path: root/src/expr

Commit message | Author | Age | Files | Lines

* include: synchronize nf_tables.h with nftables tree | Pablo Neira Ayuso | 2014-05-19 | 1 | -2/+2

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* data_reg: fix bad buffer size bounds | Arturo Borrero | 2014-05-07 | 1 | -5/+5

    These calls need to use the new buffer size, instead of the size that the
    buffer originally had.

    Bugs introduced by myself at dec68741 [data_reg: fix verdict format approach].

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: Add support for input and output bridge interface name | Tomasz Bursztyka | 2014-04-24 | 1 | -1/+3

    Add support for dedicated bridge meta key, related to device names:
    - NFT_META_BRI_IIFNAME
    - NFT_META_BRI_OIFNAME

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* lookup: Fix an invalid read | Ana Rey | 2014-04-16 | 1 | -2/+2

    Valgrind reports the following invalid read:

    $ sudo valgrind ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json
    ==26664== Memcheck, a memory error detector
    ==26664== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==26664== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
    ==26664== Command: ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json
    ==26664==
    ==26664== Invalid read of size 8
    ==26664==    at 0x4E45490: nft_rule_expr_lookup_set (lookup.c:50)
    ==26664==    by 0x4E40B04: nft_rule_expr_set (expr.c:73)
    ==26664==    by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157)
    ==26664==    by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206)
    ==26664==    by 0x4E3B719: nft_jansson_parse_rule (rule.c:606)
    ==26664==    by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312)
    ==26664==    by 0x401479: test_json (nft-parsing-test.c:129)
    ==26664==    by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
    ==26664==    by 0x400EBB: main (nft-parsing-test.c:332)
    ==26664==  Address 0x5c34d40 is 0 bytes inside a block of size 5 alloc'd
    ==26664==    at 0x4C274A0: malloc (vg_replace_malloc.c:291)
    ==26664==    by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26664==    by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)

    Signed-off-by: Ana Rey <anarey@gmail.com>

* target, match: Fix an invalid read | Ana Rey | 2014-04-14 | 2 | -4/+4

    Valgrind reports the following invalid read:

    $ sudo valgrind --leak-check=full ./nft-parsing-test -f ../jsonfiles/35-rule-target.json
    (and similar result with jsonfiles/29-rule-match.json file)

    ==26018== Invalid read of size 8
    ==26018==    at 0x4E484E3: nft_rule_expr_target_set (target.c:46)
    ==26018==    by 0x4E40B54: nft_rule_expr_set (expr.c:73)
    ==26018==    by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
    ==26018==    by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
    ==26018==    by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
    ==26018==    by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
    ==26018==    by 0x401479: test_json (nft-parsing-test.c:129)
    ==26018==    by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
    ==26018==    by 0x400EBB: main (nft-parsing-test.c:332)
    ==26018==  Address 0x5c34a60 is 0 bytes inside a block of size 4 alloc'd
    ==26018==    at 0x4C274A0: malloc (vg_replace_malloc.c:291)
    ==26018==    by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
    ==26018==    by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xml, json: Delete an immediatedata label in xml and json file | Ana Rey | 2014-04-14 | 1 | -10/+2

    It deletes the immediatedata label in the structure of json and xml file.

    Example of the old structure of xmlfile:

    <nftables>
      <rule>
        <family>ip</family>
        <table>filter</table>
        <chain>input</chain>
        <handle>32</handle>
        <expr type="immediate">
          <dreg>0</dreg>
          <immediatedata>
            <data_reg type="verdict">
              <verdict>accept</verdict>
            </data_reg>
          </immediatedata>
        </expr>
      </rule>
    </nftables>

    Example of the new structure of xmlfile:

    <nftables>
      <rule>
        <family>ip</family>
        <table>filter</table>
        <chain>input</chain>
        <handle>32</handle>
        <expr type="immediate">
          <dreg>0</dreg>
          <data_reg type="verdict">
            <verdict>accept</verdict>
          </data_reg>
        </expr>
      </rule>
    </nftables>

    To generate the new testfiles, it uses the option -u of the nft-parsing-test script.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* xml, json: Delete a cmpdata label in xml and json file | Ana Rey | 2014-04-14 | 1 | -8/+2

    It deletes the cmpdata label in the structure of json and xml file.

