summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* common: fix unconditional output of event wrapping stuffArturo Borrero2014-04-281-0/+3
| | | | | | | | | We can't unconditionally print out these strings. Before this patch, objects being printed will be treated as an 'unkown' event. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-events: add option how to format the printed eventsPablo Neira Ayuso2014-04-261-19/+41
| | | | | | | # ./nft-events xml <event><type>new</type><chain><name>xxx</name><handle>9</handle><bytes>0</bytes><packets>0</packets><table>test</table><family>ip</family></chain></event> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: include xml and json test files via make distcheckPablo Neira Ayuso2014-04-261-1/+3
| | | | | Reported-by: Kevin Fenzi <kevin@scrye.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-events: use new events wrappersArturo Borrero2014-04-261-15/+31
| | | | | | | Let's use the new event wrappers in the events example. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flag to add event wrapping in output functionsArturo Borrero2014-04-269-34/+224
| | | | | | | | | | | | | | This patch uses the flag option of each output function to print an event wrapper string in each object. In order to use this functionality, the caller must pass the corresponding flags: NFT_OF_EVENT_NEW / NFT_OF_EVENT_DEL. (I have slightly refactorized the original code to add the xml/json header and footer --pablo). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: include test-script.sh via make distcheckPablo Neira Ayuso2014-04-251-0/+2
| | | | | Reported-by: Kevin Fenzi <kevin@scrye.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Add support for input and output bridge interface nameTomasz Bursztyka2014-04-242-1/+7
| | | | | | | | | Add support for dedicated bridge meta key, related to device names: - NFT_META_BRI_IIFNAME - NFT_META_BRI_OIFNAME Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.0.1libnftnl-1.0.1Pablo Neira Ayuso2014-04-171-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add missing netfilter.hPablo Neira Ayuso2014-04-171-0/+2
| | | | | | | | | | | | | | | | CC chain.lo ../../src/chain.c: In function 'nft_hooknum2str': ../../src/chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function) ../../src/chain.c:53:7: note: each undeclared identifier is reported only once for each function it appears in make[3]: *** [chain.lo] Error 1 make[3]: se sale del directorio `/home/pablo/devel/scm/git-netfilter/libnftnl/libnftnl-1.0.1/_build/src' make[2]: *** [all-recursive] Error 1 make[2]: se sale del directorio `/home/pablo/devel/scm/git-netfilter/libnftnl/libnftnl-1.0.1/_build' make[1]: *** [all] Error 2 make[1]: se sale del directorio `/home/pablo/devel/scm/git-netfilter/libnftnl/libnftnl-1.0.1/_build' make: *** [distcheck] Error 1 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* lookup: Fix an invalid readAna Rey2014-04-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Valgrind reports the following invalid read: $ sudo valgrind ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json ==26664== Memcheck, a memory error detector ==26664== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==26664== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info ==26664== Command: ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json ==26664== ==26664== Invalid read of size 8 ==26664== at 0x4E45490: nft_rule_expr_lookup_set (lookup.c:50) ==26664== by 0x4E40B04: nft_rule_expr_set (expr.c:73) ==26664== by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157) ==26664== by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206) ==26664== by 0x4E3B719: nft_jansson_parse_rule (rule.c:606) ==26664== by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312) ==26664== by 0x401479: test_json (nft-parsing-test.c:129) ==26664== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==26664== by 0x400EBB: main (nft-parsing-test.c:332) ==26664== Address 0x5c34d40 is 0 bytes inside a block of size 5 alloc'd ==26664== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==26664== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== ==26664== Invalid read of size 8 ==26664== at 0x4E45497: nft_rule_expr_lookup_set (lookup.c:50) ==26664== by 0x4E40B04: nft_rule_expr_set (expr.c:73) ==26664== by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157) ==26664== by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206) ==26664== by 0x4E3B719: nft_jansson_parse_rule (rule.c:606) ==26664== by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312) ==26664== by 0x401479: test_json (nft-parsing-test.c:129) ==26664== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==26664== by 0x400EBB: main (nft-parsing-test.c:332) ==26664== Address 0x5c34d48 is 3 bytes after a block of size 5 alloc'd ==26664== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==26664== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26664== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) Signed-off-by: Ana Rey <anarey@gmail.com>
