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":21,"expr":[{"type":"byteorder","sreg":3,"dreg":4,"op":"hton","len":4,"size":4}]}}]} diff --git a/tests/jsonfiles/22-rule-cmp.json b/tests/jsonfiles/22-rule-cmp.json index ad1c71a..c32d7ad 100644 --- a/tests/jsonfiles/22-rule-cmp.json +++ b/tests/jsonfiles/22-rule-cmp.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"forward","handle":22,"expr":[{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x6e6f6200","data2":"0x2e303164","data3":"0x00393331"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"forward","handle":22,"expr":[{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x6e6f6200","data2":"0x2e303164","data3":"0x00393331"}}}]}}]} diff --git a/tests/jsonfiles/23-rule-counter.json b/tests/jsonfiles/23-rule-counter.json index 331ab2c..95d5072 100644 --- a/tests/jsonfiles/23-rule-counter.json +++ b/tests/jsonfiles/23-rule-counter.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":23,"expr":[{"type":"counter","pkts":135,"bytes":21655}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":23,"expr":[{"type":"counter","pkts":135,"bytes":21655}]}}]} diff --git a/tests/jsonfiles/24-rule-ct.json b/tests/jsonfiles/24-rule-ct.json index 3b161f3..1aa3dd2 100644 --- a/tests/jsonfiles/24-rule-ct.json +++ b/tests/jsonfiles/24-rule-ct.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":24,"expr":[{"type":"ct","dreg":1,"key":"state"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000008"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":24,"expr":[{"type":"ct","dreg":1,"key":"state"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000008"}}}]}}]} diff --git a/tests/jsonfiles/25-rule-exthdr.json b/tests/jsonfiles/25-rule-exthdr.json index 32667a3..c40a074 100644 --- a/tests/jsonfiles/25-rule-exthdr.json +++ b/tests/jsonfiles/25-rule-exthdr.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":25,"expr":[{"type":"exthdr","dreg":1,"exthdr_type":"mh","offset":2,"len":16}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":25,"expr":[{"type":"exthdr","dreg":1,"exthdr_type":"mh","offset":2,"len":16}]}}]} diff --git a/tests/jsonfiles/26-rule-immediate.json b/tests/jsonfiles/26-rule-immediate.json index fbe7f8b..3582a39 100644 --- a/tests/jsonfiles/26-rule-immediate.json +++ b/tests/jsonfiles/26-rule-immediate.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":26,"expr":[{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"accept"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":26,"expr":[{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"accept"}}}]}}]} diff --git a/tests/jsonfiles/27-rule-limit.json b/tests/jsonfiles/27-rule-limit.json index 3ac5118..c268357 100644 --- a/tests/jsonfiles/27-rule-limit.json +++ b/tests/jsonfiles/27-rule-limit.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":27,"expr":[{"type":"limit","rate":321321,"unit":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":27,"expr":[{"type":"limit","rate":321321,"unit":0}]}}]} diff --git a/tests/jsonfiles/28-rule-log.json b/tests/jsonfiles/28-rule-log.json index ad0ca8f..1e739f1 100644 --- a/tests/jsonfiles/28-rule-log.json +++ b/tests/jsonfiles/28-rule-log.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":28,"expr":[{"type":"log","prefix":"test_chain","group":1,"snaplen":0,"qthreshold":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":28,"expr":[{"type":"log","prefix":"test_chain","group":1,"snaplen":0,"qthreshold":0}]}}]} diff --git a/tests/jsonfiles/29-rule-match.json b/tests/jsonfiles/29-rule-match.json index 78f087d..b533e77 100644 --- a/tests/jsonfiles/29-rule-match.json +++ b/tests/jsonfiles/29-rule-match.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":9,"expr":[{"type":"match","name":"state"},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":9,"expr":[{"type":"match","name":"state"},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/30-rule-lookup.json b/tests/jsonfiles/30-rule-lookup.json index 5dbf823..05576b0 100644 --- a/tests/jsonfiles/30-rule-lookup.json +++ b/tests/jsonfiles/30-rule-lookup.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":8,"expr":[{"type":"payload","dreg":1,"offset":12,"len":4,"base":"network"},{"type":"lookup","set":"set0","sreg":1,"dreg":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":8,"expr":[{"type":"payload","dreg":1,"offset":12,"len":4,"base":"network"},{"type":"lookup","set":"set0","sreg":1,"dreg":0}]}}]} diff --git a/tests/jsonfiles/31-rule-meta.json b/tests/jsonfiles/31-rule-meta.json index b52d29e..96e02e5 100644 --- a/tests/jsonfiles/31-rule-meta.json +++ b/tests/jsonfiles/31-rule-meta.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":8,"expr":[{"type":"meta","dreg":1,"key":"protocol"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":8,"expr":[{"type":"meta","dreg":1,"key":"protocol"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/32-rule-nat4.json b/tests/jsonfiles/32-rule-nat4.json index eb3ae5b..aa2b50d 100644 --- a/tests/jsonfiles/32-rule-nat4.json +++ b/tests/jsonfiles/32-rule-nat4.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":10,"expr":[{"type":"nat","nat_type":"dnat","family":"ip","sreg_addr_min":1,"sreg_addr_max":2,"sreg_proto_min":3,"sreg_proto_max":4}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":10,"expr":[{"type":"nat","nat_type":"dnat","family":"ip","sreg_addr_min":1,"sreg_addr_max":2,"sreg_proto_min":3,"sreg_proto_max":4}]}}]} diff --git a/tests/jsonfiles/33-rule-nat6.json b/tests/jsonfiles/33-rule-nat6.json index fae48d0..e5d8c8f 100644 --- a/tests/jsonfiles/33-rule-nat6.json +++ b/tests/jsonfiles/33-rule-nat6.json @@ -1 +1 @@ -{"rule":{"family":"ip6","table":"nat","chain":"output","handle":33,"expr":[{"type":"nat","nat_type":"snat","family":"ip6","sreg_addr_min":1,"sreg_addr_max":2,"sreg_proto_min":3,"sreg_proto_max":4}]}} +{"nftables":[{"rule":{"family":"ip6","table":"nat","chain":"output","handle":33,"expr":[{"type":"nat","nat_type":"snat","family":"ip6","sreg_addr_min":1,"sreg_addr_max":2,"sreg_proto_min":3,"sreg_proto_max":4}]}}]} diff --git a/tests/jsonfiles/34-rule-payload.json b/tests/jsonfiles/34-rule-payload.json index 3559ca6..7eaff41 100644 --- a/tests/jsonfiles/34-rule-payload.json +++ b/tests/jsonfiles/34-rule-payload.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"input","handle":26,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"accept"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"input","handle":26,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"network"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"transport"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"accept"}}}]}}]} diff --git a/tests/jsonfiles/35-rule-target.json b/tests/jsonfiles/35-rule-target.json index c8ff656..da02921 100644 --- a/tests/jsonfiles/35-rule-target.json +++ b/tests/jsonfiles/35-rule-target.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"INPUT","handle":20,"expr":[{"type":"counter","pkts":17,"bytes":4436},{"type":"target","name":"LOG"}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"INPUT","handle":20,"expr":[{"type":"counter","pkts":17,"bytes":4436},{"type":"target","name":"LOG"}]}}]} diff --git a/tests/jsonfiles/36-rule-real.json b/tests/jsonfiles/36-rule-real.json index c8bfc26..4c5e331 100644 --- a/tests/jsonfiles/36-rule-real.json +++ b/tests/jsonfiles/36-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":36,"expr":[{"type":"payload","dreg":1,"offset":12,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x0100a8c0","data1":"0x6400a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":36,"expr":[{"type":"payload","dreg":1,"offset":12,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x0100a8c0","data1":"0x6400a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/37-rule-real.json b/tests/jsonfiles/37-rule-real.json index d9b4580..2645328 100644 --- a/tests/jsonfiles/37-rule-real.json +++ b/tests/jsonfiles/37-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":37,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":37,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}}]}}]} diff --git a/tests/jsonfiles/38-rule-real.json b/tests/jsonfiles/38-rule-real.json index ce37407..2a7640b 100644 --- a/tests/jsonfiles/38-rule-real.json +++ b/tests/jsonfiles/38-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":38,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":38,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}}]}}]} diff --git a/tests/jsonfiles/39-rule-real.json b/tests/jsonfiles/39-rule-real.json index 8529d06..5ab4fae 100644 --- a/tests/jsonfiles/39-rule-real.json +++ b/tests/jsonfiles/39-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":39,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"gte","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"cmp","sreg":1,"op":"lte","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0xfa00a8c0"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":39,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"gte","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"cmp","sreg":1,"op":"lte","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0xfa00a8c0"}}}]}}]} diff --git a/tests/jsonfiles/40-rule-real.json b/tests/jsonfiles/40-rule-real.json index f13c99e..483a1a5 100644 --- a/tests/jsonfiles/40-rule-real.json +++ b/tests/jsonfiles/40-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":40,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":40,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/41-rule-real.json b/tests/jsonfiles/41-rule-real.json index ed23fc2..d8ed85c 100644 --- a/tests/jsonfiles/41-rule-real.json +++ b/tests/jsonfiles/41-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":41,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"drop"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":41,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"drop"}}}]}}]} diff --git a/tests/jsonfiles/42-rule-real.json b/tests/jsonfiles/42-rule-real.json index 6c305e1..49f9b56 100644 --- a/tests/jsonfiles/42-rule-real.json +++ b/tests/jsonfiles/42-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":42,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"log","prefix":"(null)","group":0,"snaplen":0,"qthreshold":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":42,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"log","prefix":"(null)","group":0,"snaplen":0,"qthreshold":0}]}}]} diff --git a/tests/jsonfiles/43-rule-real.json b/tests/jsonfiles/43-rule-real.json index 