libnftnl - nftables netlink library

	Commit message (Collapse)	Author	Age	Files	Lines
*	examples: nft-chain-get: allow to list chain from all families	Pablo Neira Ayuso	2013-07-18	1	-23/+23
\| \| \| \| \| \|	So far, it was restricted to AF_INET. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	examples: add arp support	Pablo Neira Ayuso	2013-07-18	15	-60/+103
\| \| \| \| \| \|	While at it, convert all examples to use NFPROTO_*. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	utils: ARP family is number 3	Pablo Neira Ayuso	2013-07-18	1	-1/+1
\| \| \| \| \| \| \|	Netfilter uses family number 3 for ARP since AF_ARP does not exists. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	chain: json: fix wrong display of table and family	Álvaro Neira Ayuso	2013-07-18	1	-2/+2
\| \| \| \| \| \| \| \| \|	In (74ccff7 chain: json: use string to identify policy), the json support for chain was unintentionally swapping the table name and the family. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: add nft_*_list_add_tail	Pablo Neira Ayuso	2013-07-16	9	-4/+36
\| \| \| \| \| \| \|	This redefines the meaning of nft_*_list_add to prepend, before this patch it was appending, which was semantically wrong. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	chain: json: use string to identify policy	Álvaro Neira Ayuso	2013-07-16	1	-26/+40
\| \| \| \| \| \| \| \| \|	* if we don't have hooknum we don't need to print the policy tag * If we have hooknum, i have used the policy2str function for printing the policy with "accept" string or "drop" string Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	set: json: fix incomplete output	Álvaro Neira Ayuso	2013-07-16	3	-28/+46
\| \| \| \| \| \| \| \| \| \| \|	In (bf39c53 set: add json output), the json support for sets was incomplete: * version, family, key_type, key_len, data_type, data_len were not included. * Now I use nft_data_reg_snprintf for printing the key and data Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: limit: fix getter	Pablo Neira Ayuso	2013-07-15	1	-4/+6
\| \| \| \| \| \|	Set missing data length via getter, otherwise it returns zero. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: add nft_*_list_is_empty() functions	Arturo Borrero	2013-07-15	9	-0/+32
\| \| \| \| \| \| \| \| \|	This functions check if a given nft_*_list is empty or not. I found this quite useful while working with a full ruleset. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	include: update include/linux/netfilter/nf_tables.h	Pablo Neira Ayuso	2013-07-13	1	-3/+211
\| \| \| \| \| \|	Get it in sync with the current kernel tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: add nft_expr_data to replace explicit casting to obtain expression data	Pablo Neira Ayuso	2013-07-13	16	-98/+97
\| \| \| \|	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: use __attribute__((constructor)) to register expression	Pablo Neira Ayuso	2013-07-13	18	-39/+89
\| \| \| \| \| \|	Instead of manual array registration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	examples: nft-{table,chain,rule}-xml-add: fix missing NLM_F_CREATE	Pablo Neira Ayuso	2013-07-10	3	-20/+22
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Thus, automodule loading was not working. While at it, apply not so relevant comestic cleanups and fix some inconsistencies between examples. * Fix copyright header, this is code heavily based on existing nft--add examples. Remove unrequired extern struct nft_table definition. * Make sure we close file descriptor once we don't need it anymore. * Remove unrequired casting. * Remove comment that provides nothing interesting. I considered a patch to address each on those was too much burden. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: payload: fix incorrect length and base in default output	Eric Leblond	2013-07-10	1	-2/+2
\| \| \| \| \| \| \| \|	This patch fixes an accidental swapping of the dreg and length payload fields. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	examples: remove LIBXML_LIBS from LDADD	Pablo Neira Ayuso	2013-07-10	1	-21/+21
\| \| \| \| \| \| \| \|	Remove it from the example files, we don't need it. There is no explicit reference to any of the libmxml functions in those files, so the linker does not need that library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: payload: fix printing of base	Pablo Neira Ayuso	2013-07-09	1	-2/+16
