| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Add the set ID (u32) which allows us to uniquely identify the set
in the batch that is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When _snprintf() reports it would print n characters, that n doesn't include
the trailing \0 that snprintf adds.
Thus, we need to [re]allocate n+1 characters.
While at it, change the reallocation trigger. If the length of the buffer we
used is equals to the expanded string length, the output has been truncated.
In other words, if ret == bufsiz, then the trailing \0 is missing.
Also, check if _snprintf() returned < 0, which means an error ocurred.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to store in 'offset' the complete amount of characters as returned
from _snprintf. The value means how many characters long needs the buffer to be
in order to store the corresponding string expansion.
Before this patch, in cases where the buffer is smaller than the
expansion, then ret > len, and therefore ret = len.
So when incrementing offset, we do it with a wrong value.
All previous versions of libnftnl are unable to handle this situations: small
buffers (or long string expansion).
BTW, if a caller must reallocate a buffer to the returned value of snprintf, it
should be ret + 1.
While at it, let's add a check to know if the last snprintf call failed.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
These calls need to use the new buffer size, instead of the
size that the buffer originally had.
Bugs introduced by myself at dec68741 [data_reg: fix verdict format approach].
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This snprintf call is taking an erroneous value for size.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
|
|
|
|
|
|
|
|
| |
We can't unconditionally print out these strings.
Before this patch, objects being printed will be treated as an 'unkown' event.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
# ./nft-events xml
<event><type>new</type><chain><name>xxx</name><handle>9</handle><bytes>0</bytes><packets>0</packets><table>test</table><family>ip</family></chain></event>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Reported-by: Kevin Fenzi <kevin@scrye.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Let's use the new event wrappers in the events example.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch uses the flag option of each output function to print an
event wrapper string in each object.
In order to use this functionality, the caller must pass the
corresponding flags: NFT_OF_EVENT_NEW / NFT_OF_EVENT_DEL.
(I have slightly refactorized the original code to add the xml/json
header and footer --pablo).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Reported-by: Kevin Fenzi <kevin@scrye.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add support for dedicated bridge meta key, related to device names:
- NFT_META_BRI_IIFNAME
- NFT_META_BRI_OIFNAME
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CC chain.lo
../../src/chain.c: In function 'nft_hooknum2str':
../../src/chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)
../../src/chain.c:53:7: note: each undeclared identifier is reported only once for each function it appears in
make[3]: *** [chain.lo] Error 1
make[3]: se sale del directorio `/home/pablo/devel/scm/git-netfilter/libnftnl/libnftnl-1.0.1/_build/src'
make[2]: *** [all-recursive] Error 1
make[2]: se sale del directorio `/home/pablo/devel/scm/git-netfilter/libnftnl/libnftnl-1.0.1/_build'
make[1]: *** [all] Error 2
make[1]: se sale del directorio `/home/pablo/devel/scm/git-netfilter/libnftnl/libnftnl-1.0.1/_build'
make: *** [distcheck] Error 1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind reports the following invalid read:
$ sudo valgrind ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json
==26664== Memcheck, a memory error detector
==26664== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==26664== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==26664== Command: ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json
==26664==
==26664== Invalid read of size 8
==26664== at 0x4E45490: nft_rule_expr_lookup_set (lookup.c:50)
==26664== by 0x4E40B04: nft_rule_expr_set (expr.c:73)
==26664== by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157)
==26664== by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206)
==26664== by 0x4E3B719: nft_jansson_parse_rule (rule.c:606)
==26664== by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312)
==26664== by 0x401479: test_json (nft-parsing-test.c:129)
==26664== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26664== by 0x400EBB: main (nft-parsing-test.c:332)
