| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the libmxml integration in libnftnl, since we have
JSON in place and there is no need to support two at the same time.
The JSON support is much better, for example libjansson has a better
parsing error reporting.
Moreover, libmxml 2.10 breaks the integration with libnftnl somehow,
as reported in Debian bug #83870 [0].
Also, the XML support inside libnftnl has never been in good shape, with
several tiny inconsitencies.
[0] https://bugs.debian.org/838370
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Although the 'err' pointer should be interesting for users only if the
parser returned non-zero, having it point to uninitialized data is
generally a bad thing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Iterators do not modify objects which they iterate, so input pointer must
be const.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
All getters must set the memory size of the attributes, ie. this
includes the nul-termination in strings.
For references to opaque objects hidden behind the curtain, report
a zero size.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The string length must be one character longer to include the
nul-termination.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fix nftnl_chain_set_data() with NFTNL_CHAIN_DEV.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Just in case we ever support chain with larger names in the future,
this will ensure the library doesn't break. Although I don't expect
allocating more bytes for this anytime soon, but let's be conservative
here.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Now that unsetters don't set pointers to NULL, check if the attribute is
set before trying to release it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
If the attribute is set as we already check at the beginning of this
function, then we can release the object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
And pass up an error to the caller.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
So the client can bail out of memory allocation errors. Or in case of
daemon, make sure things are left in consistent state before bailing
out.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If this attribute is not supported by the library, we should rise an
assertion so the client knows something is wrong, instead of silently
going through.
The only case I can think may hit this problem is version mismatch
between library and tools. This should not ever really happen, so better
bail out from the library itself in this case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
These functions don't modify the chain object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
These functions are passed as parameter, so we basically get nothing
with this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
flow table support needs constant object arguments to printing functions
to avoid ugly casts. While at it, also constify object arguments to message
construction, destructor and a few helper functions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Future symbols don't need backwards-compat aliases.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by valgrind:
[...]
==14065== Process terminating with default action of signal 11 (SIGSEGV)
==14065== Access not within mapped region at address 0x0
==14065== at 0x4C2C022: strlen (vg_replace_strmem.c:454)
==14065== by 0x4E41A93: nftnl_chain_set_str (chain.c:259)
==14065== by 0x4E427F7: nftnl_mxml_chain_parse (chain.c:770)
==14065== by 0x4E48F96: nftnl_ruleset_parse_chains (ruleset.c:314)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_ruleset (ruleset.c:625)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_cmd (ruleset.c:668)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse (ruleset.c:706)
==14065== by 0x4E4959A: nftnl_ruleset_do_parse (ruleset.c:734)
==14065== by 0x4013C9: test_xml (nft-parsing-test.c:166)
==14065== by 0x4016F4: execute_test (nft-parsing-test.c:214)
==14065== by 0x400EBA: main (nft-parsing-test.c:330)
[...]
While at it, fix a bit the coding style.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The function names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The constant names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
So we can use the nft_* prefix anytime soon for our upcoming higher level
library.
After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch introduces the nftnl_ symbols as aliases for the existing nft_
symbols through the EXPORT_SYMBOL(...) macro.
We would like to use the nft_* prefix from our upcoming higher level library,
meanwhile with this move we avoid that old binaries break because of missing
symbol dependencies.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Free object attributes before overwrite it. Fix 'nlmsg_parse' methods of
following objects: 'table', 'chain', 'rule', 'set' and 'set_element'.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add support for the new NFT_CHAIN_ATTR_DEV attribute that indicates that the
basechain is attached to a net_device.
This partially reworks 1dd9ba1ea23c ("table: add netdev family support").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This adds support for the new 'netdev' family tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we can't do incremental updates via JSON/XML.
This patch enriches the existing output to indicate the kind of
update that you want to perform.
So, if we have a ruleset like:
table ip filter {
chain input {
type filter hook input priority 0;
}
}
The new output looks like:
{"nftables":[{"add":[{"table":{"name":"filter",...}}]}]}
^^^^^
Where we explicitly indicate that we want to add a table.
We support all the actions that we can do with nft, they are:
- Add, delete and flush tables and chains.
- Add, delete, replace and insert rules.
- Add and delete sets.
- Add and delete set elements.
