summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* ruleset: fix compilation warningPablo Neira Ayuso2013-10-021-0/+1
| | | | | | | Due to missing calloc definition in stdlib.h, spotted by gcc-4.8. Reported-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add low-level ruleset APIArturo Borrero2013-10-0113-5/+925
| | | | | | | | This patch adds a low level ruleset API for libnftables. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: json: fix returned string lengthPablo Neira Ayuso2013-09-271-0/+2
| | | | | | | | Similar to (e7c068d rule: json: fix returned string length). Based on patch from Arturo. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: snprintf: fix buffer lengthsArturo Borrero2013-09-275-45/+45
| | | | | | | | Use 'len' instead of 'size' since we need the remaining unused bytes in the buffer, not its total size. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: xml: avoid code duplicationArturo Borrero2013-09-271-23/+9
| | | | | | | This patch removes 3x code duplication in the XML snprintf function. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: json: fix returned string lengthAlvaro Neira Ayuso2013-09-251-1/+3
| | | | | | | It was returning one byte more than the real string length. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-get: retrieve all sets per familyPablo Neira Ayuso2013-09-241-5/+6
| | | | | | | | | | | Likewise other nftables objects, this patch allows you to dump the sets per family. This is possible since kernel changes (netfilter: nf_tables: allow to dump all existing sets), we can get the full list of sets per family. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: json: fix wrong indentation in nft_rule_snprintf_jsonPablo Neira Ayuso2013-09-241-7/+7
| | | | | | Comestic cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: get rid of NFTA_RULE_FLAGSPablo Neira Ayuso2013-09-242-16/+0
| | | | | | | It has been removed after (netfilter: nf_tables: all rule updates are transactional). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace size_t by uint32_t in set/get interfacesPablo Neira Ayuso2013-09-1922-52/+52
| | | | | | | | | | | | This patch breaks the ABI to shrink the size parameter from 8 to 4 bytes in x86_64. The maximum length of netlink attributes is 2 bytes, so 4 bytes as attribute payload length should be enough. After this patch, size_t is only used in the nft_*_snprintf interfaces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: don't put NFTA_RULE_EXPRESSION into messagesPablo Neira Ayuso2013-09-171-4/+6
| | | | | | | | If there are no expressions in this rule, skip the NFTA_RULE_EXPRESSION attribute, otherwise it will be empty. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_delPablo Neira Ayuso2013-09-178-1/+25
| | | | | | | This allows us to delete object from the list, note that nft_chain_list_del already existed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix build errorArturo Borrero Gonzalez2013-09-161-0/+4
| | | | | | | | This declaration was missing and is needed in case you compile libnftables without XML parsing support. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: refactor XML parsing codeArturo Borrero Gonzalez2013-09-167-105/+122
| | | | | | | | | | | This patch refactors nft_*_xml_parse to provide a new intermediate function nft_mxml_parse_* which will allow us to navigate an entire XML tree containing a ruleset without xml2text2xml conversions. While at it, I added a helper to build the XML tree and validate the top node name. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* src: xml: avoid unecessary tree to text to tree conversionsArturo Borrero Gonzalez2013-09-163-195/+50
| | | | | | | | This patch avoid several tree to text to tree conversions in the XML parsing helpers. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: add parsing optional/mandatory flagArturo Borrero Gonzalez2013-09-1624-130/+171
| | | | | | | | | | | Add an optional/mandatory flag to XML parsing. In some elements (ie regs), no flag is used because is always mandatory. DATA_NONE is created to indicate a non-parsed data_reg. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix compilation warningÁlvaro Neira Ayuso2013-09-151-0/+1
| | | | | Signed-off-by: Álvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: use real length when fetching attributesFlorian Westphal2013-09-141-2/+6
| | | | | | | | | | | | | NFTA_LOG_SNAPLEN is u32 and NFTA_LOG_QTHRESHOLD is u16. Without this, netlink messages from kernel fail mnl_validate step when QTHRESH or SNAPLEN was set. Also, nft_rule_expr_log_get must update data_length, else 'nft list' doesn't show log arguments (prefix, group ..) because the netlink message decoding uses nft_rule_expr_get_u16/32 etc. which validate the length, too. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: refactor json parsing to allow tree based navigationÁlvaro Neira Ayuso2013-09-134-44/+81
| | | | | | | | | | This patch refactors nft_*_json_parse to provide a new intermediate function nft_jansson_parse_chain which will allows us to navigate the entire json tree containing the ruleset. Signed-off-by: Álvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: use helper function nft_jansson_free_rootÁlvaro Neira Ayuso2013-09-131-2/+2
| | | | | Signed-off-by: Álvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: use human readable netfilter hookPablo Neira Ayuso2013-09-057-23/+49
| | | | | | | | | Since (108d9f6 src: Wrap netfilter hooks around human readable strings) in nft, we have to use human readable netfilter hooks. This patch also adapts the XML and JSON tests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-{chain,rule,table}-get allows unspec familyPablo Neira Ayuso2013-09-053-3/+9
| | | | | | To obtain any table, chain and rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: display configuration after ./configurePablo Neira Ayuso2013-09-051-2/+12
| | | | | | | | libnftables configuration: XML support: no JSON support: no Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: xml: fix key_type parsingArturo Borrero2013-09-051-1/+1