95d0333..be2c6fb 100644 --- a/tests/jsonfiles/43-rule-real.json +++ b/tests/jsonfiles/43-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":43,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":43,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/44-rule-real.json b/tests/jsonfiles/44-rule-real.json index a838dbb..890e529 100644 --- a/tests/jsonfiles/44-rule-real.json +++ b/tests/jsonfiles/44-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":44,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":0,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x16000004"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":44,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":0,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x16000004"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/45-rule-real.json b/tests/jsonfiles/45-rule-real.json index 8b143d6..ed61093 100644 --- a/tests/jsonfiles/45-rule-real.json +++ b/tests/jsonfiles/45-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":45,"expr":[{"type":"payload","dreg":1,"offset":12,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x0100a8c0","data1":"0x6400a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":45,"expr":[{"type":"payload","dreg":1,"offset":12,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x0100a8c0","data1":"0x6400a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/46-rule-real.json b/tests/jsonfiles/46-rule-real.json index 28643c8..ed2431e 100644 --- a/tests/jsonfiles/46-rule-real.json +++ b/tests/jsonfiles/46-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":46,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":0,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x16000004","data1":"0x00000000"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":46,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":0,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x16000004","data1":"0x00000000"}}}]}}]} diff --git a/tests/jsonfiles/47-rule-real.json b/tests/jsonfiles/47-rule-real.json index 8f68634..828e3ef 100644 --- a/tests/jsonfiles/47-rule-real.json +++ b/tests/jsonfiles/47-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":47,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":0,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x16000004","data1":"0x00000000"}}}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":47,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":0,"len":8,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":8,"data0":"0x16000004","data1":"0x00000000"}}}]}}]} diff --git a/tests/jsonfiles/48-rule-real.json b/tests/jsonfiles/48-rule-real.json index 0cd835e..7f08637 100644 --- a/tests/jsonfiles/48-rule-real.json +++ b/tests/jsonfiles/48-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":48,"expr":[{"type":"meta","dreg":1,"key":"len"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":48,"expr":[{"type":"meta","dreg":1,"key":"len"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/49-rule-real.json b/tests/jsonfiles/49-rule-real.json index 445f46a..26f2672 100644 --- a/tests/jsonfiles/49-rule-real.json +++ b/tests/jsonfiles/49-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":49,"expr":[{"type":"meta","dreg":1,"key":"mark"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"counter","pkts":55,"bytes":11407}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":49,"expr":[{"type":"meta","dreg":1,"key":"mark"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"counter","pkts":55,"bytes":11407}]}}]} diff --git a/tests/jsonfiles/50-rule-real.json b/tests/jsonfiles/50-rule-real.json index 2722236..b63d722 100644 --- a/tests/jsonfiles/50-rule-real.json +++ b/tests/jsonfiles/50-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":50,"expr":[{"type":"meta","dreg":1,"key":"iif"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000001"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":50,"expr":[{"type":"meta","dreg":1,"key":"iif"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000001"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/51-rule-real.json b/tests/jsonfiles/51-rule-real.json index 3161fa4..441716e 100644 --- a/tests/jsonfiles/51-rule-real.json +++ b/tests/jsonfiles/51-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":51,"expr":[{"type":"meta","dreg":1,"key":"iifname"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x00000000","data2":"0x65000000","data3":"0x00306874"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":51,"expr":[{"type":"meta","dreg":1,"key":"iifname"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x00000000","data2":"0x65000000","data3":"0x00306874"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/52-rule-real.json b/tests/jsonfiles/52-rule-real.json index d4092c6..baec217 100644 --- a/tests/jsonfiles/52-rule-real.json +++ b/tests/jsonfiles/52-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":52,"expr":[{"type":"meta","dreg":1,"key":"oif"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000001"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":52,"expr":[{"type":"meta","dreg":1,"key":"oif"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000001"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/53-rule-real.json b/tests/jsonfiles/53-rule-real.json index 526c9d3..bb28dea 100644 --- a/tests/jsonfiles/53-rule-real.json +++ b/tests/jsonfiles/53-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":53,"expr":[{"type":"meta","dreg":1,"key":"oifname"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x00000000","data2":"0x65000000","data3":"0x00306874"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":53,"expr":[{"type":"meta","dreg":1,"key":"oifname"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x00000000","data2":"0x65000000","data3":"0x00306874"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/54-rule-real.json b/tests/jsonfiles/54-rule-real.json index edb8c18..ae3b6e8 100644 --- a/tests/jsonfiles/54-rule-real.json +++ b/tests/jsonfiles/54-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":54,"expr":[{"type":"meta","dreg":1,"key":"skuid"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":54,"expr":[{"type":"meta","dreg":1,"key":"skuid"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/55-rule-real.json b/tests/jsonfiles/55-rule-real.json index a10fc0f..69febc0 100644 --- a/tests/jsonfiles/55-rule-real.json +++ b/tests/jsonfiles/55-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":55,"expr":[{"type":"meta","dreg":1,"key":"skgid"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":55,"expr":[{"type":"meta","dreg":1,"key":"skgid"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/56-rule-real.json b/tests/jsonfiles/56-rule-real.json index 137e146..6f5f4c5 100644 --- a/tests/jsonfiles/56-rule-real.json +++ b/tests/jsonfiles/56-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":56,"expr":[{"type":"meta","dreg":1,"key":"secmark"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"counter","pkts":55,"bytes":11407}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":56,"expr":[{"type":"meta","dreg":1,"key":"secmark"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"counter","pkts":55,"bytes":11407}]}}]} diff --git a/tests/jsonfiles/57-rule-real.json b/tests/jsonfiles/57-rule-real.json index 8694ea1..da17f64 100644 --- a/tests/jsonfiles/57-rule-real.json +++ b/tests/jsonfiles/57-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":57,"expr":[{"type":"meta","dreg":1,"key":"len"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":57,"expr":[{"type":"meta","dreg":1,"key":"len"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/58-rule-real.json b/tests/jsonfiles/58-rule-real.json index 59237b6..52532f1 100644 --- a/tests/jsonfiles/58-rule-real.json +++ b/tests/jsonfiles/58-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":58,"expr":[{"type":"meta","dreg":1,"key":"protocol"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00000008"}}},{"type":"counter","pkts":55,"bytes":11407}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":58,"expr":[{"type":"meta","dreg":1,"key":"protocol"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00000008"}}},{"type":"counter","pkts":55,"bytes":11407}]}}]} diff --git a/tests/jsonfiles/59-rule-real.json b/tests/jsonfiles/59-rule-real.json index d6245b2..aa632d3 100644 --- a/tests/jsonfiles/59-rule-real.json +++ b/tests/jsonfiles/59-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":59,"expr":[{"type":"meta","dreg":1,"key":"mark"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"counter","pkts":55,"bytes":11407}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":59,"expr":[{"type":"meta","dreg":1,"key":"mark"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000000"}}},{"type":"counter","pkts":55,"bytes":11407}]}}]} diff --git a/tests/jsonfiles/60-rule-real.json b/tests/jsonfiles/60-rule-real.json index 54d5288..4b58efd 100644 --- a/tests/jsonfiles/60-rule-real.json +++ b/tests/jsonfiles/60-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":60,"expr":[{"type":"meta","dreg":1,"key":"iif"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000001"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":60,"expr":[{"type":"meta","dreg":1,"key":"iif"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x00000001"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/61-rule-real.json b/tests/jsonfiles/61-rule-real.json index 3942c3f..c6acf03 100644 --- a/tests/jsonfiles/61-rule-real.json +++ b/tests/jsonfiles/61-rule-real.