Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* src: consolidate netlink build header function (Pablo Neira Ayuso, 2013-11-24, 13 files, -115/+48)
  Add new function nft_nlmsg_build_hdr which consolidates all existing functions to build headers per object. They basically look the same. This patch still provides aliases for consistency in the naming approach.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix possible clash in ifdef namespace (Pablo Neira Ayuso, 2013-11-24, 7 files, -20/+20)
  Use _LIBNFTABLES_ prefix to avoid possible clash with headers that are defined in other libraries that may be used by third party applications.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add unit tests for libnftables (Ana Rey, 2013-11-20, 22 files, -1/+2122)
  These tests create an initial object 'a' whose attributes are set to arbitrary values. Then, that object is converted to a Netlink message which is parsed to obtain the object 'b'. If things go well, the original object 'a' and the transformed object 'b' should be equivalent. Thus, we make sure that object transformations through the main library APIs are correct.
  These tests have helped to catch the following bugs in this library:
    (3cf788a72 expr: fix leak in target and match expressions)
    (4182e574f expr: match: fix wrong flag setting in nft_rule_expr_match_parse)
    (0bec6bc5e expr: log: release prefix)
    (2b690deea expr: log: fix missing \0 when sending log prefix to kernel)
    (e55c7afcf expr: target: fix wrong info length in nft_rule_expr_target_parse)
    (8fc4d4bd2 expr: log: fix wrong attribute type in nft_rule_expr_log_parse)
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table/chain: add u8 setter and getter for family values (Ana Rey, 2013-11-20, 5 files, -0/+34)
  These are needed to set the family value for chain and table.
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix wrong attribute type in nft_rule_expr_log_parse (Ana Rey, 2013-11-19, 1 file, -1/+1)
  I fixed it by using the correct value.
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Acked-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: target: fix wrong info length in nft_rule_expr_target_parse (Ana Rey, 2013-11-19, 1 file, -1/+1)
  If I run my automatic unit test of libnftable, it shows:
    ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36
  The problem was in nft_rule_expr_target_parse function. With the attached patch, we use mnl_attr_get_payload_len() instead of mnl_attr_get_len().
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix missing \0 when sending log prefix to kernel (Ana Rey, 2013-11-19, 1 file, -1/+1)
  If I run my automatic unit test for libnftables, it shows:
    "ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
    a: test
    b: test
            ^^ garbage
  The problem was in nft_rule_expr_log_build function. With the attached patch, we use mnl_attr_put_strz() instead of mnl_attr_put_str() as in other functions in the library.
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: release prefix (Pablo Neira Ayuso, 2013-11-18, 1 file, -0/+8)
  Ana Rey reported a leak in the log expression. Fix it by using the new .free interface added in (3cf788a expr: fix leak in target and match expressions).
  Reported-by: Ana Rey Botello <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: match: fix wrong flag setting in nft_rule_expr_match_parse (Pablo Neira Ayuso, 2013-11-18, 1 file, -3/+3)
  Expression flags were incorrectly set.
  Reported-by: Ana Rey Botello <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix make distcheck (Pablo Neira Ayuso, 2013-11-18, 4 files, -2/+5)
  Fix missing files that were not included in the tarball that distcheck generates. This also includes AC_EXEEXT, otherwise configure complains about undefined CHECK_GCC_FVISIBILITY.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix leak in target and match expressions (Pablo Neira Ayuso, 2013-11-18, 4 files, -0/+20)
  Release internal data area for match and target expressions.
    ==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==30104==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
    ==30104==    by 0x400C2F: main (nft-expr_match-test.c:65)
  Reported-by: Ana Rey Botello <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unify parse and output types (Álvaro Neira Ayuso, 2013-11-14, 44 files, -245/+207)
  Unify parse and output types that are redundant to all existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT] are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: json: remove rule flags in ruleset test file (Álvaro Neira Ayuso, 2013-11-14, 1 file, -1/+1)
  It should have been done in (2cba099 rule: remove NFT_RULE_ATTR_FLAGS).
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix reference to undefined symbol (Arturo Borrero, 2013-11-08, 1 file, -4/+4)
  Kill reference to undefined symbol.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve build errors in dependent programs (Jan Engelhardt, 2013-11-05, 6 files, -0/+9)
  The headers do not compile standalone which may cause compilation problems to third party programs.
