Commit message | Author | Age | Files | Lines
* test: add testbench for XML | Arturo Borrero Gonzalez | 2013-06-27 | 29 | -416/+316
    This patch adds a testbench for XML parsing, which may be extended to test JSON as well.
    To use it:
      $ cd test/
      $ make nft-parsing-test
      $ ./nft-parsing-test xmlfiles/
    This testbench supersedes old .sh test scripts, so they are deleted.
    [ I have mangled this patch to rename/mangle files, to colorize the test output and not to compile XML unconditionally --pablo ]
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: rename type node to exthdr_type | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -3/+5
    This patch renames the <type> node in the exthdr expr to <exthdr_type>.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: rename node type to nat_type | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -4/+4
    This patch renames the node <type> to a more explicit <nat_type>.
    This will prevent in the future from confusing other <type> nodes from other exprs.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: snprintf: fix buffer offset | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -3/+3
    This patch fixes the buffer offset necessary to print correctly the nat expr in a default output mode.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: xml: use string to represent key attribute | Arturo Borrero Gonzalez | 2013-06-27 | 2 | -6/+50
    Use a string for <key> node instead of a number.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: use string for type node | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -5/+47
    This patch implements using a string for the <type> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: xml: use string for base attribute | Arturo Borrero Gonzalez | 2013-06-27 | 2 | -12/+49
    This patch implements using a string instead of a number for the <base> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* target&match: xml: don't print rev number | Arturo Borrero Gonzalez | 2013-06-27 | 3 | -42/+2
    The <rev> node is not printed/parsed anymore.
    It should not be exported, this is negotiated with the kernel.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: xml: display register in big endian | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -3/+5
    Display registers in big endian, so the output will be the same in different endianness CPU.
      <data>0xaabbccdd</data>
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: xml: fix len node, it should show byte length | Arturo Borrero Gonzalez | 2013-06-27 | 2 | -11/+10
    Previous to this patch, the <len> node was 'how many <dataN> nodes we have'.
    However, the <len> node means 'how many bytes are in <dataN> nodes'.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: xml: use string for policy | Arturo Borrero Gonzalez | 2013-06-27 | 2 | -19/+38
    Now the <policy> node is using "accept" or "drop".
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: fix mandatory elements | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -40/+55
    According to net/netfilter/nft_exthdr.c: nft_exthdr_init(), all of dreg, type, offset and len are mandatory:
      if (tb[NFTA_EXTHDR_DREG] == NULL ||
          tb[NFTA_EXTHDR_TYPE] == NULL ||
          tb[NFTA_EXTHDR_OFFSET] == NULL ||
          tb[NFTA_EXTHDR_LEN] == NULL)
              return -EINVAL;
    So the XML parser must make sure the equivalent nodes exist.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: xml: use key names instead of numbers | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -7/+48
    ct expr uses a string instead of a numerical one in the <key> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: xml: add extra dir check | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -0/+6
    This patch adds an extra dir check. 0 means original. 1 means a reply.
    Pablo decided not to include nf_conntrack_tuple_common.h, instead internally defined them.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix node names for sreg_addr_{min|max} | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -6/+6
    This patch changes the name of XML nodes from <sreg_addr_min_v4> to <sreg_addr_min>, and <sreg_addr_max_v4> to <sreg_addr_max>, as they are register numbers, not addresses, so they are protocol independent.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: change nat types string to dnat/snat | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -14/+11
    This patch replaces the string NFT_NAT_{S|D}NAT with {s|d}nat in the <type> node.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: convert family values to string | Arturo Borrero | 2013-06-27 | 10 | -47/+99
    This patch translates family values to display a string:
      * ip if AF_INET
      * ip6 if AF_INET6
      * bridge if AF_BRIDGE
      * arp if 0
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add hooknum2str | Arturo Borrero Gonzalez | 2013-06-27 | 2 | -12/+30
    This patch translates the Netfilter hooknumber to a readable string.
    Useful for printing and parsing in XML and JSON formats.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* byteorder: xml: op as string | Arturo Borrero | 2013-06-27 | 1 | -7/+16
    This patch changes the numerical value of the XML byteorder's <op> node to a string representation.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* expr: xml: registers must be <= NFT_REG_MAX | Arturo Borrero Gonzalez | 2013-06-27 | 9 | -0/+54
    With this patch, all expressions validate that registers are <= NFT_REG_MAX.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: xml: mask and xor use same number of data registers | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -0/+8
    The mask and xor must use the same number of data registers.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: xml: conditional display of compat info | Arturo Borrero Gonzalez | 2013-06-27 | 1 | -29/+30
    The compat XML info is now conditional both when printing and parsing.