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":61,"expr":[{"type":"meta","dreg":1,"key":"iifname"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x00000000","data2":"0x65000000","data3":"0x00306874"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":61,"expr":[{"type":"meta","dreg":1,"key":"iifname"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":16,"data0":"0x00000000","data1":"0x00000000","data2":"0x65000000","data3":"0x00306874"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/jsonfiles/62-set.json b/tests/jsonfiles/62-set.json index 0e52f70..8a8d99c 100644 --- a/tests/jsonfiles/62-set.json +++ b/tests/jsonfiles/62-set.json @@ -1 +1 @@ -{"set":{"name":"set0","table":"filter","flags":3,"family":"ip","key_type":12,"key_len":2,"set_elem":[{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001700"}}},{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}}]}} +{"nftables":[{"set":{"name":"set0","table":"filter","flags":3,"family":"ip","key_type":12,"key_len":2,"set_elem":[{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001700"}}},{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}}]}}]} diff --git a/tests/jsonfiles/63-set.json b/tests/jsonfiles/63-set.json index 90afec3..62ccd2f 100644 --- a/tests/jsonfiles/63-set.json +++ b/tests/jsonfiles/63-set.json @@ -1 +1 @@ -{"set":{"name":"map0","table":"filter","flags":11,"family":"ip","key_type":12,"key_len":2,"data_type":4294967040,"data_len":16,"set_elem":[{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001700"}},"data":{"data_reg":{"type":"chain","chain":"forward"}}},{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}},"data":{"data_reg":{"type":"chain","chain":"chain1"}}}]}} +{"nftables":[{"set":{"name":"map0","table":"f","flags":11,"family":"ip","key_type":12,"key_len":2,"data_type":4294967040,"data_len":16,"set_elem":[{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001700"}},"data":{"data_reg":{"type":"verdict","verdict":"goto","chain":"o"}}},{"flags":0,"key":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}},"data":{"data_reg":{"type":"verdict","verdict":"accept"}}}]}}]} diff --git a/tests/jsonfiles/64-ruleset.json b/tests/jsonfiles/64-ruleset.json index d1c22b8..3495d83 100644 --- a/tests/jsonfiles/64-ruleset.json +++ b/tests/jsonfiles/64-ruleset.json @@ -1,2 +1 @@ -{"nftables":[{"table":{"name":"filter","family":"ip","flags":0,"use":0}},{"table":{"name":"filter2","family":"ip6","flags":0,"use":0}},{"chain":{"name":"input","handle":1,"bytes":10681449,"packets":16216,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}},{"chain":{"name":"forward","handle":2,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"forward","prio":0,"policy":"accept"}},{"chain":{"name":"output","handle":3,"bytes":2375830,"packets":15184,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"output","prio":0,"policy":"accept"}},{"chain":{"name":"chain1","handle":4,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0}},{"set":{"name":"set0","table":"filter","flags":3,"family":"ip","key_type":12,"key_len":2}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":6,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"drop"}}}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":9,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"counter","pkts":0,"bytes":0}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":10,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}},{"rule":{"family":"ip","table":"filter", "chain":"output","handle":11,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"drop"}}}]}}]} - +{"nftables":[{"table":{"name":"filter","family":"ip","flags":0,"use":0}},{"table":{"name":"filter2","family":"ip6","flags":0,"use":0}},{"chain":{"name":"input","handle":1,"bytes":10681449,"packets":16216,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"input","prio":0,"policy":"accept"}},{"chain":{"name":"forward","handle":2,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"forward","prio":0,"policy":"accept"}},{"chain":{"name":"output","handle":3,"bytes":2375830,"packets":15184,"family":"ip","table":"filter","use":0,"type":"filter","hooknum":"output","prio":0,"policy":"accept"}},{"chain":{"name":"chain1","handle":4,"bytes":0,"packets":0,"family":"ip","table":"filter","use":0}},{"set":{"name":"set0","table":"filter","flags":3,"family":"ip","key_type":12,"key_len":2}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":6,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"drop"}}}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":9,"expr":[{"type":"payload","dreg":1,"offset":9,"len":1,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":1,"data0":"0x00000006"}}},{"type":"payload","dreg":1,"offset":2,"len":2,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":2,"data0":"0x00001600"}}},{"type":"counter","pkts":0,"bytes":0}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":10,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0}]}},{"rule":{"family":"ip","table":"filter","chain":"output","handle":11,"expr":[{"type":"payload","dreg":1,"offset":16,"len":4,"base":"link"},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x0100a8c0"}}},{"type":"counter","pkts":0,"bytes":0},{"type":"immediate","dreg":0,"immediatedata":{"data_reg":{"type":"verdict","verdict":"drop"}}}]}}]} diff --git a/tests/jsonfiles/65-rule-meta-target.json b/tests/jsonfiles/65-rule-meta-target.json index d058a1f..cf036bc 100644 --- a/tests/jsonfiles/65-rule-meta-target.json +++ b/tests/jsonfiles/65-rule-meta-target.json @@ -1 +1 @@ -{"rule":{"family":"ip","table":"filter","chain":"output","handle":1,"expr":[{"type":"meta","key":"mark","sreg":1},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}} +{"nftables":[{"rule":{"family":"ip","table":"filter","chain":"output","handle":1,"expr":[{"type":"meta","key":"mark","sreg":1},{"type":"cmp","sreg":1,"op":"eq","cmpdata":{"data_reg":{"type":"value","len":4,"data0":"0x000003e8"}}},{"type":"counter","pkts":0,"bytes":0}]}}]} diff --git a/tests/nft-chain-test.c b/tests/nft-chain-test.c index 80c1981..125562a 100644 --- a/tests/nft-chain-test.c +++ b/tests/nft-chain-test.c @@ -13,7 +13,7 @@ #include <string.h> #include <netinet/in.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/chain.h> +#include <libnftnl/chain.h> static int test_ok = 1; diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c index d755c75..0fe5329 100644 --- a/tests/nft-expr_bitwise-test.c +++ b/tests/nft-expr_bitwise-test.c @@ -16,8 +16,8 @@ #include <netinet/ip.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_byteorder-test.c b/tests/nft-expr_byteorder-test.c index 5e50da1..456d508 100644 --- a/tests/nft-expr_byteorder-test.c +++ b/tests/nft-expr_byteorder-test.c @@ -16,8 +16,8 @@ #include <netinet/ip.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_cmp-test.c b/tests/nft-expr_cmp-test.c index f435bbe..f411770 100644 --- a/tests/nft-expr_cmp-test.c +++ b/tests/nft-expr_cmp-test.c @@ -16,8 +16,8 @@ #include <netinet/ip.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_counter-test.c b/tests/nft-expr_counter-test.c index 70cac2b..e27d20a 100644 --- a/tests/nft-expr_counter-test.c +++ b/tests/nft-expr_counter-test.c @@ -16,8 +16,8 @@ #include <netinet/ip.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_ct-test.c b/tests/nft-expr_ct-test.c index f8bd13d..341d9e6 100644 --- a/tests/nft-expr_ct-test.c +++ b/tests/nft-expr_ct-test.c @@ -16,8 +16,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; static void print_err(const char *msg) diff --git a/tests/nft-expr_exthdr-test.c b/tests/nft-expr_exthdr-test.c index 64c364c..a712903 100644 --- a/tests/nft-expr_exthdr-test.c +++ b/tests/nft-expr_exthdr-test.c @@ -16,8 +16,8 @@ #include <netinet/ip.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_immediate-test.c b/tests/nft-expr_immediate-test.c index 91e8a3d..c45cefa 100644 --- a/tests/nft-expr_immediate-test.c +++ b/tests/nft-expr_immediate-test.c @@ -16,8 +16,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_limit-test.c b/tests/nft-expr_limit-test.c index c5730cc..38c3e5b 100644 --- a/tests/nft-expr_limit-test.c +++ b/tests/nft-expr_limit-test.c @@ -17,8 +17,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_log-test.c b/tests/nft-expr_log-test.c index 7590548..7e257ab 100644 --- a/tests/nft-expr_log-test.c +++ b/tests/nft-expr_log-test.c @@ -16,8 +16,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c index 760e69c..38a2a46 100644 --- a/tests/nft-expr_lookup-test.c +++ b/tests/nft-expr_lookup-test.c @@ -16,8 +16,8 @@ #include <netinet/ip.h> #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_match-test.c b/tests/nft-expr_match-test.c index dcb9f74..96b063a 100644 --- a/tests/nft-expr_match-test.c +++ b/tests/nft-expr_match-test.c @@ -18,8 +18,8 @@ #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/xt_iprange.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_meta-test.c b/tests/nft-expr_meta-test.c index 879f2e7..9196f9c 100644 --- a/tests/nft-expr_meta-test.c +++ b/tests/nft-expr_meta-test.c @@ -16,8 +16,8 @@ #include <linux/netfilter/nf_tables.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_nat-test.c b/tests/nft-expr_nat-test.c index 35b6479..64966b2 100644 --- a/tests/nft-expr_nat-test.c +++ b/tests/nft-expr_nat-test.c @@ -17,8 +17,8 @@ #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/xt_iprange.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_payload-test.c b/tests/nft-expr_payload-test.c index d6f4e05..3ce59f9 100644 --- a/tests/nft-expr_payload-test.c +++ b/tests/nft-expr_payload-test.c @@ -17,8 +17,8 @@ #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/xt_iprange.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_queue-test.c b/tests/nft-expr_queue-test.c index eb741f4..cfe01b6 100644 --- a/tests/nft-expr_queue-test.c +++ b/tests/nft-expr_queue-test.c @@ -19,8 +19,8 @@ #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/xt_iprange.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_reject-test.c b/tests/nft-expr_reject-test.c index 23784e9..0678081 100644 --- a/tests/nft-expr_reject-test.c +++ b/tests/nft-expr_reject-test.c @@ -17,8 +17,8 @@ #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/xt_iprange.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-expr_target-test.c b/tests/nft-expr_target-test.c index 7bde348..9387779 100644 --- a/tests/nft-expr_target-test.c +++ b/tests/nft-expr_target-test.c @@ -18,8 +18,8 @@ #include <linux/netfilter/xt_iprange.h> #include <linux/netfilter/xt_LOG.h> #include <libmnl/libmnl.h> -#include <libnftables/rule.h> -#include <libnftables/expr.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> static int test_ok = 1; diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c index 6a5ab4d..1786cb6 100644 --- a/tests/nft-parsing-test.c +++ b/tests/nft-parsing-test.c @@ -6,34 +6,17 @@ #include <errno.h> #include <libmnl/libmnl.h> /*nlmsghdr*/ -#include <libnftables/ruleset.h> -#include <libnftables/table.h> -#include <libnftables/chain.h> -#include <libnftables/rule.h> -#include <libnftables/set.h> - -#ifdef XML_PARSING -#include <mxml.h> -#endif - -#ifdef JSON_PARSING -#include <jansson.h> -#endif +#include <libnftnl/ruleset.