* set-elem: fix a memory leakAna Rey2014-04-161-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | Valgrind reports the following memory leak: valgrind --leak-check=full ./nft-parsing-test -f jsonfiles/63-set.json ==7131== HEAP SUMMARY: ==7131== in use at exit: 2 bytes in 1 blocks ==7131== total heap usage: 155 allocs, 154 frees, 6,497 bytes allocated ==7131== ==7131== 2 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==7131== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==7131== by 0x590B829: strdup (strdup.c:42) ==7131== by 0x4E4341A: nft_data_reg_json_parse (data_reg.c:55) ==7131== by 0x4E4093A: nft_jansson_data_reg_parse (jansson.c:231) ==7131== by 0x4E40A1B: nft_jansson_et_elem_parse (jansson.c:257) ==7131== by 0x4E3CECA: nft_jansson_parse_set (set.c:398) ==7131== by 0x4E3EC65: nft_ruleset_do_parse (ruleset.c:263) ==7131== by 0x401479: test_json (nft-parsing-test.c:129) ==7131== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==7131== by 0x400EBB: main (nft-parsing-test.c:332) Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* target, match: Fix an invalid readAna Rey2014-04-142-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Valgrind reports the following invalid read: $ sudo valgrind --leak-check=full ./nft-parsing-test -f ../jsonfiles/35-rule-target.json ( and similar result with jsonfiles/29-rule-match.json file) ==26018== Invalid read of size 8 ==26018== at 0x4E484E3: nft_rule_expr_target_set (target.c:46) ==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73) ==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185) ==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206) ==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606) ==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312) ==26018== by 0x401479: test_json (nft-parsing-test.c:129) ==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==26018== by 0x400EBB: main (nft-parsing-test.c:332) ==26018== Address 0x5c34a60 is 0 bytes inside a block of size 4 alloc'd ==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== ==26018== Invalid read of size 8 ==26018== at 0x4E484ED: nft_rule_expr_target_set (target.c:46) ==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73) ==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185) ==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206) ==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606) ==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312) ==26018== by 0x401479: test_json (nft-parsing-test.c:129) ==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==26018== by 0x400EBB: main (nft-parsing-test.c:332) ==26018== Address 0x5c34a68 is 4 bytes after a block of size 4 alloc'd ==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== ==26018== Invalid read of size 8 ==26018== at 0x4E484F5: nft_rule_expr_target_set (target.c:46) ==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73) ==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185) ==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206) ==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606) ==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312) ==26018== by 0x401479: test_json (nft-parsing-test.c:129) ==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==26018== by 0x400EBB: main (nft-parsing-test.c:332) ==26018== Address 0x5c34a70 is 12 bytes after a block of size 4 alloc'd ==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== ==26018== Invalid read of size 4 ==26018== at 0x4E484FD: nft_rule_expr_target_set (target.c:46) ==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73) ==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185) ==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206) ==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606) ==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312) ==26018== by 0x401479: test_json (nft-parsing-test.c:129) ==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270) ==26018== by 0x400EBB: main (nft-parsing-test.c:332) ==26018== Address 0x5c34a78 is 20 bytes after a block of size 4 alloc'd ==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291) ==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) ==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0) Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Fix a memory leakAna Rey2014-04-141-0/+2
| | | | | | | | | | | | | | Free nft_parse_err struct when there is an error in execute_test function. It solves the following memory leak shown by valgrind. ==7845== 24 bytes in 1 blocks are still reachable in loss record 1 of 2 ==7845== at 0x4C29590: calloc (vg_replace_malloc.c:618) ==7845== by 0x401740: execute_test_file (nft-parsing-test.c:249) ==7845== by 0x400EBB: main (nft-parsing-test.c:330) Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add support to check a json or xml testfileAna Rey2014-04-141-1/+47
| | | | | | | | | | Add new command-line argument "-f <file>" to check a json or xml testfile. ./nft-parsing-test -f <file> Check this testfile. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: New tools to update xml and json testfilesAna Rey2014-04-141-6/+36