    It is only used by iptables-nftables.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add nft_set_elem_attr_set_str | Pablo Neira Ayuso | 2013-06-21 | 1 | -0/+6
    It was not implemented, it was defined in the header and map files though.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_snprintf | Pablo Neira Ayuso | 2013-06-19 | 4 | -2/+18
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix nft_set_elem_attr_get with NFT_SET_ELEM_ATTR_CHAIN | Pablo Neira Ayuso | 2013-06-19 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix wrong flags setting in nft_set_elems_parse2 | Pablo Neira Ayuso | 2013-06-19 | 1 | -3/+4
    Set element object flags instead of set flags.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add missing set/unset support for NFT_SET_ATTR_DATA_[TYPE|LEN] | Pablo Neira Ayuso | 2013-06-19 | 2 | -2/+10
    While at it, use fixed length uint32_t instead of size_t.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: xml: don't print target and match info | Arturo Borrero | 2013-06-18 | 2 | -22/+2
    This is binary layout of the iptables target/match, we can do nothing with it at this moment. Let's get rid of it.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: unset chain & rule handle | Arturo Borrero | 2013-06-18 | 2 | -0/+2
    Use _unset functions to delete handle so test don't fail.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: xml: delete trailing space | Arturo Borrero | 2013-06-17 | 1 | -1/+1
    This patch fixes a trailing space in rule xml_snprintf.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix crash during parsing if non-mandatory element is not present | Arturo Borrero Gonzalez | 2013-06-17 | 1 | -4/+4
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix wrong offset in snprintf | Arturo Borrero | 2013-06-17 | 1 | -4/+6
    This patch fixes the buffer offset of the nat snprintf function so elements are properly printed.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: bitwise: xml: fix wrong casting | Arturo Borrero | 2013-06-17 | 1 | -1/+1
    Introduced in (51370f0 src: add support for XML parsing)
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix nft_set_attr_get with NFT_SET_ATTR_KEY_FLAGS | Pablo Neira Ayuso | 2013-06-17 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix wrong flags set for NFT_SET_ELEM_ATTR_FLAGS | Pablo Neira Ayuso | 2013-06-17 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: set NFT_*_ATTR_FAMILY in nft_*_parse function | Pablo Neira Ayuso | 2013-06-17 | 3 | -0/+8
    This attribute was not appropriately set in most cases.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: fix nft_chain_attr_set_str | Pablo Neira Ayuso | 2013-06-17 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add stdbool.h to libnftables/expr.h | Pablo Neira Ayuso | 2013-06-17 | 1 | -0/+2
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify first parameter of all nft_*_get | Pablo Neira Ayuso | 2013-06-17 | 20 | -36/+47
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFT_SET_ATTR_FAMILY | Pablo Neira Ayuso | 2013-06-17 | 3 | -0/+6
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_attr_is_set | Pablo Neira Ayuso | 2013-06-17 | 12 | -0/+55
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_foreach | Pablo Neira Ayuso | 2013-06-17 | 10 | -0/+113
    This patch adds a simplified iterator interface.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add limit | Pablo Neira Ayuso | 2013-06-13 | 4 | -0/+221
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add byteorder | Pablo Neira Ayuso | 2013-06-12 | 4 | -0/+359
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add ct | Pablo Neira Ayuso | 2013-06-12 | 4 | -0/+256
    This patch adds the ct expression.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add exthdr | Pablo Neira Ayuso | 2013-06-11 | 4 | -0/+302
    This patch adds support for the exthdr expression of nftables that is implemented in linux/net/netfilter/nft_exthdr.c
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix missing interlibrary dependency | Pablo Neira Ayuso | 2013-06-11 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add log expression | Pablo Neira Ayuso | 2013-06-10 | 4 | -0/+291
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-get: export in JSON format | Alvaro Neira Ayuso | 2013-06-08 | 1 | -1/+4
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add function to export tables in JSON format | Alvaro Neira Ayuso | 2013-06-08 | 3 | -0/+29
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>