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/rule.h> +#include <libnftnl/set.h> enum { - TEST_XML_TABLE = 0, - TEST_XML_CHAIN, - TEST_XML_RULE, - TEST_XML_SET, TEST_XML_RULESET, - TEST_JSON_TABLE, - TEST_JSON_CHAIN, - TEST_JSON_RULE, - TEST_JSON_SET, TEST_JSON_RULESET, }; -#if defined(XML_PARSING) || defined(JSON_PARSING) static void print_detail_error(char *a, char *b) { int i; @@ -73,68 +56,13 @@ static void print_detail_error(char *a, char *b) } } -static int compare_test(uint32_t type, void *input, const char *filename) +static int compare_test(uint32_t type, struct nft_ruleset *rs, + const char *filename, FILE *fp) { - struct nft_table *t = NULL; - struct nft_chain *c = NULL; - struct nft_rule *r = NULL; - struct nft_set *s = NULL; - struct nft_ruleset *rs = NULL; char orig[4096]; char out[4096]; - FILE *fp; switch (type) { - case TEST_XML_TABLE: - case TEST_JSON_TABLE: - t = (struct nft_table *)input; - break; - case TEST_XML_CHAIN: - case TEST_JSON_CHAIN: - c = (struct nft_chain *)input; - break; - case TEST_XML_RULE: - case TEST_JSON_RULE: - r = (struct nft_rule *)input; - break; - case TEST_XML_SET: - case TEST_JSON_SET: - s = (struct nft_set *)input; - break; - case TEST_XML_RULESET: - case TEST_JSON_RULESET: - rs = (struct nft_ruleset *)input; - break; - default: - errno = EINVAL; - return -1; - } - - switch (type) { - case TEST_XML_TABLE: - nft_table_snprintf(out, sizeof(out), t, NFT_OUTPUT_XML, 0); - break; - case TEST_JSON_TABLE: - nft_table_snprintf(out, sizeof(out), t, NFT_OUTPUT_JSON, 0); - break; - case TEST_XML_CHAIN: - nft_chain_snprintf(out, sizeof(out), c, NFT_OUTPUT_XML, 0); - break; - case TEST_JSON_CHAIN: - nft_chain_snprintf(out, sizeof(out), c, NFT_OUTPUT_JSON, 0); - break; - case TEST_XML_RULE: - nft_rule_snprintf(out, sizeof(out), r, NFT_OUTPUT_XML, 0); - break; - case TEST_JSON_RULE: - nft_rule_snprintf(out, sizeof(out), r, NFT_OUTPUT_JSON, 0); - break; - case TEST_XML_SET: - nft_set_snprintf(out, sizeof(out), s, NFT_OUTPUT_XML, 0); - break; - case TEST_JSON_SET: - nft_set_snprintf(out, sizeof(out), s, NFT_OUTPUT_JSON, 0); - break; case TEST_XML_RULESET: nft_ruleset_snprintf(out, sizeof(out), rs, NFT_OUTPUT_XML, 0); @@ -148,14 +76,8 @@ static int compare_test(uint32_t type, void *input, const char *filename) return -1; } - fp = fopen(filename, "r"); - if (fp == NULL) { - perror("open"); - exit(EXIT_FAILURE); - } - + rewind(fp); fgets(orig, sizeof(orig), fp); - fclose(fp); if (strncmp(orig, out, strlen(out)) == 0) return 0; @@ -165,194 +87,78 @@ static int compare_test(uint32_t type, void *input, const char *filename) print_detail_error(orig, out); return -1; } -#endif -static int test_json(const char *filename) +static int test_json(const char *filename, struct nft_parse_err *err) { -#ifdef JSON_PARSING int ret = -1; - struct nft_table *t; - struct nft_chain *c; - struct nft_rule *r; - struct nft_set *s; struct nft_ruleset *rs; - json_t *root; - json_error_t error; - char *json; + FILE *fp; - root = json_load_file(filename, 0, &error); - if (!root) { - printf("Error on the line %d : %s", error.line, error.text); + fp = fopen(filename, "r"); + if (fp == NULL) { + printf("unable to open file %s: %s\n", filename, + strerror(errno)); return -1; } - json = json_dumps(root, JSON_INDENT(0)); - - if (json_object_get(root, "table") != NULL) { - t = nft_table_alloc(); - if (t != NULL) { - if (nft_table_parse(t, NFT_PARSE_JSON, json) == 0) - ret = compare_test(TEST_JSON_TABLE, t, filename); - else - goto failparsing; - - nft_table_free(t); - } - } else if (json_object_get(root, "chain") != NULL) { - c = nft_chain_alloc(); - if (c != NULL) { - if (nft_chain_parse(c, NFT_PARSE_JSON, json) == 0) - ret = compare_test(TEST_JSON_CHAIN, c, filename); - else - goto failparsing; - - nft_chain_free(c); - } - } else if (json_object_get(root, "rule") != NULL) { - r = nft_rule_alloc(); - if (r != NULL) { - if (nft_rule_parse(r, NFT_PARSE_JSON, json) == 0) - ret = compare_test(TEST_JSON_RULE, r, filename); - else - goto failparsing; - - nft_rule_free(r); - } - } else if (json_object_get(root, "set") != NULL) { - s = nft_set_alloc(); - if (s != NULL) { - if (nft_set_parse(s, NFT_PARSE_JSON, json) == 0) - ret = compare_test(TEST_JSON_SET, s, filename); - else - goto failparsing; + rs = nft_ruleset_alloc(); + if (rs == NULL) { + perror("nft_ruleset_alloc"); + return -1; + } - nft_set_free(s); - } - } else if (json_object_get(root, "nftables") != NULL) { - rs = nft_ruleset_alloc(); - if (rs != NULL) { - if (nft_ruleset_parse(rs, NFT_PARSE_JSON, json) == 0) - ret = compare_test(TEST_JSON_RULESET, rs, filename); - else - goto failparsing; + if (nft_ruleset_parse_file(rs, NFT_PARSE_JSON, fp, err) == 0) + ret = compare_test(TEST_JSON_RULESET, rs, filename, fp); + else + goto failparsing; - nft_ruleset_free(rs); - } - } + nft_ruleset_free(rs); + fclose(fp); - free(json); - json_decref(root); return ret; failparsing: + fclose(fp); printf("parsing %s: ", filename); printf("\033[31mFAILED\e[0m (%s)\n", strerror(errno)); - free(json); - json_decref(root); + nft_parse_perror("fail", err); return -1; -#else - printf("Compiled without support for JSON.\n"); - return -1; -#endif } -static int test_xml(const char *filename) +static int test_xml(const char *filename, struct nft_parse_err *err) { -#ifdef XML_PARSING int ret = -1; - struct nft_table *t; - struct nft_chain *c; - struct nft_rule *r; - struct nft_set *s; struct nft_ruleset *rs; FILE *fp; - mxml_node_t *tree; - char *xml; fp = fopen(filename, "r"); - tree = mxmlLoadFile(NULL, fp, MXML_NO_CALLBACK); - fclose(fp); - - if (tree == NULL) { - printf("unable to build XML tree from file " - "%s \033[31mFAILED\e[0m\n", filename); + if (fp == NULL) { + printf("unable to open file %s: %s\n", filename, + strerror(errno)); return -1; } - xml = mxmlSaveAllocString(tree, MXML_NO_CALLBACK); - if (xml == NULL) { - printf("unable to alloc string from XML tree from %s " - "\033[31mFAILED\e[0m\n", filename); + rs = nft_ruleset_alloc(); + if (rs == NULL) { + perror("nft_ruleset_alloc"); return -1; } - /* Check what parsing should be done */ - if (strcmp(tree->value.opaque, "table") == 0) { - t = nft_table_alloc(); - if (t != NULL) { - if (nft_table_parse(t, NFT_PARSE_XML, xml) == 0) - ret = compare_test(TEST_XML_TABLE, t, filename); - else - goto failparsing; - - nft_table_free(t); - } - } else if (strcmp(tree->value.opaque, "chain") == 0) { - c = nft_chain_alloc(); - if (c != NULL) { - if (nft_chain_parse(c, NFT_PARSE_XML, xml) == 0) - ret = compare_test(TEST_XML_CHAIN, c, filename); - else - goto failparsing; - - nft_chain_free(c); - } - } else if (strcmp(tree->value.opaque, "rule") == 0) { - r = nft_rule_alloc(); - if (r != NULL) { - if (nft_rule_parse(r, NFT_PARSE_XML, xml) == 0) - ret = compare_test(TEST_XML_RULE, r, filename); - else - goto failparsing; + if (nft_ruleset_parse_file(rs, NFT_PARSE_XML, fp, err) == 0) + ret = compare_test(TEST_XML_RULESET, rs, filename, fp); + else + goto failparsing; - nft_rule_free(r); - } - } else if (strcmp(tree->value.opaque, "set") == 0) { - s = nft_set_alloc(); - if (s != NULL) { - if (nft_set_parse(s, NFT_PARSE_XML, xml) == 0) - ret = compare_test(TEST_XML_SET, s, filename); - else - goto failparsing; - - nft_set_free(s); - } - } else if (strcmp(tree->value.opaque, "nftables") == 0) { - rs = nft_ruleset_alloc(); - if (rs != NULL) { - if (nft_ruleset_parse(rs, NFT_PARSE_XML, - xml) == 0) - ret = compare_test(TEST_XML_RULESET, rs, - filename); - else - goto failparsing; - - nft_ruleset_free(rs); - } - } + nft_ruleset_free(rs); + fclose(fp); - mxmlDelete(tree); return ret; failparsing: - mxmlDelete(tree); + fclose(fp); printf("parsing %s: ", filename); printf("\033[31mFAILED\e[0m (%s)\n", strerror(errno)); return -1; -#else - printf("Compiled without support for XML.\n"); - return -1; -#endif } int main(int argc, char *argv[]) @@ -361,6 +167,7 @@ int main(int argc, char *argv[]) struct dirent *dent; char path[PATH_MAX]; int ret = 0, exit_code = 0; + struct nft_parse_err *err; if (argc != 2) { fprintf(stderr, "Usage: %s <directory>\n", argv[0]); @@ -373,6 +180,12 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + err = nft_parse_err_alloc(); + if (err == NULL) { + perror("error"); + exit(EXIT_FAILURE); + } + while ((dent = readdir(d)) != NULL) { int len = strlen(dent->d_name); @@ -383,14 +196,14 @@ int main(int argc, char *argv[]) snprintf(path, sizeof(path), "%s/%s", argv[1], dent->d_name); if (strcmp(&dent->d_name[len-4], ".xml") == 0) { - if ((ret = test_xml(path)) == 0) { + if ((ret = test_xml(path, err)) == 0) { printf("parsing and validating %s: ", path); printf("\033[32mOK\e[0m\n"); } exit_code += ret; } if (strcmp(&dent->d_name[len-5], ".json") == 0) { - if ((ret = test_json(path)) == 0) { + if ((ret = test_json(path, err)) == 0) { printf("parsing and validating %s: ", path); printf("\033[32mOK\e[0m\n"); } @@ -399,6 +212,7 @@ int main(int argc, char *argv[]) } closedir(d); + nft_parse_err_free(err); if (exit_code != 0) exit(EXIT_FAILURE); diff --git a/tests/nft-rule-test.c b/tests/nft-rule-test.c index 5b99003..80338d0 100644 --- a/tests/nft-rule-test.c +++ b/tests/nft-rule-test.c @@ -14,7 +14,7 @@ #include <netinet/in.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/rule.h> +#include <libnftnl/rule.h> static int test_ok = 1; diff --git a/tests/nft-set-test.c b/tests/nft-set-test.c index 5930af3..141dfd3 100644 --- a/tests/nft-set-test.c +++ b/tests/nft-set-test.c @@ -14,7 +14,7 @@ #include <netinet/in.