summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* set: xml: data_type/data_len are optionalArturo Borrero2014-01-151-13/+20
| | | | | | | | | | Don't print data_type and data_len if they aren't set. Also, they are optional when parsing. Printing and parsing unconditionally leads to false values and other errors. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* update COPYINGPablo Neira Ayuso2014-01-151-4/+6
| | | | | | | It includes the new FSF office address. Reported-by: Kevin Fenzi <kevin@scrye.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix incorrect data type for several expression object fieldsPablo Neira Ayuso2014-01-105-11/+11
| | | | | | | | | This patch fixes the incorrect data type (from uint8_t to uint32_t) in several private data area of the expressions. It also cleans up this by translating several unsigned int to uint32_t. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft-parsing-test: use nft_ruleset_parse_file()Arturo Borrero2014-01-09112-338/+144
| | | | | | | | | | All testfiles are now enclosed in the corresponding top element, ie. * XML: <nftables>...</nftables> * JSON: {"nftables":[...]} Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add interface to parse from fileArturo Borrero2014-01-0915-2/+71
| | | | | | | | This patch adds a new API to parse rule-set expressed in XML/JSON from a file. A new enum nft_parse_input type is added for this purpose. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rework and generalize the build/parse systemArturo Borrero2014-01-099-72/+141
| | | | | | | | | | | The intention behind this patch is to prepare the introduction of the new API that will allow us to parse files that contain the rule-sets expressed in XML/JSON format. This adds the NFT_PARSE_BUFFER that indicates that the input is provided in a buffer, which is what we currently support. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add json parsing to APIArturo Borrero2014-01-084-5/+27
| | | | | | | | | Add missing support in the API function to parse a JSON set_elem. I've renamed the main JSON parsing function to prevent clashing. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mxml: add error reference of the top nodeArturo Borrero2014-01-081-2/+5
| | | | | | | We know the top node we are building. Let the user also know it. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: new error reporting approach for XML/JSON parsersÁlvaro Neira Ayuso2014-01-0645-417/+757
| | | | | | | | | | | | | | I have added a new structure for reporting some errors in parser that we can't cover with errno. In this patch, we have three errors that we can't cover with errno: NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input NFT_PARSE_EMISSINGNODE : Missing node in our input NFT_PARSE_EBADTYPE : Wrong type value in a node Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename the parameter tag to node_name in jansson functionÁlvaro Neira Ayuso2014-01-032-24/+28
| | | | | | | | I have changed this parameter for having consistence with the xml helper function. This patch is a cleanup. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: properly handle --without-{xml,json}-parsingDouglas Freed2013-12-231-4/+2
| | | | | | | | | | This patch fixes how --without-{xml,json}-parsing (and subsequently --with-{xml,json}-parsing=no) is handled. Prior to this, --without-{xml,json}-parsing actually resulted in libnftables being built with that parsing enabled. Signed-off-by: Douglas Freed <dwfreed@mtu.edu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update netlink.h to 3.13Tomasz Bursztyka2013-12-121-5/+84
| | | | | | | | Use kernel header from 3.13-rc upstream kernel, this includes documentation changes that were missing. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-add: use existing batch infrastructurePablo Neira Ayuso2013-12-102-110/+152
| | | | | | | | | | | | | | This patch reworks the existing example to add the rule: nft add rule ip filter input tcp dport 22 counter It uses the existing nfnl batching approach using the generic mnl netlink message batching infrastructure. It also removed the code that uses xtables compat code. Based on original patch by Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-target: fix deprecation warningArturo Borrero2013-11-303-4/+23
| | | | | | | | | This fixes the following warning: In file included from nft-expr_target-test.c:19:0: /usr/include/linux/netfilter_ipv4/ipt_LOG.h:4:2: warning: #warning "Please update iptables, this file will be removed soon!" [-Wcpp] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend test-script.sh to run XML and JSON testsArturo Borrero2013-11-301-0/+2
| | | | | | | Let's test the XML/JSON parsing with test-script.sh as well. Singed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate netlink build header functionPablo Neira Ayuso2013-11-2413-115/+48
| | | | | | | | | Add new function nft_nlmsg_build_hdr which consolidates all existing functions to build headers per object. They basically look the same. This patch still provides aliases for consistency in the naming approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix possible clash in ifdef namespacePablo Neira Ayuso2013-11-247-20/+20
| | | | | | | | Use _LIBNFTABLES_ prefix to avoid possible clash with headers that are defined in other libraries that may be used by third party applications. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add unit tests for libnftablesAna Rey2013-11-2022-1/+2122
