| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add const qualifiers to the "to string" translation arrays used by
various *2str() functions.
This fixes GCC warnings such as the following when compiling with
-Wwrite-strings:
expr/byteorder.c:176:25: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
In order to catch these in the future, also add -Wwrite-strings to
default CFLAGS.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the libmxml integration in libnftnl, since we have
JSON in place and there is no need to support two at the same time.
The JSON support is much better, for example libjansson has a better
parsing error reporting.
Moreover, libmxml 2.10 breaks the integration with libnftnl somehow,
as reported in Debian bug #83870 [0].
Also, the XML support inside libnftnl has never been in good shape, with
several tiny inconsitencies.
[0] https://bugs.debian.org/838370
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the function:
bool nftnl_rule_cmp(const struct nftnl_rule *r1,
const struct nftnl_rule *r2)
for rule comparison.
Expressions within rules need to be compared, so also has been created the
function:
bool nftnl_expr_cmp(const struct nftnl_expr *e1,
const struct nftnl_expr *e2);
Also includes all expression comparators.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use NFTNL_EXPR_PAYLOAD_SREG instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
flow table support needs constant object arguments to printing functions
to avoid ugly casts. While at it, also constify object arguments to message
construction, destructor and a few helper functions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Use a shorter name for this, morever this can be used from sets so the _rule_
is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
So we can use the nft_* prefix anytime soon for our upcoming higher level
library.
After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We cannot use __attribute__((constructor)) to register the supported
expressions in runtime when the library is statically linked. This lead
us to some explicit libnftnl_init() function that needs to be called
from the main() function of the client program.
This patch reverts 4dd0772 ("expr: use __attribute__((constructor)) to
register expression").
Reported-by: Laurent Bercot <ska-devel@skarnet.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The internal.h file started being a small file with private definitions.
Its size has been increasing over time more and more, so let's split
this in small header files that map to the corresponding class where the
functions belong to.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new buffer class to consolidate the existing code to export objects
in XML/JSON and use it. We save ~700 LOC with this change.
The rule and set objects are not yet consolidated. It seems this would
require some specific glue code per representation type since lists are
arranged differently.
This also consolidates the tag names, so we make sure the same are used
from XML and JSON by placing them in include/buffer.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has ocurred.
This is an example of the (hypothetical) message that is shown in that
case:
nf_tables kernel ABI is broken, contact your vendor.
table.c:214 reason: Numerical result out of range
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
It changes the parse functions to omit unset values.
Signed-off-by: Ana Rey <anarey@gmail.com>
|
| |
|
|
|
|
|
| |
It changes the parse and snprintf functions to omit unset values.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
functions.
Code refactoring in nft_rule_expr_payload_snprintf_* functions to get a
nft_rule_expr type instead of nft_expr_payload type. The nft_rule_expr is
needed to check information into flags variables.
Moreover, It remanes a variable from 'p' to 'payload' for code
readability reasons.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Code refactoring to use nft_rule_expr_set_* in parse functions.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
We plan to use this library name for the higher layer library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are some cases where a reg is not mandatory, for example:
* dreg in lookup
* dreg/sreg in meta (last version)
So, lets change the function nft_mxml_reg_parse() to add
an optional/mandatory flag.
dreg in lookup is optional as stated at:
net/netfilter/nft_lookup.c:nft_lookup_init()
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes the incorrect data type (from uint8_t to uint32_t) in
several private data area of the expressions.
It also cleans up this by translating several unsigned int to uint32_t.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove all the spaces from the JSON output to reduce the size
of the output string, this also provides a consistent output
in table, chain, rule and set.
As Stephen Hemminger suggested, better to squash the output to
consume as less bytes as possible.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch breaks the ABI to shrink the size parameter from 8
to 4 bytes in x86_64. The maximum length of netlink attributes
is 2 bytes, so 4 bytes as attribute payload length should be
enough.
After this patch, size_t is only used in the nft_*_snprintf
interfaces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add an optional/mandatory flag to XML parsing.
In some elements (ie regs), no flag is used because is always mandatory.
DATA_NONE is created to indicate a non-parsed data_reg.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch is a cleanup to save LOC.
I have also changed it to use < 0 to check for error conditions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch is a cleanup to save LOC.
I have also changed it to use < 0 to check for error conditions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Remove _value_ infix to make the function name smaller.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add function for parsing rules in JSON format
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use base2str instead to consolidate code in the snprintf path.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add function that will be use in the JSON parser
Signed-off-by: Alvaro Neira Ayuso Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Replace existing code to use this function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch moves common XML string parsing code to nft_mxml_str_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch refactors the getter code to simplify it. The default
cases have been removed so gcc will spot a warning if an attribute
is not handled appropriately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Instead of manual array registration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch fixes an accidental swapping of the dreg and length
payload fields.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
In (f95e859 src: improve default text output), it assumes all bases
are network, but we may have link and transport as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch improves default plain text output by mimicing the
default output of libnl-nft.
While at it, several %lu has been translated to use %"PRIu64"
for correctness.
[ I have added the policy to string translation --pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
This patch reduces the XML code in 100 LOC.
|
| |
|
|
|
|
|
|
|
| |
Move common code for XML parsing of expressions to the new
nft_mxml_expr_parse function.
This patch reduces the XML parsing code in 300 LOC.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
While at it, order possible switch cases of _snprintf.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch implements using a string instead of a number for the <base> node.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
With this patch, all expressions validate that registers are <= NFT_REG_MAX.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds capabilities for parsing a XML table/chain/rule.
Some comments:
* The XML data is case sensitive
(so <chain>asd</chain> != <chain>ASD</chain> != <CHAIN>asd</CHAIN>)
* All exported functions receive XML and return an object (table|chain|rule).
* To compile the lib with XML parsing support, run './configure --with-xml-parsing'
* XML parsing is done with libmxml (http://minixml.org). XML parsing depends
on this external lib, this dependency is optional at compile time.
NOTE: expr/target and expr/match binary data are exported.
[ Fixed to compile without --with-xml-parsing --pablo ]
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
| |
Delete all \n and \t from XML output, any reasonable XML viewer
already does the nifty formatting for us.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Propagate the type and flags parameter to the expressions, so we can
implement outputs in different formats.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