    Example of xmlfile:

    The old structure of xml file:

    [...]
    <expr type="cmp">
      <sreg>1</sreg>
      <op>eq</op>
      <cmpdata>
        <data_reg type="value">
          <len>4</len>
          <data0>0x0100a8c0</data0>
        </data_reg>
      </cmpdata>
    </expr>

    The new structure of json file:

    [...]
    <expr type="cmp">
      <sreg>1</sreg>
      <op>eq</op>
      <data_reg type="value">
        <len>4</len>
        <data0>0x0100a8c0</data0>
      </data_reg>
    </expr>
    [...]

    To generate the new testfiles, it uses the option -u of the nft-parsing-test script.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: add conntrack label match support | Florian Westphal | 2014-02-18 | 1 | -2/+3

    Signed-off-by: Florian Westphal <fw@strlen.de>

* src: compile queue expression support | Pablo Neira Ayuso | 2014-02-17 | 1 | -8/+13

    This got lost in 29fd6a1df9 when merging major changes in master to
    next-3.14.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Merge branch 'master' into next-3.14 | Pablo Neira Ayuso | 2014-02-03 | 19 | -385/+551

    This patch includes changes to adapt this branch to the library rename
    that happened in the master branch.

    Conflicts:
        src/Makefile.am
        src/expr/cmp.c
        src/expr/ct.c
        src/expr/data_reg.c
        src/expr/meta.c
        tests/jsonfiles/01-table.json
        tests/jsonfiles/02-table.json
        tests/jsonfiles/64-ruleset.json
        tests/xmlfiles/01-table.xml
        tests/xmlfiles/02-table.xml

| * rename library to libnftnl (tag: libnftnl-1.0.0) | Pablo Neira Ayuso | 2014-01-20 | 17 | -34/+34

    We plan to use this library name for the higher layer library.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * expr: ct: fix compilation warning when json/xml support is missing | Pablo Neira Ayuso | 2014-01-20 | 1 | -1/+1

      CC     expr/ct.lo
    expr/ct.c:194:12: warning: 'str2ctdir' defined but not used [-Wunused-function]

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * ct: use a string with 'dir' attribute | Arturo Borrero | 2014-01-18 | 1 | -11/+48

    This patch implements a string to represent directions in the CT expression:
    * original (0)
    * reply (1)

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * data_reg: fix verdict format approach | Arturo Borrero | 2014-01-18 | 1 | -72/+99

    Patrick reports that the XML/JSON formats of the data_reg object are not
    accurate.

    This patch updates these formats, so they are now as follow:
    * <data_reg type=value> with raw data (this doesn't change).
    * <data_reg type=verdict> with a concrete verdict (eg drop accept) and an
      optional <chain>, with destination.

    In XML:

    <data_reg type="verdict">
      <verdict>goto</verdict>
      <chain>output</chain>
    </data_reg>

    In JSON:

    "data_reg" : {
      "type" : "verdict",
      "verdict" : "goto",
      "chain" : "output"
    }

    The default output format is updated to reflect these changes (minor
    collateral thing).

    When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN
    flag, a basic check for the chain not being NULL is done, instead of
    evaluating if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol
    is no longer used in the data_reg XML/JSON parsing zone.

    While at it, I updated the error reporting stuff regarding data_reg/verdict,
    in order to leave a consistent state in the library.

    A JSON testfile is updated as well.

    Reported-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * utils: fix nft_str2verdict return value | Arturo Borrero | 2014-01-18 | 1 | -4/+10

    Some verdicts have a negative value. The caller of nft_str2verdict()
    checking if return was < 0 clash with enum nft_verdict.

    While at it, add error reporting of invalid verdicts.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * expr: meta: statify meta_key2str_array | Pablo Neira Ayuso | 2014-01-17 | 1 | -1/+1

    It's not used out of the scope of expr/meta.c

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * expr: ct: direction is optional | Arturo Borrero | 2014-01-17 | 1 | -16/+46

    The 'dir' attribute is optional as stated in the kernel sources.

    Previous to this patch, using XML/JSON to manage this expr produces some
    undefined and erroneous behaviours.

    While at it, fix also the default output format.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * expr: ct: fix missing NFT_CT_L3PROTOCOL in ctkey2str_array | Arturo Borrero | 2014-01-16 | 1 | -0/+1

    Due to missing NFT_CT_L3PROTOCOL key in ctkey2str_array, a segfault is
    produced when the str2ctkey() loop reaches that position, since strcmp()
    will try to compare a NULL value.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * lookup: xml: conditional output of dreg | Arturo Borrero | 2014-01-15 | 1 | -13/+30

    The dreg attribute is optional as stated at:
    linux/net/netfilter/nft_lookup.c

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * mxml: add optional/mandatory flag to nft_mxml_reg_parse | Arturo Borrero | 2014-01-15 | 10 | -46/+48