\| \| \| \| \| \| \|	In (f95e859 src: improve default text output), it assumes all bases are network, but we may have link and transport as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	bitwise: xml: export len node	Arturo Borrero	2013-07-08	2	-2/+4
\| \| \| \| \| \| \|	Fix missing length, it was not being exported in XML. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
*	set: add xml output	Arturo Borrero	2013-07-06	6	-5/+114
\| \| \| \| \| \| \|	This patch adds XML output for sets. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: xml: consolidate parsing of data_reg via nft_mxml_data_reg_parse	Arturo Borrero	2013-07-06	5	-80/+74
\| \| \| \| \| \| \| \|	Move common code for XML parsing of data_reg to the new nft_mxml_data_reg_parse function. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	examples: nft-table-get: add json support	Álvaro Neira Ayuso	2013-07-06	1	-5/+22
\| \| \| \| \|	Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	set: add json output	Álvaro Neira Ayuso	2013-07-06	5	-14/+128
\| \| \| \| \| \| \|	This patch allows you to dump set and their content in json format. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	set: fix printing of key and data registers	Pablo Neira Ayuso	2013-07-06	1	-2/+2
\| \| \| \|	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: expr: data_reg: fix printing data register content	Pablo Neira Ayuso	2013-07-05	2	-6/+6
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Before: ip filter output 41 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 ] Now: ip filter output 41 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] ^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: improve default text output	Giuseppe Longo	2013-07-05	21	-59/+86
\| \| \| \| \| \| \| \| \| \| \| \| \|	This patch improves default plain text output by mimicing the default output of libnl-nft. While at it, several %lu has been translated to use %"PRIu64" for correctness. [ I have added the policy to string translation --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: xml: fix compilation without XML parsing enabled	Pablo Neira Ayuso	2013-07-04	2	-0/+6
\| \| \| \| \| \| \| \|	Since (d844fa0 src: consolidate XML parsing of expressions via nft_mxml_expr_parse), the library was not compiling with XML support anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: consolidate XML parsing of expressions via nft_mxml_reg_parse	Pablo Neira Ayuso	2013-07-04	11	-202/+102
\| \| \| \|	This patch reduces the XML code in 100 LOC.
*	src: consolidate XML parsing of expressions via nft_mxml_expr_parse	Pablo Neira Ayuso	2013-07-04	21	-431/+132
\| \| \| \| \| \| \| \| \|	Move common code for XML parsing of expressions to the new nft_mxml_expr_parse function. This patch reduces the XML parsing code in 300 LOC. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: ct: fix setting of NFT_EXPR_CT_DIR	Arturo Borrero Gonzalez	2013-07-04	1	-1/+1
\| \| \| \| \|	Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	expr: Fix header inclusion for integer types	Tomasz Bursztyka	2013-07-03	1	-0/+1
\| \| \| \| \|	Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	examples: add JSON support	Álvaro Neira Ayuso	2013-06-29	1	-1/+4
\| \| \| \| \| \| \|	By specifying 'json' as first parameter. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: support JSON format in chain, rule and expressions	Álvaro Neira Ayuso	2013-06-29	21	-42/+402
\| \| \| \| \| \| \|	While at it, order possible switch cases of _snprintf. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	tests: nft-parsing-test: restore default terminal color after test	Pablo Neira Ayuso	2013-06-27	1	-2/+2
\| \| \| \|	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	tests: remove several wrong XML nodes in tests	Pablo Neira Ayuso	2013-06-27	3	-6/+1
\| \| \| \|	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	test: add testbench for XML	Arturo Borrero Gonzalez	2013-06-27	29	-416/+316
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This patch add a testbench for XML parsing, which may be extended to test JSON as well. To use it: $ cd test/ $ make nft-parsing-test $ ./nft-parsing-test xmlfiles/ This testbench supersedes old .sh test scripts, so they are deleted. [ I have mangled this patch to rename/mangle files, to colorize the test output and not to compile XML inconditionally --pablo ] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	exthdr: xml: rename type node to exthdr_type	Arturo Borrero Gonzalez	2013-06-27	1	-3/+5