- Flush ruleset.
You only need to add the command tag:
{"nftables":[{"delete":[{...}, {...},...}]}]}
^^^^^^^^
The possible command tags that you can use are "add", "delete", "insert",
"replace" and "flush".
- Flush table or chain, eg.:
{"nftables":[{"flush":[{"table":{"name":...}}]}]}
- Delete table, chain, set or rule:
{"nftables":[{"delete":[{"chain":{"name":...}]}]}
- Replace a rule (you have to specify the handle):
{"nftables":[{"replace":[{"rule":{...}}]}]}
- Insert a rule:
{"nftables":[{"insert":[{"rule":{...}}]}]}
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Currently, we create iterator without test if the list is empty. If the
list is empty, we have a crash when we set up the current element. With
this patch, we test if the list is empty before to create the iterator.
If the list is empty the iterator return NULL.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new buffer class to consolidate the existing code to export objects
in XML/JSON and use it. We save ~700 LOC with this change.
The rule and set objects are not yet consolidated. It seems this would
require some specific glue code per representation type since lists are
arranged differently.
This also consolidates the tag names, so we make sure the same are used
from XML and JSON by placing them in include/buffer.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has ocurred.
This is an example of the (hypothetical) message that is shown in that
case:
nf_tables kernel ABI is broken, contact your vendor.
table.c:214 reason: Numerical result out of range
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
It changes the parse and snprintf functions to omit unset values.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Renames some variables for code readability reasons.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
It changes the parse and snprintf functions to omit unset values.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add set, unset, get, parse and build payload implementation for use value.
These changes are neeeded for a correct import/export of xml/json file
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Code refactoring to use nft_rule_expr_set_* in parse functions.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Free memory in the same function that is reserved.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch uses the flag option of each output function to print an
event wrapper string in each object.
In order to use this functionality, the caller must pass the
corresponding flags: NFT_OF_EVENT_NEW / NFT_OF_EVENT_DEL.
(I have slightly refactorized the original code to add the xml/json
header and footer --pablo).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If you try to obtain an unset attribute, you hit an assertion error
that should not happen. Fix this by checking if the attribute is
unset, otherwise skip the assertion checking.
Now that we have that nft_assert takes the data parameter, we can also
validate if someone is using the setter passing NULL, which is illegal.
So let's add an assertion for that as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
We have to check if mnl_attr_parse() returns an error, which means that it
failed to validate and retrieve the attributes.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This fixes assertions in the test files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds two functions that allows you to validate the size
of the attribute. This new functions provide a replacement for
nft_rule_attr_set and nft_rule_attr_get.
The data_len parameter was already passed to the {_set|_get} funcion
in expressions. For consistency, add nft_rule_expr_{set|get}_data
alias.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This allows us to remove the default case in the switch, which
show help to spot missing attribute support since gcc will spot
a compilation warning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
For some reason this was only printed in custom chains. Print it for
any chain, this is useful for debugging purposes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch includes changes to adapt this branch to the library
rename that happened in the master branch.
Conflicts:
src/Makefile.am
src/expr/cmp.c
src/expr/ct.c
src/expr/data_reg.c
src/expr/meta.c
tests/jsonfiles/01-table.json
tests/jsonfiles/02-table.json
tests/jsonfiles/64-ruleset.json
tests/xmlfiles/01-table.xml
tests/xmlfiles/02-table.xml
|
| | |
| |
| |
| |
| |
| | |
We plan to use this library name for the higher layer library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some verdicts have a negative value.
The caller of nft_str2verdict() checking if return was < 0 clash with
enum nft_verdict.
While at it, add error reporting of invalid verdicts.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch adds a new API to parse rule-set expressed in XML/JSON from
a file. A new enum nft_parse_input type is added for this purpose.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The intention behind this patch is to prepare the introduction of
the new API that will allow us to parse files that contain the rule-sets
expressed in XML/JSON format. This adds the NFT_PARSE_BUFFER that
indicates that the input is provided in a buffer, which is what we
currently support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |/
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Add new function nft_nlmsg_build_hdr which consolidates all existing
functions to build headers per object. They basically look the same.
This patch still provides aliases for consistency in the naming
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
These are needed to set the family value for chain and table.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