| | | | | | | | | | | | | New tools to updata testfiles when the structure of xml or json files are changed. It adds a new command-line argument in nft-parsing-test. With nft-parsing-test -u <directory>, you can update test files in <directory> with a new structure of xml or json file. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xml, json: Delete an immediatedate label in xml and json fileAna Rey2014-04-1410-19/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It deletes the immediatedata label in the structure of json and xml file. Example of the old structure of xmlfile: <nftables> <rule> <family>ip</family> <table>filter</table> <chain>input</chain> <handle>32</handle> <expr type="immediate"> <dreg>0</dreg> <immediatedata> <data_reg type="verdict"> <verdict>accept</verdict> </data_reg> </immediatedata> </expr> </rule> </nftables> Example of the new structure of xmlfile: <nftables> <rule> <family>ip</family> <table>filter</table> <chain>input</chain> <handle>32</handle> <expr type="immediate"> <dreg>0</dreg> <data_reg type="verdict"> <verdict>accept</verdict> </data_reg> </expr> </rule> </nftables> To generate the new testfiles, It use the option -u of nft-parsing-test script. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xml, json: Delete a cmpdata label in xml and json fileAna Rey2014-04-1472-91/+77
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It delete the cmpdata label in the structure of json and xml file. Example of xmlfile: The old structure of xml file: [...] <expr type="cmp"> <sreg>1</sreg> <op>eq</op> <cmpdata> <data_reg type="value"> <len>4</len> <data0>0x0100a8c0</data0> </data_reg> </cmpdata> </expr> The new structure of json file: [...] <expr type="cmp"> <sreg>1</sreg> <op>eq</op> <data_reg type="value"> <len>4</len> <data0>0x0100a8c0</data0> </data_reg> </expr> [...] To generate the new testfiles, It use the option -u of nft-parsing-test script. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: complete nft-events exampleArturo Borrero2014-04-071-0/+60
| | | | | | | | Complete nft-events example by adding a basic set & set_elem event notification. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix bogus assertion for unset attributesPablo Neira Ayuso2014-04-075-18/+20
| | | | | | | | | | | | If you try to obtain an unset attribute, you hit an assertion error that should not happen. Fix this by checking if the attribute is unset, otherwise skip the assertion checking. Now that we have that nft_assert takes the data parameter, we can also validate if someone is using the setter passing NULL, which is illegal. So let's add an assertion for that as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: parse family from Netlink messageArturo Borrero2014-04-071-0/+3
| | | | | | | Lets obtain the family from the Netlink message. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Use getopt_long to parse the command-line arguments.Ana Rey2014-04-072-10/+51
| | | | | | | | Use getopt_long to parse the command-line arguments and prepare it to add new arguments in next patches. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: remove nft-rule-insert from Makefile.amPablo Neira Ayuso2014-03-281-3/+0
| | | | | | This example doesn't exist anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elems: delete unexisting exported symbolArturo Borrero2014-03-263-4/+0
| | | | | | | There is no function called 'nft_set_elem_nlmsg_parse()' Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: don't enforce attributes when parsingÁlvaro Neira Ayuso2014-03-171-41/+31
| | | | | | | | This change allow us to parser the rule and the kernel bail out if the rule is well-formed. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: don't print unset attributesÁlvaro Neira Ayuso2014-03-171-13/+79
| | | | | | | | | | | | | | | | | | | | We print some attribute that maybe the user hasn't defined for printing. We can't assume that the user want to print some attribute that we have put mandatory in the rules. Example: If we have defined family, the output is like that: {"rule":{"family":"ip","handle":4... <rule><family>ip</family><handle>4</handle>... And this if we unset the family. {"rule":{"handle":4... <rule><handle>4</handle>... Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-del: removed printf rule functionÁlvaro Neira Ayuso2014-03-081-4/+0
| | | | | | | | | | | | | Removed this code because with that we have a strange output. Example: we have a rule with handle 4 and we execute nft-rule-del ip filter input 4 Output: unknown filter input 4 0 Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-insert: fix and merge it to nft-rule-addÁlvaro Neira Ayuso2014-03-083-208/+12
| | | | | | | | Merged the example for inserting rules and fixed for using the correct header. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-del: fix missing batching headersÁlvaro Neira Ayuso2014-03-081-4/+39
| | | | | | | | | Fix the example for deleting rules. Before this patch, the program tried to delete the rule without using the correct header. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFT_RULE_ATTR_USERDATA supportPablo Neira Ayuso2014-02-273-2/+62
| | | | | | This allows us to manipulate the user data area of the rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check if netlink parsing failsArturo Borrero2014-02-276-11/+32
| | | | | | | | We have to check if mnl_attr_parse() returns an error, which means that it failed to validate and retrieve the attributes. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* example: nft-rule-add: simplify examplePablo Neira Ayuso2014-02-271-57/+29
| | | | | | The nft_mnl_batch_talk() is overly complicated for a simple example that just adds one single rule. Simplify this to prepare the merge of nft-rule-insert, which looks very similar.