| | | | | | | Bug introduced by myself at 44928cd5 [set: add XML parsing] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: xml: fix parsing of optional attributesArturo Borrero2013-09-044-50/+46
| | | | | | | This patch fixes the parsing of custom chains in XML. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Add nft-set-json-addÁlvaro Neira Ayuso2013-08-282-0/+120
| | | | | Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: set: add json parsing supportÁlvaro Neira Ayuso2013-08-283-0/+13
| | | | | | | Test the functions for parsing set in JSON. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add json parser supportÁlvaro Neira Ayuso2013-08-284-0/+138
| | | | | | | Add function for parsing set in format JSON. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove unnecessary variable initializationÁlvaro Neira Ayuso2013-08-281-10/+10
| | | | | Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: s/nft_jansson_value_parse_reg/nft_jansson_parse_reg/gPablo Neira Ayuso2013-08-2411-26/+21
| | | | | | | | This patch is a cleanup to save LOC. I have also changed it to use < 0 to check for error conditions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: s/nft_jansson_value_parse_val/nft_jansson_parse_val/gPablo Neira Ayuso2013-08-2415-60/+37
| | | | | | | | This patch is a cleanup to save LOC. I have also changed it to use < 0 to check for error conditions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: s/nft_jansson_value_parse_str/nft_jansson_parse_str/gPablo Neira Ayuso2013-08-2417-31/+30
| | | | | | Remove _value_ infix to make the function name smaller. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: xml/json: support rule position attributeArturo Borrero2013-08-241-0/+32
| | | | | | | | Note that the position attr is optional as stated in net/netfilter/nf_tables_api.c Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify nft_*_parse input dataArturo Borrero Gonzalez2013-08-2211-20/+22
| | | | | | | Since the input string is not changing, let's make it constant. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Add nft-rule-json-addÁlvaro Neira Ayuso2013-08-202-0/+119
| | | | Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
* tests: rule: add json parsing supportÁlvaro Neira Ayuso2013-08-2043-0/+53
| | | | | | Test the functions for parsing rules in JSON. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
* rule: Add json parser supportÁlvaro Neira Ayuso2013-08-2022-2/+839
| | | | | | | Add function for parsing rules in JSON format Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: fix error path for nft_strtoiArturo Borrero2013-08-201-3/+4
| | | | | | | | If the return of nft_get_value() is not evaluated, we don't know if the parsed value is between the limits of its type. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix memory leaks in jansson testÁlvaro Neira Ayuso2013-08-171-2/+4
| | | | | | | Fixed a string leak and a jansson leak. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fixed some leaks in the json parsing functionÁlvaro Neira Ayuso2013-08-174-19/+42
| | | | | | | | | This patch fixes some leaks in the json parsing function. After this patch, we use nft_jansson_free_root. This function uses json_decref and it decrements the reference count and it releases the node if needed. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_get_u16 and nft_rule_expr_set_u16Pablo Neira Ayuso2013-08-173-0/+27
| | | | | | Now required since log has two u16 fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: group and qthreshold are 16 bits longPablo Neira Ayuso2013-08-151-13/+17
| | | | | | Since kernel patch: netfilter: nft_log: group and qthreshold are 2^16 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: xml: consolidate error pathPablo Neira Ayuso2013-08-141-45/+23
| | | | | | Save a good bunch of lines of code with this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: xml: use nft_mxml_str_parsePablo Neira Ayuso2013-08-141-19/+13
| | | | | | Replace existing code to use nft_mxml_str_parse. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: don't duplicate string in nft_table_xml_parsePablo Neira Ayuso2013-08-146-12/+7
| | | | | | | | | | | With this patch, nft_table_xml_parse does not duplicate the string anymore, which is what most callers seem to need. This fixes memleaks in several places in the code. Thus, this patch also adapts the code to duplicate it when needed. Based on patch from Arturo Borrero. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: release expressions that are part of rulesPablo Neira Ayuso2013-08-141-0/+5
| | | | | | | | | | | | ==11917== 96 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==11917== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==11917== by 0x4E3A46F: nft_rule_expr_alloc (expr.c:38) ==11917== by 0x4E3A331: nft_jansson_expr_parse (jansson.c:165) ==11917== by 0x4E36F66: nft_rule_json_parse (rule.c:542) ==11917== by 0x400EA4: main (nft-rule-json-add.c:68) Reported-by: Álvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix wrong node name in snprintfArturo Borrero2013-08-123-5/+5
| | | | | | | | | | | | | | This patch renames all <nat_type> nodes to <type> in nat expr. A bug is fixed, since the default option in snprintf was already <type>. This follows the pattern of avoid prefixing XML nodes. Note that this is mostly reverting what was done at: 31e34c3 (nat: xml: rename node type to nat_type). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: xml: delete <use> nodeArturo Borrero2013-08-124-5/+5
| | | | | | | | Since the 'use' attribute in a chain can't be set, ignore it in the XML printing. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xml: reorder XML elements in setsArturo Borrero2013-08-122-2/+2
| | | | | | | | Some node reorganization in order to have an input file equal to what set_snprintf will output. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xml: expr: limit: fix wrong assignation when parsingArturo Borrero2013-08-121-1/+1
| | | | | | | | | | This assignation was wrong. Introduced at commit e13819c (src: xml: consolidate common XML code via nft_mxml_num_parse). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>