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/set.h> +#include <libnftnl/set.h> static int test_ok = 1; diff --git a/tests/nft-table-test.c b/tests/nft-table-test.c index fd85f42..051163b 100644 --- a/tests/nft-table-test.c +++ b/tests/nft-table-test.c @@ -14,7 +14,7 @@ #include <netinet/in.h> #include <linux/netfilter/nf_tables.h> -#include <libnftables/table.h> +#include <libnftnl/table.h> static int test_ok = 1; diff --git a/tests/xmlfiles/01-table.xml b/tests/xmlfiles/01-table.xml index 1a11aa3..655b544 100644 --- a/tests/xmlfiles/01-table.xml +++ b/tests/xmlfiles/01-table.xml @@ -1 +1 @@ -<table><name>filter</name><family>ip</family><flags>0</flags><use>0</use></table> +<nftables><table><name>filter</name><family>ip</family><flags>0</flags><use>0</use></table></nftables> diff --git a/tests/xmlfiles/02-table.xml b/tests/xmlfiles/02-table.xml index ece0455..5de924f 100644 --- a/tests/xmlfiles/02-table.xml +++ b/tests/xmlfiles/02-table.xml @@ -1 +1 @@ -<table><name>nat</name><family>ip6</family><flags>0</flags><use>0</use></table> +<nftables><table><name>nat</name><family>ip6</family><flags>0</flags><use>0</use></table></nftables> diff --git a/tests/xmlfiles/10-chain.xml b/tests/xmlfiles/10-chain.xml index c6aa156..9c00eda 100644 --- a/tests/xmlfiles/10-chain.xml +++ b/tests/xmlfiles/10-chain.xml @@ -1 +1 @@ -<chain><name>test</name><handle>0</handle><bytes>0</bytes><packets>0</packets><table>filter</table><type>filter</type><hooknum>input</hooknum><prio>0</prio><policy>accept</policy><family>ip</family></chain> +<nftables><chain><name>test</name><handle>0</handle><bytes>0</bytes><packets>0</packets><table>filter</table><type>filter</type><hooknum>input</hooknum><prio>0</prio><policy>accept</policy><family>ip</family></chain></nftables> diff --git a/tests/xmlfiles/11-chain.xml b/tests/xmlfiles/11-chain.xml index 3423078..3d9978e 100644 --- a/tests/xmlfiles/11-chain.xml +++ b/tests/xmlfiles/11-chain.xml @@ -1 +1 @@ -<chain><name>test</name><handle>0</handle><bytes>59</bytes><packets>1</packets><table>filter</table><type>filter</type><hooknum>forward</hooknum><prio>0</prio><policy>drop</policy><family>ip6</family></chain> +<nftables><chain><name>test</name><handle>0</handle><bytes>59</bytes><packets>1</packets><table>filter</table><type>filter</type><hooknum>forward</hooknum><prio>0</prio><policy>drop</policy><family>ip6</family></chain></nftables> diff --git a/tests/xmlfiles/12-chain.xml b/tests/xmlfiles/12-chain.xml index 6afcd00..db0f56c 100644 --- a/tests/xmlfiles/12-chain.xml +++ b/tests/xmlfiles/12-chain.xml @@ -1 +1 @@ -<chain><name>foo</name><handle>100</handle><bytes>59264154979</bytes><packets>2548796325</packets><table>nat</table><type>nat</type><hooknum>postrouting</hooknum><prio>0</prio><policy>accept</policy><family>ip</family></chain> +<nftables><chain><name>foo</name><handle>100</handle><bytes>59264154979</bytes><packets>2548796325</packets><table>nat</table><type>nat</type><hooknum>postrouting</hooknum><prio>0</prio><policy>accept</policy><family>ip</family></chain></nftables> diff --git a/tests/xmlfiles/20-rule-bitwise.xml b/tests/xmlfiles/20-rule-bitwise.xml index 9517db9..756b22c 100644 --- a/tests/xmlfiles/20-rule-bitwise.xml +++ b/tests/xmlfiles/20-rule-bitwise.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="bitwise"><sreg>1</sreg><dreg>1</dreg><len>4</len><mask><data_reg type="value"><len>4</len><data0>0x0000000a</data0></data_reg></mask><xor><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></xor></expr></rule> -<!-- nft add rule filter input ct state new,established accept --> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="bitwise"><sreg>1</sreg><dreg>1</dreg><len>4</len><mask><data_reg type="value"><len>4</len><data0>0x0000000a</data0></data_reg></mask><xor><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></xor></expr></rule></nftables> diff --git a/tests/xmlfiles/21-rule-byteorder.xml b/tests/xmlfiles/21-rule-byteorder.xml index f8f13b6..fce4ed1 100644 --- a/tests/xmlfiles/21-rule-byteorder.xml +++ b/tests/xmlfiles/21-rule-byteorder.xml @@ -1 +1 @@ -<rule><family>ip</family><table>test</table><chain>test</chain><handle>1000</handle><expr type="byteorder"><sreg>3</sreg><dreg>4</dreg><op>hton</op><len>4</len><size>4</size></expr></rule> +<nftables><rule><family>ip</family><table>test</table><chain>test</chain><handle>1000</handle><expr type="byteorder"><sreg>3</sreg><dreg>4</dreg><op>hton</op><len>4</len><size>4</size></expr></rule></nftables> diff --git a/tests/xmlfiles/22-rule-cmp.xml b/tests/xmlfiles/22-rule-cmp.xml index 837d0de..308fb9f 100644 --- a/tests/xmlfiles/22-rule-cmp.xml +++ b/tests/xmlfiles/22-rule-cmp.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>36</handle><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x6e6f6200</data1><data2>0x2e303164</data2><data3>0x00393331</data3></data_reg></cmpdata></expr></rule> -<!-- nft add rule ip6 filter test meta iifname bond10.139 accept --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>36</handle><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x6e6f6200</data1><data2>0x2e303164</data2><data3>0x00393331</data3></data_reg></cmpdata></expr></rule></nftables> diff --git a/tests/xmlfiles/23-rule-counter.xml b/tests/xmlfiles/23-rule-counter.xml index 77aba7a..6299e84 100644 --- a/tests/xmlfiles/23-rule-counter.xml +++ b/tests/xmlfiles/23-rule-counter.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>39</handle><expr type="counter"><pkts>3</pkts><bytes>177</bytes></expr></rule> -<!-- nft add rule ip6 filter test udp dport 53 counter accept --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>39</handle><expr type="counter"><pkts>3</pkts><bytes>177</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/24-rule-ct.xml b/tests/xmlfiles/24-rule-ct.xml index 814ab52..1939e43 100644 --- a/tests/xmlfiles/24-rule-ct.xml +++ b/tests/xmlfiles/24-rule-ct.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="ct"><dreg>1</dreg><key>state</key><dir>0</dir></expr></rule> -<!-- nft add rule filter input ct state new,established accept --> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="ct"><dreg>1</dreg><key>state</key><dir>original</dir></expr></rule></nftables> diff --git a/tests/xmlfiles/25-rule-exthdr.xml b/tests/xmlfiles/25-rule-exthdr.xml index 6bf139c..9e10a88 100644 --- a/tests/xmlfiles/25-rule-exthdr.xml +++ b/tests/xmlfiles/25-rule-exthdr.xml @@ -1 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="exthdr"><dreg>1</dreg><exthdr_type>mh</exthdr_type><offset>2</offset><len>16</len></expr></rule> +<nftables><rule><family>ip6</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="exthdr"><dreg>1</dreg><exthdr_type>mh</exthdr_type><offset>2</offset><len>16</len></expr></rule></nftables> diff --git a/tests/xmlfiles/26-rule-immediate.xml b/tests/xmlfiles/26-rule-immediate.xml index 2928142..1258c8b 100644 --- a/tests/xmlfiles/26-rule-immediate.xml +++ b/tests/xmlfiles/26-rule-immediate.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>input</chain><handle>32</handle><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>accept</verdict></data_reg></immediatedata></expr></rule> -<!-- nft add rule filter input ct state new,established accept --> +<nftables><rule><family>ip</family><table>filter</table><chain>input</chain><handle>32</handle><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>accept</verdict></data_reg></immediatedata></expr></rule></nftables> diff --git a/tests/xmlfiles/27-rule-limit.xml b/tests/xmlfiles/27-rule-limit.xml index 6761c9e..a4398e8 100644 --- a/tests/xmlfiles/27-rule-limit.xml +++ b/tests/xmlfiles/27-rule-limit.xml @@ -1 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="limit"><rate>123123</rate><unit>321321</unit></expr></rule> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="limit"><rate>123123</rate><unit>321321</unit></expr></rule></nftables> diff --git a/tests/xmlfiles/28-rule-log.xml b/tests/xmlfiles/28-rule-log.xml index d30e5fb..5865bd4 100644 --- a/tests/xmlfiles/28-rule-log.xml +++ b/tests/xmlfiles/28-rule-log.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>96</handle><expr type="log"><prefix>test_chain</prefix><group>1</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr></rule> -<!-- nft add rule ip6 filter test log prefix test_chain group 1 --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>96</handle><expr type="log"><prefix>test_chain</prefix><group>1</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr></rule></nftables> diff --git a/tests/xmlfiles/29-rule-lookup.xml b/tests/xmlfiles/29-rule-lookup.xml index b08ccd3..052b008 100644 --- a/tests/xmlfiles/29-rule-lookup.xml +++ b/tests/xmlfiles/29-rule-lookup.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>37</handle><expr type="lookup"><set>set0</set><sreg>1</sreg><dreg>0</dreg></expr></rule> -<!-- nft add rule ip6 filter test ip6 saddr { ::2 , ::3 } drop --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>37</handle><expr type="lookup"><set>set0</set><sreg>1</sreg><dreg>0</dreg></expr></rule></nftables> diff --git a/tests/xmlfiles/30-rule-match.xml b/tests/xmlfiles/30-rule-match.xml index b4cf72b..4cfe33b 100644 --- a/tests/xmlfiles/30-rule-match.xml +++ b/tests/xmlfiles/30-rule-match.xml @@ -1 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="match"><name>state</name></expr></rule> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="match"><name>state</name></expr></rule></nftables> diff --git a/tests/xmlfiles/31-rule-meta.xml b/tests/xmlfiles/31-rule-meta.xml index b38e430..a1c9e8c 100644 --- a/tests/xmlfiles/31-rule-meta.xml +++ b/tests/xmlfiles/31-rule-meta.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>36</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr></rule> -<!-- nft add rule ip6 filter test meta iifname bond10.139 accept --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>36</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr></rule></nftables> diff --git a/tests/xmlfiles/32-rule-nat6.xml b/tests/xmlfiles/32-rule-nat6.xml index 81566ce..f96b7d8 100644 --- a/tests/xmlfiles/32-rule-nat6.xml +++ b/tests/xmlfiles/32-rule-nat6.xml @@ -1 +1 @@ -<rule><family>ip6</family><table>nat</table><chain>OUTPUT</chain><handle>100</handle><expr type="nat"><type>snat</type><family>ip6</family><sreg_addr_min>1</sreg_addr_min><sreg_addr_max>2</sreg_addr_max><sreg_proto_min>3</sreg_proto_min><sreg_proto_max>4</sreg_proto_max></expr></rule> +<nftables><rule><family>ip6</family><table>nat</table><chain>OUTPUT</chain><handle>100</handle><expr type="nat"><type>snat</type><family>ip6</family><sreg_addr_min>1</sreg_addr_min><sreg_addr_max>2</sreg_addr_max><sreg_proto_min>3</sreg_proto_min><sreg_proto_max>4</sreg_proto_max></expr></rule></nftables> diff --git a/tests/xmlfiles/33-rule-nat4.xml b/tests/xmlfiles/33-rule-nat4.xml index 0e495a8..73c5b56 100644 --- a/tests/xmlfiles/33-rule-nat4.xml +++ b/tests/xmlfiles/33-rule-nat4.xml @@ -1 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="nat"><type>dnat</type><family>ip</family><sreg_addr_min>1</sreg_addr_min><sreg_addr_max>2</sreg_addr_max><sreg_proto_min>3</sreg_proto_min><sreg_proto_max>4</sreg_proto_max></expr></rule> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="nat"><type>dnat</type><family>ip</family><sreg_addr_min>1</sreg_addr_min><sreg_addr_max>2</sreg_addr_max><sreg_proto_min>3</sreg_proto_min><sreg_proto_max>4</sreg_proto_max></expr></rule></nftables> diff --git a/tests/xmlfiles/34-rule-payload.xml b/tests/xmlfiles/34-rule-payload.xml index 6c2da6a..a6faca9 100644 --- a/tests/xmlfiles/34-rule-payload.xml +++ b/tests/xmlfiles/34-rule-payload.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>34</handle><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr></rule> -<!