==26664== Address 0x5c34d40 is 0 bytes inside a block of size 5 alloc'd
==26664== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26664== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664==
==26664== Invalid read of size 8
==26664== at 0x4E45497: nft_rule_expr_lookup_set (lookup.c:50)
==26664== by 0x4E40B04: nft_rule_expr_set (expr.c:73)
==26664== by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157)
==26664== by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206)
==26664== by 0x4E3B719: nft_jansson_parse_rule (rule.c:606)
==26664== by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312)
==26664== by 0x401479: test_json (nft-parsing-test.c:129)
==26664== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26664== by 0x400EBB: main (nft-parsing-test.c:332)
==26664== Address 0x5c34d48 is 3 bytes after a block of size 5 alloc'd
==26664== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26664== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
Signed-off-by: Ana Rey <anarey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind reports the following memory leak:
valgrind --leak-check=full ./nft-parsing-test -f jsonfiles/63-set.json
==7131== HEAP SUMMARY:
==7131== in use at exit: 2 bytes in 1 blocks
==7131== total heap usage: 155 allocs, 154 frees, 6,497 bytes allocated
==7131==
==7131== 2 bytes in 1 blocks are definitely lost in loss record 1 of 1
==7131== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==7131== by 0x590B829: strdup (strdup.c:42)
==7131== by 0x4E4341A: nft_data_reg_json_parse (data_reg.c:55)
==7131== by 0x4E4093A: nft_jansson_data_reg_parse (jansson.c:231)
==7131== by 0x4E40A1B: nft_jansson_et_elem_parse (jansson.c:257)
==7131== by 0x4E3CECA: nft_jansson_parse_set (set.c:398)
==7131== by 0x4E3EC65: nft_ruleset_do_parse (ruleset.c:263)
==7131== by 0x401479: test_json (nft-parsing-test.c:129)
==7131== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==7131== by 0x400EBB: main (nft-parsing-test.c:332)
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind reports the following invalid read:
$ sudo valgrind --leak-check=full ./nft-parsing-test -f ../jsonfiles/35-rule-target.json
( and similar result with jsonfiles/29-rule-match.json file)
==26018== Invalid read of size 8
==26018== at 0x4E484E3: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a60 is 0 bytes inside a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 8
==26018== at 0x4E484ED: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a68 is 4 bytes after a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 8
==26018== at 0x4E484F5: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a70 is 12 bytes after a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 4
==26018== at 0x4E484FD: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a78 is 20 bytes after a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Free nft_parse_err struct when there is an error in execute_test function.
It solves the following memory leak shown by valgrind.
==7845== 24 bytes in 1 blocks are still reachable in loss record 1 of 2
==7845== at 0x4C29590: calloc (vg_replace_malloc.c:618)
==7845== by 0x401740: execute_test_file (nft-parsing-test.c:249)
==7845== by 0x400EBB: main (nft-parsing-test.c:330)
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Add new command-line argument "-f <file>" to check a json or xml
testfile.
./nft-parsing-test -f <file> Check this testfile.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New tools to updata testfiles when the structure of xml or json files
are changed.
It adds a new command-line argument in nft-parsing-test.
With nft-parsing-test -u <directory>, you can update test files in
<directory> with a new structure of xml or json file.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It deletes the immediatedata label in the structure of json and xml file.
Example of the old structure of xmlfile:
<nftables>
<rule>
<family>ip</family>
<table>filter</table>
<chain>input</chain>
<handle>32</handle>
<expr type="immediate">
<dreg>0</dreg>
<immediatedata>
<data_reg type="verdict">
<verdict>accept</verdict>
</data_reg>
</immediatedata>
</expr>
</rule>
</nftables>
Example of the new structure of xmlfile:
<nftables>
<rule>
<family>ip</family>
<table>filter</table>
<chain>input</chain>
<handle>32</handle>
<expr type="immediate">
<dreg>0</dreg>
<data_reg type="verdict">
<verdict>accept</verdict>
</data_reg>
</expr>
</rule>
</nftables>
To generate the new testfiles, It use the option -u of nft-parsing-test
script.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It delete the cmpdata label in the structure of json and xml file.
Example of xmlfile:
The old structure of xml file:
[...]