\| \| \| \| \| \| \|	This patch renames the <type> node in the exthdr expr to <exthdr_type>. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	nat: xml: rename node type to nat_type	Arturo Borrero Gonzalez	2013-06-27	1	-4/+4
\| \| \| \| \| \| \| \| \|	This patch renames the node <type> to a more explicit <nat_type>. This will prevent in the future from confusing other <type> nodes from other exprs. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	nat: snprintf: fix buffer offset	Arturo Borrero Gonzalez	2013-06-27	1	-3/+3
\| \| \| \| \| \| \|	This patch fix the buffer offset necesary to print correctly the nat expr in a default output mode. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	meta: xml: use string to represent key attribute	Arturo Borrero Gonzalez	2013-06-27	2	-6/+50
\| \| \| \| \| \| \|	Use a string for <key> node instead of a number. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	exthdr: xml: use string for type node	Arturo Borrero Gonzalez	2013-06-27	1	-5/+47
\| \| \| \| \| \| \|	This patch implements using a string for the <type> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	payload: xml: use string for base attribute	Arturo Borrero Gonzalez	2013-06-27	2	-12/+49
\| \| \| \| \| \| \|	This patch implements using a string instead of a number for the <base> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	target&match: xml: don't print rev number	Arturo Borrero Gonzalez	2013-06-27	3	-42/+2
\| \| \| \| \| \| \| \|	The <rev> node is not printed/parsed anymore. It should not be exported, this is negotiated with the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	data_reg: xml: display register in big endian	Arturo Borrero Gonzalez	2013-06-27	1	-3/+5
\| \| \| \| \| \| \| \| \| \|	Display registers in big endian, so the output will be the same in different endianness CPU. <data>0xaabbccdd</data> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	data_reg: xml: fix len node, it should show byte length	Arturo Borrero Gonzalez	2013-06-27	2	-11/+10
\| \| \| \| \| \| \| \|	Previous to this patch, the <len> node was 'how many <dataN> nodes we have'. However, the <len> node means 'how many bytes are in <dataN> nodes'. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	chain: xml: use string for policy	Arturo Borrero Gonzalez	2013-06-27	2	-19/+38
\| \| \| \| \| \| \|	Now the <policy> node is using "accept" or "drop". Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	exthdr: xml: fix mandatory elements	Arturo Borrero Gonzalez	2013-06-27	1	-40/+55
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	According to net/netfilter/nft_exthdr.c: nft_exthdr_init(), all of dreg, type, offset and len are mandatory: if (tb[NFTA_EXTHDR_DREG] == NULL \|\| tb[NFTA_EXTHDR_TYPE] == NULL \|\| tb[NFTA_EXTHDR_OFFSET] == NULL \|\| tb[NFTA_EXTHDR_LEN] == NULL) return -EINVAL; So the XML parser must make sure the equivalent nodes exists. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	ct: xml: use key names instead of numbers	Arturo Borrero Gonzalez	2013-06-27	1	-7/+48
\| \| \| \| \| \| \|	ct expr uses a string instead of a numerical one in the <key> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	ct: xml: add extra dir check	Arturo Borrero Gonzalez	2013-06-27	1	-0/+6
\| \| \| \| \| \| \| \| \| \| \| \| \|	This patch adds an extra dir check. 0 means original. 1 means a reply. Pablo decided not to include nf_conntrack_tuple_common.h, instead internally defined them. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	nat: xml: fix node names for sreg_addr_{min\|max}	Arturo Borrero Gonzalez	2013-06-27	1	-6/+6
\| \| \| \| \| \| \| \| \|	This patch changes the name of XML nodes from <sreg_addr_min_v4> to <sreg_addr_min>, and <sreg_addr_max_v4> to <sreg_addr_max>, as they are register numbers, not addresses, so they are protocol independent. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	nat: xml: change nat types string to dnat/snat	Arturo Borrero Gonzalez	2013-06-27	1	-14/+11
\| \| \| \| \| \| \| \|	This patch replaces the string NFT_NAT_{S\|D}NAT with {s\|d}nat in the <type> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: xml: convert family values to string	Arturo Borrero	2013-06-27	10	-47/+99
\| \| \| \| \| \| \| \| \| \| \| \|	This patch translates family values to display a string: * ip if AF_INET * ip6 if AF_INET6 * bridge if AF_BRIDGE * arp if 0 Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>