    $ gcc -x c -Wall -c *.h
    chain.h:62:35: error: unknown type name ‘size_t’
    expr.h:40:39: error: unknown type name ‘size_t’
    rule.h:60:34: error: unknown type name ‘size_t’
    ruleset.h:20:1: error: unknown type name ‘bool’
    ruleset.h:20:59: error: unknown type name ‘uint16_t’
    ruleset.h:21:52: error: unknown type name ‘uint16_t’
    ruleset.h:22:50: error: unknown type name ‘uint16_t’
    ruleset.h:23:63: error: unknown type name ‘uint16_t’
    ruleset.h:39:37: error: unknown type name ‘size_t’
    ruleset.h:39:80: error: unknown type name ‘uint32_t’
    ruleset.h:39:95: error: unknown type name ‘uint32_t’
    set.h:40:33: error: unknown type name ‘size_t’
    set.h:110:38: error: unknown type name ‘size_t’
    table.h:50:35: error: unknown type name ‘size_t’
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve automake 1.12 warning (Jan Engelhardt, 2013-11-05, 1 file, -0/+1)
    ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix a build issue on header inclusion in internal.h (Tomasz Bursztyka, 2013-11-05, 1 file, -0/+1)
  Fixes:
    In file included from utils.c:11:0:
    ./internal.h:93:17: error: unknown type name 'FILE'
     int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags,
                     int (*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type, uint32_t flags));
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: report compilation without support (Arturo Borrero, 2013-11-03, 1 file, -2/+2)
  Print a message when there is no support for some parser. Remove those EOPNOTSUPPs because they are unused.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: report errors building XML tree (Arturo Borrero, 2013-11-03, 1 file, -2/+8)
  Report error when building XML tree.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: fix memleak in XML testing (Arturo Borrero, 2013-11-03, 1 file, -0/+2)
  Ensure the tree is freed when done.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: return EXIT_FAILURE if some error was found (Arturo Borrero, 2013-11-03, 1 file, -4/+11)
  Before this patch, 0 was returned unconditionally.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fprintf API functions (Arturo Borrero, 2013-11-03, 14 files, -0/+317)
  Now it's possible to print directly from libnftables to a file or other stream. The caller must explicitly print the trailing '\n' in this call.
  The error reporting of fprintf (< 0) is respected. However, we have already printed some information in case that the default (plain text) output is used; that output is mostly intended for debugging so it should not be a problem.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: refactorize json/xml tagging (Arturo Borrero, 2013-11-03, 1 file, -53/+54)
  This factorization of JSON/XML open & close tags allows reusing code in future patches (for example, the fprintf API functions).
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xml: fix truncated ruleset testfile (Arturo Borrero, 2013-10-28, 1 file, -1/+1)
  Give a new XML ruleset testfile. For some reason patchwork has truncated the file? This should have been fixed in (b7c39a7 test: xml: fix malformed ruleset testfile).
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix missing struct nlmsghdr without definition (Pablo Neira Ayuso, 2013-10-27, 4 files, -0/+8)
  The definition of this structure belongs to the scope of linux/netlink.h.
  Based on patch from Jan Engelhardt.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix possible null pointer dereference in nft_*_attr_get_* (Phil Oester, 2013-10-27, 2 files, -8/+8)
  As reported by John Sager, nft_set_attr_get_u32 can cause a segfault because nft_set_attr_get can return NULL. Check for a non-NULL pointer before dereferencing.
  This closes netfilter bugzilla #868.
  [ I have mangled this patch to solve possible null pointer dereference with get operations with rule objects --pablo ]
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update to fit latest limit changes (Arturo Borrero, 2013-10-27, 2 files, -2/+2)
  Update tests to fit the latest limit changes in commit [e91ea14] (expr: limit: operational limit match).
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add reject (Pablo Neira Ayuso, 2013-10-27, 3 files, -0/+219)
  This patch adds support for the reject expression.
  Tested-by: Jiri Benc <jbenc@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove NFT_RULE_ATTR_FLAGS (Pablo Neira Ayuso, 2013-10-27, 97 files, -120/+97)
  This is a leftover from the time we had per rule flags, obsoleted by the new rule batching approach. Kill it as it is unused.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: xml: fix malformed ruleset testfile (Arturo Borrero, 2013-10-27, 1 file, -1/+1)
  Give a new XML ruleset testfile. For some reason, the previous was truncated. This passed silently as nft-parsing-test is not reporting some errors properly.