<expr type="cmp">
<sreg>1</sreg>
<op>eq</op>
<cmpdata>
<data_reg type="value">
<len>4</len>
<data0>0x0100a8c0</data0>
</data_reg>
</cmpdata>
</expr>
The new structure of json file:
[...]
<expr type="cmp">
<sreg>1</sreg>
<op>eq</op>
<data_reg type="value">
<len>4</len>
<data0>0x0100a8c0</data0>
</data_reg>
</expr>
[...]
To generate the new testfiles, It use the option -u of nft-parsing-test
script.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Complete nft-events example by adding a basic set & set_elem event
notification.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you try to obtain an unset attribute, you hit an assertion error
that should not happen. Fix this by checking if the attribute is
unset, otherwise skip the assertion checking.
Now that we have that nft_assert takes the data parameter, we can also
validate if someone is using the setter passing NULL, which is illegal.
So let's add an assertion for that as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Lets obtain the family from the Netlink message.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use getopt_long to parse the command-line arguments and
prepare it to add new arguments in next patches.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This example doesn't exist anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
There is no function called 'nft_set_elem_nlmsg_parse()'
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This change allow us to parser the rule and the kernel
bail out if the rule is well-formed.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We print some attribute that maybe the user hasn't defined
for printing. We can't assume that the user want to print
some attribute that we have put mandatory in the rules.
Example:
If we have defined family, the output is like that:
{"rule":{"family":"ip","handle":4...
<rule><family>ip</family><handle>4</handle>...
And this if we unset the family.
{"rule":{"handle":4...
<rule><handle>4</handle>...
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removed this code because with that we have a strange
output. Example:
we have a rule with handle 4 and we execute
nft-rule-del ip filter input 4
Output: unknown filter input 4 0
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Merged the example for inserting rules and fixed for using
the correct header.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Fix the example for deleting rules. Before this patch,
the program tried to delete the rule without using
the correct header.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This allows us to manipulate the user data area of the rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
We have to check if mnl_attr_parse() returns an error, which means that it
failed to validate and retrieve the attributes.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
The nft_mnl_batch_talk() is overly complicated for a simple example
that just adds one single rule. Simplify this to prepare the merge
of nft-rule-insert, which looks very similar.
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This fixes assertions in the test files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds two functions that allows you to validate the size
of the attribute. This new functions provide a replacement for
nft_rule_attr_set and nft_rule_attr_get.
The data_len parameter was already passed to the {_set|_get} funcion
in expressions. For consistency, add nft_rule_expr_{set|get}_data
alias.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This will be used to validate that the size is correct according
to the expected attribute size.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This allows us to remove the default case in the switch, which
show help to spot missing attribute support since gcc will spot
a compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This got lost in 29fd6a1df9 when merging major changes in master
to next-3.14.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
For some reason this was only printed in custom chains. Print it for
any chain, this is useful for debugging purposes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch includes changes to adapt this branch to the library
rename that happened in the master branch.
Conflicts:
src/Makefile.am
src/expr/cmp.c
src/expr/ct.c
src/expr/data_reg.c
src/expr/meta.c
tests/jsonfiles/01-table.json
tests/jsonfiles/02-table.json
tests/jsonfiles/64-ruleset.json
tests/xmlfiles/01-table.xml
tests/xmlfiles/02-table.xml
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes the following compilation warning when compiling with old
kernel headers.
CC expr/target.lo
expr/target.c: In function ‘nft_rule_expr_target_build’:
expr/target.c:127: warning: implicit declaration of function ‘__ALIGN_KERNEL’
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes:
/usr/local/include/libnftnl/common.h:25:49: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:25:63: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:26:10: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:26:25: error: unknown type name ‘uint32_t’
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If no xml/json support is explicitly enabled, the final report
does not show "no". This patch fixes this:
libnftnl configuration:
XML support: no
JSON support: no
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
2.6.32 headers in /usr/include/linux again.
Ship a copy of x_tables.h from Linux 3.11.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|