    There are some cases where a reg is not mandatory, for example:
    * dreg in lookup
    * dreg/sreg in meta (last version)

    So, lets change the function nft_mxml_reg_parse() to add an
    optional/mandatory flag.

    dreg in lookup is optional as stated at:
    net/netfilter/nft_lookup.c:nft_lookup_init()

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * expr: fix incorrect data type for several expression object fields | Pablo Neira Ayuso | 2014-01-10 | 5 | -11/+11

    This patch fixes the incorrect data type (from uint8_t to uint32_t) in
    several private data area of the expressions. It also cleans up this by
    translating several unsigned int to uint32_t.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

| * src: new error reporting approach for XML/JSON parsers | Álvaro Neira Ayuso | 2014-01-06 | 18 | -155/+216

    I have added a new structure for reporting some errors in parser that we
    can't cover with errno. In this patch, we have three errors that we can't
    cover with errno:

    NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
    NFT_PARSE_EMISSINGNODE : Missing node in our input
    NFT_PARSE_EBADTYPE : Wrong type value in a node

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* | expr: ct: Add support for setting the mark | Kristian Evensen | 2014-01-15 | 1 | -26/+101

    This patch adds userspace support for setting properties of tracked
    connections. Currently, the connection mark is supported. This can be used
    to implement the same functionality as iptables -j CONNMARK --save-mark.

    Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* | meta: Let user specify any combination of sreg/dreg | Kristian Evensen | 2014-01-15 | 1 | -32/+59

    libnftables should not mask kernel errors. Let user specify any combination
    of parameters and leave the error-checking to the kernel. The kernel will
    return -EINVAL and users will know that they have to fix their code.

    This patch also removes a redundant variable that was passed to the
    snprintf-functions (flag).

    A second iteration might be needed. I was not sure how to deal with
    snprintf_default in the case of both sreg and dreg.

    Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* | expr/cmp: fix type size | Patrick McHardy | 2014-01-15 | 2 | -5/+5

    Since nftables now uses nft_rule_expr_get_u32(), the internal size must
    also be a uint32_t. Fixes complete breakage of any cmp or meta expression.

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* | src: fix compilation due to missing NFPROTO_INET definition | Pablo Neira Ayuso | 2014-01-10 | 1 | -4/+3

    This adds a copy of the include/linux/netfilter.h kernel header that
    defines NFPROTO_INET, so libnftables compiles with relatively old kernel
    headers in the system.

    chain.c: In function 'nft_hooknum2str':
    chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)

    This required to reorder and remove unneeded headers in src/expr/data_reg.c
    to avoid a compilation warning due to redefinition of __visible.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* | libnftables: add support for inet family and meta nfproto/l4proto expressions | Patrick McHardy | 2014-01-08 | 1 | -1/+3

    Signed-off-by: Patrick McHardy <kaber@trash.net>

* | src: update meta expr | Arturo Borrero | 2013-12-26 | 1 | -24/+92

    This patch adds userspace support for the meta expression in the set
    flavour. This expression indicates that the packet has to be set with a
    property, currently one of mark, priority or nftrace.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* | expr: add support for nfnetlink queue | Eric Leblond | 2013-12-04 | 1 | -0/+254

    This patch adds a support of the queue target.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: log: fix wrong attribute type in nft_rule_expr_log_parse | Ana Rey | 2013-11-19 | 1 | -1/+1

    I fixed it by using the correct value.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Acked-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: target: fix wrong info length in nft_rule_expr_target_parse | Ana Rey | 2013-11-19 | 1 | -1/+1

    If I run my automatic unit test of libnftables, it shows:

    ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36

    The problem was in nft_rule_expr_target_parse function. With the attached
    patch, we use mnl_attr_get_payload_len() instead of mnl_attr_get_len().

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: log: fix missing \0 when sending log prefix to kernel | Ana Rey | 2013-11-19 | 1 | -1/+1

    If I run my automatic unit test for libnftables, it shows:

    "ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
    a: test
    b: test
           ^^ garbage

    The problem was in nft_rule_expr_log_build function. With the attached
    patch, we use mnl_attr_put_strz() instead of mnl_attr_put_str() as in other
    functions in the library.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: log: release prefix | Pablo Neira Ayuso | 2013-11-18 | 1 | -0/+8

    Ana Rey reported a leak in the log expression. Fix it by using the new
    .free interface added in (3cf788a expr: fix leak in target and match
    expressions).

    Reported-by: Ana Rey Botello <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: match: fix wrong flag setting in nft_rule_expr_match_parse | Pablo Neira Ayuso | 2013-11-18 | 1 | -3/+3

    Expression flags were incorrectly set.