* include: get linux/netfilter/nf_tables.h in sync with kernel headerPablo Neira Ayuso2014-02-271-1/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix wrong type in NFT_ATTR_*_FAMILYPablo Neira Ayuso2014-02-278-26/+26
| | | | | | This fixes assertions in the test files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_attr_{set|get}_data interfacePablo Neira Ayuso2014-02-2711-28/+212
| | | | | | | | | | | | This patch adds two functions that allows you to validate the size of the attribute. This new functions provide a replacement for nft_rule_attr_set and nft_rule_attr_get. The data_len parameter was already passed to the {_set|_get} funcion in expressions. For consistency, add nft_rule_expr_{set|get}_data alias. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add assertion infrastructure to validate attribute typesPablo Neira Ayuso2014-02-272-0/+20
| | | | | | | This will be used to validate that the size is correct according to the expected attribute size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: early attribute type validation in nft_*_attr_setPablo Neira Ayuso2014-02-278-11/+23
| | | | | | | | This allows us to remove the default case in the switch, which show help to spot missing attribute support since gcc will spot a compilation warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add conntrack label match supportFlorian Westphal2014-02-182-2/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: compile queue expression supportPablo Neira Ayuso2014-02-172-8/+14
| | | | | | | This got lost in 29fd6a1df9 when merging major changes in master to next-3.14. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: print usage counter for base chain via default output as wellPablo Neira Ayuso2014-02-111-4/+4
| | | | | | | For some reason this was only printed in custom chains. Print it for any chain, this is useful for debugging purposes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' into next-3.14Pablo Neira Ayuso2014-02-03217-1474/+2193
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch includes changes to adapt this branch to the library rename that happened in the master branch. Conflicts: src/Makefile.am src/expr/cmp.c src/expr/ct.c src/expr/data_reg.c src/expr/meta.c tests/jsonfiles/01-table.json tests/jsonfiles/02-table.json tests/jsonfiles/64-ruleset.json tests/xmlfiles/01-table.xml tests/xmlfiles/02-table.xml
| * include: add cached copy of linux/kernel.hPablo Neira Ayuso2014-01-221-0/+29
| | | | | | | | | | | | | | | | | | | | | | This fixes the following compilation warning when compiling with old kernel headers. CC expr/target.lo expr/target.c: In function ‘nft_rule_expr_target_build’: expr/target.c:127: warning: implicit declaration of function ‘__ALIGN_KERNEL’ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * include: add stdint.h to common.hArturo Borrero2014-01-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | This fixes: /usr/local/include/libnftnl/common.h:25:49: error: unknown type name ‘uint16_t’ /usr/local/include/libnftnl/common.h:25:63: error: unknown type name ‘uint16_t’ /usr/local/include/libnftnl/common.h:26:10: error: unknown type name ‘uint16_t’ /usr/local/include/libnftnl/common.h:26:25: error: unknown type name ‘uint32_t’ Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * build: fix final report after configurationPablo Neira Ayuso2014-01-211-6/+8
| | | | | | | | | | | | | | | | | | | | | | If no xml/json support is explicitly enabled, the final report does not show "no". This patch fixes this: libnftnl configuration: XML support: no JSON support: no Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * build: resolve compile error involving XT_EXTENSION_MAXNAMELENJan Engelhardt2014-01-211-0/+185
| | | | | | | | | | | | | | | | 2.6.32 headers in /usr/include/linux again. Ship a copy of x_tables.h from Linux 3.11. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * build: resolve build failure involving linux/netlink.hJan Engelhardt2014-01-211-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This was seen with a sufficiently-old /usr/include/linux (from Linux 2.6.32). In file included from common.c:10: /usr/include/linux/netlink.h:34: error: expected specifier-qualifier-list before 'sa_family_t' The solution is to include <linux/*> last of all system headers. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * build: Ensure pkg-config file provides the right informationsTomasz Bursztyka2014-01-201-4/+4
| | | | | | | | | | | | | | It's not -lnftables anymore but -lnftnl (among other details) Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * rename library to libnftnllibnftnl-1.0.0Pablo Neira Ayuso2014-01-2092-247/+247
| | | | | | | | | | | | We plan to use this library name for the higher layer library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * expr: ct: fix compilation warning when json/xml support is missingPablo Neira Ayuso2014-01-201-1/+1
| | | | | | | | | | | | | | CC expr/ct.lo expr/ct.c:194:12: warning: 'str2ctdir' defined but not used [-Wunused-function] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * ct: use a string with 'dir' attributeArturo Borrero2014-01-1812-22/+59
| | | | | | | | | | | | | | | | | | This patch implements a string to represent directions in the CT expression: * original (0) * reply (1) Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * data_reg: fix verdict format approachArturo Borrero2014-01-185-97/+110
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Patrick reports that the XML/JSON formats of the data_reg object are not accuarate. This patch updates these formats, so they are now as follow: * <data_reg type=value> with raw data (this doesn't change). * <data_reg type=verdict> with a concrete verdict (eg drop accept) and an optional <chain>, with destination. In XML: <data_reg type="verdict"> <verdict>goto</verdict> <chain>output</chain> </data_reg> In JSON: "data_reg" : { "type" : "verdict", "verdict" : "goto" "chain" : "output", } The default output format is updated to reflect these changes (minor collateral thing). When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN flag, a basic check for the chain not being NULL is done, instead of evaluating if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol is no longer used in the data_reg XML/JSON parsing zone. While at it, I updated the error reporting stuff regarding data_reg/verdict, in order to leave a consistent state in the library. A JSON testfile is updated as well. Reported-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>