-- nft add rule ip6 filter test tcp dport 22 accept --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>34</handle><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr></rule></nftables> diff --git a/tests/xmlfiles/35-rule-target.xml b/tests/xmlfiles/35-rule-target.xml index 6925d96..5b46350 100644 --- a/tests/xmlfiles/35-rule-target.xml +++ b/tests/xmlfiles/35-rule-target.xml @@ -1 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="target"><name>LOG</name></expr></rule> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>100</handle><expr type="target"><name>LOG</name></expr></rule></nftables> diff --git a/tests/xmlfiles/36-rule-real.xml b/tests/xmlfiles/36-rule-real.xml index 1c953e7..5c8e075 100644 --- a/tests/xmlfiles/36-rule-real.xml +++ b/tests/xmlfiles/36-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>22</handle><expr type="payload"><dreg>1</dreg><offset>12</offset><len>8</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x0100a8c0</data0><data1>0x6400a8c0</data1></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter INPUT ip saddr 192.168.0.1 ip daddr 192.168.0.100 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>22</handle><expr type="payload"><dreg>1</dreg><offset>12</offset><len>8</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x0100a8c0</data0><data1>0x6400a8c0</data1></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/37-rule-real.xml b/tests/xmlfiles/37-rule-real.xml index 3c8ba13..d9293f6 100644 --- a/tests/xmlfiles/37-rule-real.xml +++ b/tests/xmlfiles/37-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>25</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x65000000</data2><data3>0x00306874</data3></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00001600</data0></data_reg></cmpdata></expr><expr type="ct"><dreg>1</dreg><key>state</key><dir>0</dir></expr><expr type="bitwise"><sreg>1</sreg><dreg>1</dreg><len>4</len><mask><data_reg type="value"><len>4</len><data0>0x0000000a</data0></data_reg></mask><xor><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></xor></expr><expr type="cmp"><sreg>1</sreg><op>neq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="log"><prefix>testprefix</prefix><group>1</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr></rule> -<!-- nft add rule filter INPUT meta iifname "eth0" tcp dport 22 ct state new,established counter log prefix testprefix group 1 --> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>25</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x65000000</data2><data3>0x00306874</data3></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00001600</data0></data_reg></cmpdata></expr><expr type="ct"><dreg>1</dreg><key>state</key><dir>original</dir></expr><expr type="bitwise"><sreg>1</sreg><dreg>1</dreg><len>4</len><mask><data_reg type="value"><len>4</len><data0>0x0000000a</data0></data_reg></mask><xor><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></xor></expr><expr type="cmp"><sreg>1</sreg><op>neq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="log"><prefix>testprefix</prefix><group>1</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr></rule></nftables> diff --git a/tests/xmlfiles/38-rule-real.xml b/tests/xmlfiles/38-rule-real.xml index 6161425..b8830b0 100644 --- a/tests/xmlfiles/38-rule-real.xml +++ b/tests/xmlfiles/38-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>30</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="lookup"><set>set3</set><sreg>1</sreg><dreg>0</dreg></expr><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x0000bb01</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>accept</verdict></data_reg></immediatedata></expr></rule> -<!-- nft add rule ip filter INPUT ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } tcp dport 443 counter accept --> +<nftables><rule><family>ip</family><table>filter</table><chain>INPUT</chain><handle>30</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="lookup"><set>set3</set><sreg>1</sreg><dreg>0</dreg></expr><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x0000bb01</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>accept</verdict></data_reg></immediatedata></expr></rule></nftables> diff --git a/tests/xmlfiles/39-rule-real.xml b/tests/xmlfiles/39-rule-real.xml index fbf3d61..9a69a61 100644 --- a/tests/xmlfiles/39-rule-real.xml +++ b/tests/xmlfiles/39-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>31</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x6f620000</data2><data3>0x0030646e</data3></data_reg></cmpdata></expr><expr type="meta"><dreg>1</dreg><key>oifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x62000000</data1><data2>0x31646e6f</data2><data3>0x0037322e</data3></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>8</offset><len>16</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0xc09a002a</data0><data1>0x2700cac1</data1><data2>0x00000000</data2><data3>0x50010000</data3></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>6</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000011</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00003500</data0></data_reg></cmpdata></expr><expr type="ct"><dreg>1</dreg><key>status</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="log"><prefix>dns_drop</prefix><group>2</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>drop</verdict></data_reg></immediatedata></expr></rule> -<!-- nft add rule ip6 filter test meta iifname "bond0" meta oifname "bond1.27" ip6 saddr 2a00:9ac0:c1ca:27::150 udp dport 53 ct status expected counter log prefix dns_drop group 2 drop --> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>31</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x6f620000</data2><data3>0x0030646e</data3></data_reg></cmpdata></expr><expr type="meta"><dreg>1</dreg><key>oifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x62000000</data1><data2>0x31646e6f</data2><data3>0x0037322e</data3></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>8</offset><len>16</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0xc09a002a</data0><data1>0x2700cac1</data1><data2>0x00000000</data2><data3>0x50010000</data3></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>6</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000011</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00003500</data0></data_reg></cmpdata></expr><expr type="ct"><dreg>1</dreg><key>status</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="log"><prefix>dns_drop</prefix><group>2</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>drop</verdict></data_reg></immediatedata></expr></rule></nftables> diff --git a/tests/xmlfiles/40-rule-real.xml b/tests/xmlfiles/40-rule-real.xml index 8e1d565..0041ebf 100644 --- a/tests/xmlfiles/40-rule-real.xml +++ b/tests/xmlfiles/40-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>2</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr></rule> -<!-- nft add rule filter output ip daddr 192.168.0.1 --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>2</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr></rule></nftables> diff --git a/tests/xmlfiles/41-rule-real.xml b/tests/xmlfiles/41-rule-real.xml index 810267d..bd213b0 100644 --- a/tests/xmlfiles/41-rule-real.xml +++ b/tests/xmlfiles/41-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>3</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>gte</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="cmp"><sreg>1</sreg><op>lte</op><cmpdata><data_reg type="value"><len>4</len><data0>0xfa00a8c0</data0></data_reg></cmpdata></expr></rule> -<!-- nft add rule filter output ip daddr 192.168.0.1-192.168.0.250 --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>3</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>gte</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="cmp"><sreg>1</sreg><op>lte</op><cmpdata><data_reg type="value"><len>4</len><data0>0xfa00a8c0</data0></data_reg></cmpdata></expr></rule></nftables> diff --git a/tests/xmlfiles/42-rule-real.xml b/tests/xmlfiles/42-rule-real.xml index 6aba9eb..b5cc1bd 100644 --- a/tests/xmlfiles/42-rule-real.xml +++ b/tests/xmlfiles/42-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>4</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output ip daddr 192.168.0.1 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>4</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/43-rule-real.xml b/tests/xmlfiles/43-rule-real.xml index 7a2fe6b..a84f513 100644 --- a/tests/xmlfiles/43-rule-real.xml +++ b/tests/xmlfiles/43-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>5</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>drop</verdict></data_reg></immediatedata></expr></rule> -<!-- nft add rule filter output ip daddr 192.168.0.1 counter drop --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>5</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="immediate"><dreg>0</dreg><immediatedata><data_reg type="verdict"><verdict>drop</verdict></data_reg></immediatedata></expr></rule></nftables> diff --git a/tests/xmlfiles/44-rule-real.xml b/tests/xmlfiles/44-rule-real.xml index 69bdca8..5a99e6f 100644 --- a/tests/xmlfiles/44-rule-real.xml +++ b/tests/xmlfiles/44-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>6</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="log"><prefix>(null)</prefix><group>0</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr></rule> -<!