| | | | | | | | | | | | | | | | | | | | | These tests create an initial object 'a' whose attributes are set to arbitrary values. Then, that object is converted to a Netlink message which is parsed to obtain the object 'b'. If things go well, the original object 'a' and the transformed object 'b' should be equivalent. Thus, we make sure that object transformations through the main library APIs are correct. These tests have helped to catch the following bugs in this library: (3cf788a72 expr: fix leak in target and match expressions) (4182e574f expr: match: fix wrong flag setting in nft_rule_expr_match_parse) (0bec6bc5e expr: log: release prefix) (2b690deea expr: log: fix missing \0 when sending log prefix to kernel) (e55c7afcf expr: target: fix wrong info length in nft_rule_expr_target_parse) (8fc4d4bd2 expr: log: fix wrong attribute type in nft_rule_expr_log_parse) Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table/chain: add u8 setter and getter for family valuesAna Rey2013-11-205-0/+34
| | | | | | | These are needed to set the family value for chain and table. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix wrong attribute type in nft_rule_expr_log_parseAna Rey2013-11-191-1/+1
| | | | | | | | I fixed it by using the correct value. Signed-off-by: Ana Rey <anarey@gmail.com> Acked-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: target: fix wrong info length in nft_rule_expr_target_parseAna Rey2013-11-191-1/+1
| | | | | | | | | | | | | If I run my automatic unit test of libnftable, It shows: ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36 The problem was in nft_rule_expr_target_parse function. With the attached patch, we use mnl_attr_get_payload_len() in instead of mnl_attr_get_len(). Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix missing \0 when sending log prefix to kernelAna Rey2013-11-191-1/+1
| | | | | | | | | | | | | | | | If I run my automatic unit test for libnftables, It shows: "ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches" a: test b: test ^^ garbage The problem was in nft_rule_expr_log_build function. With the attached patch, we use mnl_attr_put_strz() instead of mnl_attr_put_str() as in other functions in the library. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: release prefixPablo Neira Ayuso2013-11-181-0/+8
| | | | | | | | | Ana Rey reported a leak in the log expression. Fix it by using the new .free interface added in (3cf788a expr: fix leak in target and match expressions). Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: match: fix wrong flag setting in nft_rule_expr_match_parsePablo Neira Ayuso2013-11-181-3/+3
| | | | | | | Expression flags were incorrectly set. Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix make distcheckPablo Neira Ayuso2013-11-184-2/+5
| | | | | | | | | | Fix missing files that were not included in the tarball that distcheck generates. This also includes AC_EXEEXT, otherwise configure complains about undefined CHECK_GCC_FVISIBILITY. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix leak in target and match expressionsPablo Neira Ayuso2013-11-184-0/+20
| | | | | | | | | | | Release internal data area for match and target expressions. ==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==30104== by 0x400C2F: main (nft-expr_match-test.c:65) Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unify parse and output typesÁlvaro Neira Ayuso2013-11-1444-245/+207
| | | | | | | | | Unify parse and output types that are redundant to all existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT] are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML]. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: json: remove rule flags in ruleset test fileÁlvaro Neira Ayuso2013-11-141-1/+1
| | | | | | | | It should have been done in (2cba099 rule: remove NFT_RULE_ATTR_FLAGS). Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix reference to undefined symbolArturo Borrero2013-11-081-4/+4
| | | | | | | Kill reference to undefined symbol. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve build errors in dependent programsJan Engelhardt2013-11-056-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | The headers do not compile standalone which may cause compilation problems to third party programs. $ gcc -x c -Wall -c *.h chain.h:62:35: error: unknown type name ‘size_t’ expr.h:40:39: error: unknown type name ‘size_t’ rule.h:60:34: error: unknown type name ‘size_t’ ruleset.h:20:1: error: unknown type name ‘bool’ ruleset.h:20:59: error: unknown type name ‘uint16_t’ ruleset.h:21:52: error: unknown type name ‘uint16_t’ ruleset.h:22:50: error: unknown type name ‘uint16_t’ ruleset.h:23:63: error: unknown type name ‘uint16_t’ ruleset.h:39:37: error: unknown type name ‘size_t’ ruleset.h:39:80: error: unknown type name ‘uint32_t’ ruleset.h:39:95: error: unknown type name ‘uint32_t’ set.h:40:33: error: unknown type name ‘size_t’ set.h:110:38: error: unknown type name ‘size_t’ table.h:50:35: error: unknown type name ‘size_t’ Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve automake 1.12 warningJan Engelhardt2013-11-051-0/+1
| | | | | | | ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix a build issue on header inclusion in internal.hTomasz Bursztyka2013-11-051-0/+1