  This new file provides:
    * 2 tables
    * 3 chains
    * 2 sets, with and without maps
    * 3 rules with mixed exprs
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: s/seconds/second/ (Florian Westphal, 2013-10-22, 1 file, -1/+1)
  My fault, spotted by Phil Oester.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: limit: avoid huge rodata array (Pablo Neira Ayuso, 2013-10-22, 1 file, -8/+13)
  commit 10e0890e ('src: operational limit match') creates huge array, increasing libnftables binary size. Use switch statement instead.
  Based on patch from Florian Westphal, for nft.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: operational limit match (Phil Oester, 2013-10-22, 3 files, -25/+32)
  The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue.
  A few notes on the implementation:
    - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level??
    - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit.
    - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match.
  This closes netfilter bugzilla #827, reported by Eric Leblond.
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix access after free in case of parsing errors (Pablo Neira Ayuso, 2013-10-21, 1 file, -1/+3)
  If this fails to parse a set element, stop the processing.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: remove spaces (Álvaro Neira Ayuso, 2013-10-17, 73 files, -143/+139)
  Remove all the spaces from the JSON output to reduce the size of the output string; this also provides a consistent output in table, chain, rule and set.
  As Stephen Hemminger suggested, better to squash the output to consume as few bytes as possible.
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: fix compilation warning (Pablo Neira Ayuso, 2013-10-02, 1 file, -0/+1)
  Due to missing calloc definition in stdlib.h, spotted by gcc-4.8.
  Reported-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add low-level ruleset API (Arturo Borrero, 2013-10-01, 13 files, -5/+925)
  This patch adds a low level ruleset API for libnftables.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: json: fix returned string length (Pablo Neira Ayuso, 2013-09-27, 1 file, -0/+2)
  Similar to (e7c068d rule: json: fix returned string length).
  Based on patch from Arturo.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: snprintf: fix buffer lengths (Arturo Borrero, 2013-09-27, 5 files, -45/+45)
  Use 'len' instead of 'size' since we need the remaining unused bytes in the buffer, not its total size.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: xml: avoid code duplication (Arturo Borrero, 2013-09-27, 1 file, -23/+9)
  This patch removes 3x code duplication in the XML snprintf function.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: json: fix returned string length (Alvaro Neira Ayuso, 2013-09-25, 1 file, -1/+3)
  It was returning one byte more than the real string length.
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-get: retrieve all sets per family (Pablo Neira Ayuso, 2013-09-24, 1 file, -5/+6)
  Like other nftables objects, this patch allows you to dump the sets per family.
  This is possible since kernel changes (netfilter: nf_tables: allow to dump all existing sets); we can get the full list of sets per family.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: json: fix wrong indentation in nft_rule_snprintf_json (Pablo Neira Ayuso, 2013-09-24, 1 file, -7/+7)
  Cosmetic cleanup.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: get rid of NFTA_RULE_FLAGS (Pablo Neira Ayuso, 2013-09-24, 2 files, -16/+0)
  It has been removed after (netfilter: nf_tables: all rule updates are transactional).
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace size_t by uint32_t in set/get interfaces (Pablo Neira Ayuso, 2013-09-19, 22 files, -52/+52)
  This patch breaks the ABI to shrink the size parameter from 8 to 4 bytes in x86_64. The maximum length of netlink attributes is 2 bytes, so 4 bytes as attribute payload length should be enough.
  After this patch, size_t is only used in the nft_*_snprintf interfaces.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: don't put NFTA_RULE_EXPRESSION into messages (Pablo Neira Ayuso, 2013-09-17, 1 file, -4/+6)
  If there are no expressions in this rule, skip the NFTA_RULE_EXPRESSION attribute, otherwise it will be empty.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_del (Pablo Neira Ayuso, 2013-09-17, 8 files, -1/+25)
  This allows us to delete object from the list, note that nft_chain_list_del already existed.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix build error (Arturo Borrero Gonzalez, 2013-09-16, 1 file, -0/+4)
  This declaration was missing and is needed in case you compile libnftables without XML parsing support.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: refactor XML parsing code (Arturo Borrero Gonzalez, 2013-09-16, 7 files, -105/+122)
  This patch refactors nft_*_xml_parse to provide a new intermediate function nft_mxml_parse_* which will allow us to navigate an entire XML tree containing a ruleset without xml2text2xml conversions.
  While at it, I added a helper to build the XML tree and validate the top node name.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* src: xml: avoid unnecessary tree to text to tree conversions (Arturo Borrero Gonzalez, 2013-09-16, 3 files, -195/+50)
  This patch avoids several tree to text to tree conversions in the XML parsing helpers.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>