-- nft add rule filter output ip daddr 192.168.0.1 counter log --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>6</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr><expr type="log"><prefix>(null)</prefix><group>0</group><snaplen>0</snaplen><qthreshold>0</qthreshold></expr></rule></nftables> diff --git a/tests/xmlfiles/45-rule-real.xml b/tests/xmlfiles/45-rule-real.xml index 36837de..53fa009 100644 --- a/tests/xmlfiles/45-rule-real.xml +++ b/tests/xmlfiles/45-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>7</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00001600</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output tcp dport 22 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>7</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00001600</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/46-rule-real.xml b/tests/xmlfiles/46-rule-real.xml index 8465d0f..0ddf6c8 100644 --- a/tests/xmlfiles/46-rule-real.xml +++ b/tests/xmlfiles/46-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>8</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>0</offset><len>4</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x16000004</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output tcp sport 1024 tcp dport 22 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>8</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>0</offset><len>4</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x16000004</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/47-rule-real.xml b/tests/xmlfiles/47-rule-real.xml index 39a09a5..fde6d26 100644 --- a/tests/xmlfiles/47-rule-real.xml +++ b/tests/xmlfiles/47-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>9</handle><expr type="payload"><dreg>1</dreg><offset>12</offset><len>8</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x0100a8c0</data0><data1>0x6400a8c0</data1></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output ip saddr 192.168.0.1 ip daddr 192.168.0.100 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>9</handle><expr type="payload"><dreg>1</dreg><offset>12</offset><len>8</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x0100a8c0</data0><data1>0x6400a8c0</data1></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/48-rule-real.xml b/tests/xmlfiles/48-rule-real.xml index 89c5088..547a0f6 100644 --- a/tests/xmlfiles/48-rule-real.xml +++ b/tests/xmlfiles/48-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>10</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>0</offset><len>8</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x16000004</data0><data1>0x00000000</data1></data_reg></cmpdata></expr></rule> -<!-- nft add rule filter output tcp sequence 0 tcp sport 1024 tcp dport 22 --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>10</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>0</offset><len>8</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x16000004</data0><data1>0x00000000</data1></data_reg></cmpdata></expr></rule></nftables> diff --git a/tests/xmlfiles/49-rule-real.xml b/tests/xmlfiles/49-rule-real.xml index 0896823..dc662a3 100644 --- a/tests/xmlfiles/49-rule-real.xml +++ b/tests/xmlfiles/49-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>11</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>0</offset><len>8</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x16000004</data0><data1>0x00000000</data1></data_reg></cmpdata></expr></rule> -<!-- nft add rule filter output tcp sport 1024 tcp dport 22 tcp sequence 0 --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>11</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>0</offset><len>8</len><base>transport</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>8</len><data0>0x16000004</data0><data1>0x00000000</data1></data_reg></cmpdata></expr></rule></nftables> diff --git a/tests/xmlfiles/50-rule-real.xml b/tests/xmlfiles/50-rule-real.xml index 1195131..c52e00e 100644 --- a/tests/xmlfiles/50-rule-real.xml +++ b/tests/xmlfiles/50-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>12</handle><expr type="ct"><dreg>1</dreg><key>state</key><dir>0</dir></expr><expr type="bitwise"><sreg>1</sreg><dreg>1</dreg><len>4</len><mask><data_reg type="value"><len>4</len><data0>0x0000000a</data0></data_reg></mask><xor><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></xor></expr><expr type="cmp"><sreg>1</sreg><op>neq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule> -<!-- nft add rule filter output ct state new,established counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>12</handle><expr type="ct"><dreg>1</dreg><key>state</key><dir>original</dir></expr><expr type="bitwise"><sreg>1</sreg><dreg>1</dreg><len>4</len><mask><data_reg type="value"><len>4</len><data0>0x0000000a</data0></data_reg></mask><xor><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></xor></expr><expr type="cmp"><sreg>1</sreg><op>neq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/51-rule-real.xml b/tests/xmlfiles/51-rule-real.xml index 4064ffb..93d6632 100644 --- a/tests/xmlfiles/51-rule-real.xml +++ b/tests/xmlfiles/51-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>13</handle><expr type="ct"><dreg>1</dreg><key>direction</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>5</pkts><bytes>160</bytes></expr></rule> -<!-- nft add rule filter output ct direction original counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>13</handle><expr type="ct"><dreg>1</dreg><key>direction</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>5</pkts><bytes>160</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/52-rule-real.xml b/tests/xmlfiles/52-rule-real.xml index 6ee7459..c6ca9ec 100644 --- a/tests/xmlfiles/52-rule-real.xml +++ b/tests/xmlfiles/52-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>14</handle><expr type="ct"><dreg>1</dreg><key>direction</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>50</pkts><bytes>11247</bytes></expr></rule> -<!-- nft add rule filter output ct direction reply counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>14</handle><expr type="ct"><dreg>1</dreg><key>direction</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>50</pkts><bytes>11247</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/53-rule-real.xml b/tests/xmlfiles/53-rule-real.xml index ec4ea21..8cb0783 100644 --- a/tests/xmlfiles/53-rule-real.xml +++ b/tests/xmlfiles/53-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>15</handle><expr type="ct"><dreg>1</dreg><key>status</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output ct status expected counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>15</handle><expr type="ct"><dreg>1</dreg><key>status</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/54-rule-real.xml b/tests/xmlfiles/54-rule-real.xml index c80d43a..0c0dc9a 100644 --- a/tests/xmlfiles/54-rule-real.xml +++ b/tests/xmlfiles/54-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>16</handle><expr type="ct"><dreg>1</dreg><key>mark</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000064</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft rule add filter output ct mark 100 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>16</handle><expr type="ct"><dreg>1</dreg><key>mark</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000064</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/55-rule-real.xml b/tests/xmlfiles/55-rule-real.xml index 47f2e01..fca8c99 100644 --- a/tests/xmlfiles/55-rule-real.xml +++ b/tests/xmlfiles/55-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>17</handle><expr type="ct"><dreg>1</dreg><key>secmark</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule> -<!-- nft add rule filter output ct secmark 0 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>17</handle><expr type="ct"><dreg>1</dreg><key>secmark</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/56-rule-real.xml b/tests/xmlfiles/56-rule-real.xml index e4965e1..1ea7f0c 100644 --- a/tests/xmlfiles/56-rule-real.xml +++ b/tests/xmlfiles/56-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>18</handle><expr type="ct"><dreg>1</dreg><key>expiration</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0000001e</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output ct expiration 30 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>18</handle><expr type="ct"><dreg>1</dreg><key>expiration</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x0000001e</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/57-rule-real.xml b/tests/xmlfiles/57-rule-real.xml index 985b274..6036973 100644 --- a/tests/xmlfiles/57-rule-real.xml +++ b/tests/xmlfiles/57-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>19</handle><expr type="ct"><dreg>1</dreg><key>helper</key><dir>0</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00707466</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output ct helper "ftp" counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>19</handle><expr type="ct"><dreg>1</dreg><key>helper</key><dir>original</dir></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00707466</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/58-rule-real.xml b/tests/xmlfiles/58-rule-real.xml index 4b456c1..d9bfe3a 100644 --- a/tests/xmlfiles/58-rule-real.xml +++ b/tests/xmlfiles/58-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>20</handle><expr type="meta"><dreg>1</dreg><key>len</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x000003e8</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta length 1000 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>20</handle><expr type="meta"><dreg>1</dreg><key>len</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x000003e8</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/59-rule-real.xml b/tests/xmlfiles/59-rule-real.xml index 603fe19..6af8aa6 100644 --- a/tests/xmlfiles/59-rule-real.xml +++ b/tests/xmlfiles/59-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>21</handle><expr type="meta"><dreg>1</dreg><key>protocol</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00000008</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule> -<!-- nft add rule ip filter output meta protocol 0x0800 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>21</handle><expr type="meta"><dreg>1</dreg><key>protocol</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>2</len><data0>0x00000008</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/60-rule-real.xml b/tests/xmlfiles/60-rule-real.xml index 66a96fe..24cf057 100644 --- a/tests/xmlfiles/60-rule-real.xml +++ b/tests/xmlfiles/60-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>22</handle><expr type="meta"><dreg>1</dreg><key>mark</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule> -<!