| | | | | | | | | | | | Fixes: In file included from utils.c:11:0: ./internal.h:93:17: error: unknown type name 'FILE' int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags, int (*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type, uint32_t flags)); Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: report compilation without supportArturo Borrero2013-11-031-2/+2
| | | | | | | | | Print a message when there is no support for some parser. Remove those EOPNOTSUPPs because they are unused. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: report errors building XML treeArturo Borrero2013-11-031-2/+8
| | | | | | | Report error when building XML tree. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: fix memleak in XML testingArturo Borrero2013-11-031-0/+2
| | | | | | | Ensure the tree is freed when done. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: return EXIT_FAILURE if some error was foundArturo Borrero2013-11-031-4/+11
| | | | | | | Before this patch, 0 was returned unconditionally. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fprintf API functionsArturo Borrero2013-11-0314-0/+317
| | | | | | | | | | | | | | Now it's possible to print directly from libnftables to a file or other stream. The caller must explicitly print the trailing '\n' in this call. The error reporting of fprintf (< 0) is respected. However, we have already print some information in case that the default (plain text) output is used, that output is mostly intended for debugging so it should not be a problem. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: refactorize json/xml taggingArturo Borrero2013-11-031-53/+54
| | | | | | | | This factorization of JSON/XML open & close tag allows reutilice code in future patches (for example, the fprintf API functions). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: xml: fix truncated ruleset testfileArturo Borrero2013-10-281-1/+1
| | | | | | | | | | | Give a new XML ruleset testfile. For some reason patchwork has truncated the file? This should have been fixed in (b7c39a7 test: xml: fix malformed ruleset testfile). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix missing struct nlmsghdr without definitionPablo Neira Ayuso2013-10-274-0/+8
| | | | | | | | | The definition of this structure belongs to the scope of linux/netlink.h. Based on patch from Jan Engelhardt. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix possible null pointer dereference in nft_*_attr_get_*Phil Oester2013-10-272-8/+8
| | | | | | | | | | | | | | As reported by John Sager, nft_set_attr_get_u32 can cause a segfault because nft_set_attr_get can return NULL. Check for a non-NULL pointer before dereferencing. This closes netfilter bugzilla #868. [ I have mangled this patch to solve possible null pointer dereference with get operations with rule objects --pablo ] Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update to fit latest limit changesArturo Borrero2013-10-272-2/+2
| | | | | | | | Update tests to fit the latest limit changes in commit [e91ea14] (expr: limit: operational limit match) Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add rejectPablo Neira Ayuso2013-10-273-0/+219
| | | | | | | This patch adds support for the reject expression. Tested-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove NFT_RULE_ATTR_FLAGSPablo Neira Ayuso2013-10-2797-120/+97
| | | | | | | This is a leftover from the time we had per rule flags, obsoleted by the new rule batching approach. Kill it as it is unused. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: xml: fix malformed ruleset testfileArturo Borrero2013-10-271-1/+1
| | | | | | | | | | | | | | Give a new XML ruleset testfile. For some reason, the previous was truncated. This passed silently as nft-parsing-test is not reporting some errors properly. This new file provides: * 2 tables * 3 chains * 2 sets, with and without maps * 3 rules with mixed exprs Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: s/seconds/second/Florian Westphal2013-10-221-1/+1
| | | | | | my fault, spotted by Phil Oester. Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: limit: avoid huge rodata arrayPablo Neira Ayuso2013-10-221-8/+13
| | | | | | | | | | commit 10e0890e ('src: operational limit match') creates huge array, increasing libnftables binary size. Use switch statement instead. Based on patch from Florian Westphal, for nft. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: operational limit matchPhil Oester2013-10-223-25/+32
| | | | | | | | | | | | | | | | | | | | | The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation: - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level?? - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit. - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match. This closes netfilter bugzilla #827, reported by Eric Leblond. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix access after free in case of parsing errorsPablo Neira Ayuso2013-10-211-1/+3
| | | | | | If this fails to parse a set element, stop the processing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: remove spacesÁlvaro Neira Ayuso2013-10-1773-143/+139
| | | | | | | | | | | | Remove all the spaces from the JSON output to reduce the size of the output string, this also provides a consistent output in table, chain, rule and set. As Stephen Hemminger suggested, better to squash the output to consume as less bytes as possible. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>