-- nft add rule ip filter output meta mark 0 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>22</handle><expr type="meta"><dreg>1</dreg><key>mark</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/61-rule-real.xml b/tests/xmlfiles/61-rule-real.xml index 5c1340c..3aaad57 100644 --- a/tests/xmlfiles/61-rule-real.xml +++ b/tests/xmlfiles/61-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>23</handle><expr type="meta"><dreg>1</dreg><key>iif</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta iif lo counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>23</handle><expr type="meta"><dreg>1</dreg><key>iif</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/62-rule-real.xml b/tests/xmlfiles/62-rule-real.xml index 6a6d381..d7935d1 100644 --- a/tests/xmlfiles/62-rule-real.xml +++ b/tests/xmlfiles/62-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>24</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x65000000</data2><data3>0x00306874</data3></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta iifname "eth0" counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>24</handle><expr type="meta"><dreg>1</dreg><key>iifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x65000000</data2><data3>0x00306874</data3></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/63-rule-real.xml b/tests/xmlfiles/63-rule-real.xml index baa13a7..f2a36f4 100644 --- a/tests/xmlfiles/63-rule-real.xml +++ b/tests/xmlfiles/63-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>25</handle><expr type="meta"><dreg>1</dreg><key>oif</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta oif lo counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>25</handle><expr type="meta"><dreg>1</dreg><key>oif</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000001</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/64-rule-real.xml b/tests/xmlfiles/64-rule-real.xml index 157773f..01a8708 100644 --- a/tests/xmlfiles/64-rule-real.xml +++ b/tests/xmlfiles/64-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>26</handle><expr type="meta"><dreg>1</dreg><key>oifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x65000000</data2><data3>0x00306874</data3></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta oifname "eth0" counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>26</handle><expr type="meta"><dreg>1</dreg><key>oifname</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>16</len><data0>0x00000000</data0><data1>0x00000000</data1><data2>0x65000000</data2><data3>0x00306874</data3></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/65-rule-real.xml b/tests/xmlfiles/65-rule-real.xml index 06c560b..2d59190 100644 --- a/tests/xmlfiles/65-rule-real.xml +++ b/tests/xmlfiles/65-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>27</handle><expr type="meta"><dreg>1</dreg><key>skuid</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x000003e8</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta skuid 1000 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>27</handle><expr type="meta"><dreg>1</dreg><key>skuid</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x000003e8</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/66-rule-real.xml b/tests/xmlfiles/66-rule-real.xml index 9a5b721..f9d9c5e 100644 --- a/tests/xmlfiles/66-rule-real.xml +++ b/tests/xmlfiles/66-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>28</handle><expr type="meta"><dreg>1</dreg><key>skgid</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x000003e8</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule ip filter output meta skgid 1000 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>28</handle><expr type="meta"><dreg>1</dreg><key>skgid</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x000003e8</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/67-rule-real.xml b/tests/xmlfiles/67-rule-real.xml index a3cbc2d..555139c 100644 --- a/tests/xmlfiles/67-rule-real.xml +++ b/tests/xmlfiles/67-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>29</handle><expr type="meta"><dreg>1</dreg><key>secmark</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule> -<!-- nft add rule ip filter output meta secmark 0 counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>29</handle><expr type="meta"><dreg>1</dreg><key>secmark</key></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>4</len><data0>0x00000000</data0></data_reg></cmpdata></expr><expr type="counter"><pkts>55</pkts><bytes>11407</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/68-rule-real.xml b/tests/xmlfiles/68-rule-real.xml index 7023e59..a0ff9ce 100644 --- a/tests/xmlfiles/68-rule-real.xml +++ b/tests/xmlfiles/68-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>32</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="lookup"><set>set0</set><sreg>1</sreg><dreg>0</dreg></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule> -<!-- nft add rule filter output tcp dport { 22, 23 } counter --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>32</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="lookup"><set>set0</set><sreg>1</sreg><dreg>0</dreg></expr><expr type="counter"><pkts>0</pkts><bytes>0</bytes></expr></rule></nftables> diff --git a/tests/xmlfiles/69-rule-real.xml b/tests/xmlfiles/69-rule-real.xml index dc2728e..e39e2cb 100644 --- a/tests/xmlfiles/69-rule-real.xml +++ b/tests/xmlfiles/69-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>33</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="lookup"><set>set1</set><sreg>1</sreg><dreg>0</dreg></expr></rule> -<!-- nft add rule ip filter output ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>33</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="lookup"><set>set1</set><sreg>1</sreg><dreg>0</dreg></expr></rule></nftables> diff --git a/tests/xmlfiles/70-rule-real.xml b/tests/xmlfiles/70-rule-real.xml index 64834d4..6edd166 100644 --- a/tests/xmlfiles/70-rule-real.xml +++ b/tests/xmlfiles/70-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>34</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="lookup"><set>map0</set><sreg>1</sreg><dreg>0</dreg></expr></rule> -<!-- nft add rule ip filter output tcp dport vmap { 22 => jump chain1, 23 => jump chain2, } --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>34</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="lookup"><set>map0</set><sreg>1</sreg><dreg>0</dreg></expr></rule></nftables> diff --git a/tests/xmlfiles/71-rule-real.xml b/tests/xmlfiles/71-rule-real.xml index e10437a..fba3af9 100644 --- a/tests/xmlfiles/71-rule-real.xml +++ b/tests/xmlfiles/71-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>35</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="lookup"><set>map1</set><sreg>1</sreg><dreg>0</dreg></expr></rule> -<!-- nft add rule ip filter output tcp dport vmap { 22 => accept, 23 => drop, } --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>35</handle><expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr><expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value"><len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr><expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr><expr type="lookup"><set>map1</set><sreg>1</sreg><dreg>0</dreg></expr></rule></nftables> diff --git a/tests/xmlfiles/72-rule-real.xml b/tests/xmlfiles/72-rule-real.xml index ccda1fe..aac8b85 100644 --- a/tests/xmlfiles/72-rule-real.xml +++ b/tests/xmlfiles/72-rule-real.xml @@ -1,2 +1 @@ -<rule><family>ip</family><table>filter</table><chain>output</chain><handle>36</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="lookup"><set>map2</set><sreg>1</sreg><dreg>0</dreg></expr></rule> -<!-- nft add rule ip filter output ip daddr vmap { 192.168.1.1 => accept, 192.168.1.2 => drop, } --> +<nftables><rule><family>ip</family><table>filter</table><chain>output</chain><handle>36</handle><expr type="payload"><dreg>1</dreg><offset>16</offset><len>4</len><base>network</base></expr><expr type="lookup"><set>map2</set><sreg>1</sreg><dreg>0</dreg></expr></rule></nftables> diff --git a/tests/xmlfiles/73-set.xml b/tests/xmlfiles/73-set.xml index 88bf402..6a9323a 100644 --- a/tests/xmlfiles/73-set.xml +++ b/tests/xmlfiles/73-set.xml @@ -1,2 +1 @@ -<set><family>ip</family><table>filter</table><name>set0</name><flags>0</flags><key_type>0</key_type><key_len>0</key_len><data_type>0</data_type><data_len>0</data_len><set_elem><flags>0</flags><key><data_reg type="value"><len>4</len><data0>0x0300a8c0</data0></data_reg></key></set_elem><set_elem><flags>0</flags><key><data_reg type="value"><len>4</len><data0>0x0200a8c0</data0></data_reg></key></set_elem><set_elem><flags>0</flags><key><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></key></set_elem></set> -<!-- nft add rule ip filter test ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } tcp dport 443 counter accept --> +<nftables><set><family>ip</family><table>filter</table><name>set0</name><flags>0</flags><key_type>0</key_type><key_len>0</key_len><data_type>0</data_type><data_len>0</data_len><set_elem><flags>0</flags><key><data_reg type="value"><len>4</len><data0>0x0300a8c0</data0></data_reg></key></set_elem><set_elem><flags>0</flags><key><data_reg type="value"><len>4</len><data0>0x0200a8c0</data0></data_reg></key></set_elem><set_elem><flags>0</flags><key><data_reg type="value"><len>4</len><data0>0x0100a8c0</data0></data_reg></key></set_elem></set></nftables> diff --git a/tests/xmlfiles/74-set.xml b/tests/xmlfiles/74-set.xml index 5b6e8f1..5f0e7ae 100644 --- a/tests/xmlfiles/74-set.xml +++ b/tests/xmlfiles/74-set.xml @@ -1,2 +1 @@ -<set><family>ip6</family><table>filter</table><name>set0</name><flags>0</flags><key_type>0</key_type><key_len>0</key_len><data_type>0</data_type><data_len>0</data_len><set_elem><flags>0</flags><key><data_reg type="value"><len>16</len><data0>0xc09a002a</data0><data1>0x2700cac1</data1><data2>0x00000000</data2><data3>0x70010000</data3></data_reg></key></set_elem><set_elem><flags>0</flags><key><data_reg type="value"><len>16</len><data0>0xc09a002a</data0><data1>0x2700cac1</data1><data2>0x00000000</data2><data3>0x50010000</data3></data_reg></key></set_elem></set> -<!-- nft add rule ip6 filter test ip6 daddr { 2a00:9ac0:c1ca:27::150, 2a00:9ac0:c1ca:27::170, } counter accept --> +<nftables><set><family>ip6</family><table>filter</table><name>set0</name><flags>0</flags><key_type>0</key_type><key_len>0</key_len><data_type>0</data_type><data_len>0</data_len><set_elem><flags>0</flags><key><data_reg type="value"><len>16</len><data0>0xc09a002a</data0><data1>0x2700cac1</data1><data2>0x00000000</data2><data3>0x70010000</data3></data_reg></key></set_elem><set_elem><flags>0</flags><key><data_reg type="value"><len>16</len><data0>0xc09a002a</data0><data1>0x2700cac1</data1><data2>0x00000000</data2><data3>0x50010000</data3></data_reg></key></set_elem></set></nftables> diff --git a/tests/xmlfiles/76-rule-meta_target.xml b/tests/xmlfiles/76-rule-meta_target.xml index 0c48ca5..970de61 100644 --- a/tests/xmlfiles/76-rule-meta_target.xml +++ b/tests/xmlfiles/76-rule-meta_target.xml @@ -1 +1 @@ -<rule><family>ip6</family><table>filter</table><chain>test</chain><handle>129</handle><expr type="meta"><key>mark</key><sreg>1</sreg></expr></rule> +<nftables><rule><family>ip6</family><table>filter</table><chain>test</chain><handle>129</handle><expr type="meta"><key>mark</key><sreg>1</sreg></expr></rule></nftables> |