    Reported-by: Ana Rey Botello <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: fix leak in target and match expressions | Pablo Neira Ayuso | 2013-11-18 | 2 | -0/+16

    Release internal data area for match and target expressions.

    ==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==30104==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
    ==30104==    by 0x400C2F: main (nft-expr_match-test.c:65)

    Reported-by: Ana Rey Botello <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: unify parse and output types | Álvaro Neira Ayuso | 2013-11-14 | 17 | -75/+75

    Unify parse and output types that are redundant to all existing nftables
    objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT] are merged into
    NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: add reject | Pablo Neira Ayuso | 2013-10-27 | 1 | -0/+213

    This patch adds support for the reject expression.

    Tested-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: limit: s/seconds/second/ | Florian Westphal | 2013-10-22 | 1 | -1/+1

    my fault, spotted by Phil Oester.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* expr: limit: avoid huge rodata array | Pablo Neira Ayuso | 2013-10-22 | 1 | -8/+13

    commit 10e0890e ('src: operational limit match') creates huge array,
    increasing libnftables binary size. Use switch statement instead.

    Based on patch from Florian Westphal, for nft.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: limit: operational limit match | Phil Oester | 2013-10-22 | 1 | -22/+29

    The nft limit match currently does not work at all. Below patches to
    nftables, libnftables, and kernel address the issue. A few notes on the
    implementation:

    - Removed support for nano/micro/milli second limits. These seem pointless,
      given we are using jiffies in the limit match, not a hpet. And who really
      needs to limit items down to sub-second level??

    - 'depth' member is removed as unnecessary. All we need in the kernel is the
      rate and the unit.

    - 'stamp' member becomes the time we need to next refresh the token bucket,
      instead of being updated on every packet which goes through the match.

    This closes netfilter bugzilla #827, reported by Eric Leblond.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: json: remove spaces | Álvaro Neira Ayuso | 2013-10-17 | 16 | -54/+52

    Remove all the spaces from the JSON output to reduce the size of the output
    string, this also provides a consistent output in table, chain, rule and
    set.

    As Stephen Hemminger suggested, better to squash the output to consume as
    less bytes as possible.

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: snprintf: fix buffer lengths | Arturo Borrero | 2013-09-27 | 1 | -3/+3

    Use 'len' instead of 'size' since we need the remaining unused bytes in the
    buffer, not its total size.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: replace size_t by uint32_t in set/get interfaces | Pablo Neira Ayuso | 2013-09-19 | 17 | -34/+34

    This patch breaks the ABI to shrink the size parameter from 8 to 4 bytes in
    x86_64. The maximum length of netlink attributes is 2 bytes, so 4 bytes as
    attribute payload length should be enough.

    After this patch, size_t is only used in the nft_*_snprintf interfaces.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* build: fix build error | Arturo Borrero Gonzalez | 2013-09-16 | 1 | -0/+4

    This declaration was missing and is needed in case you compile libnftables
    without XML parsing support.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: xml: avoid unnecessary tree to text to tree conversions | Arturo Borrero Gonzalez | 2013-09-16 | 2 | -140/+46

    This patch avoids several tree to text to tree conversions in the XML
    parsing helpers.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: xml: add parsing optional/mandatory flag | Arturo Borrero Gonzalez | 2013-09-16 | 17 | -41/+58

    Add an optional/mandatory flag to XML parsing. In some elements (ie regs),
    no flag is used because it is always mandatory.

    DATA_NONE is created to indicate a non-parsed data_reg.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: log: use real length when fetching attributes | Florian Westphal | 2013-09-14 | 1 | -2/+6

    NFTA_LOG_SNAPLEN is u32 and NFTA_LOG_QTHRESHOLD is u16.

    Without this, netlink messages from kernel fail mnl_validate step when
    QTHRESH or SNAPLEN was set.

    Also, nft_rule_expr_log_get must update data_length, else 'nft list' doesn't
    show log arguments (prefix, group ..) because the netlink message decoding
    uses nft_rule_expr_get_u16/32 etc. which validate the length, too.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: json: s/nft_jansson_value_parse_reg/nft_jansson_parse_reg/g | Pablo Neira Ayuso | 2013-08-24 | 9 | -22/+19

    This patch is a cleanup to save LOC. I have also changed it to use < 0 to
    check for error conditions.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: json: s/nft_jansson_value_parse_val/nft_jansson_parse_val/g | Pablo Neira Ayuso | 2013-08-24 | 10 | -33/+18

    This patch is a cleanup to save LOC. I have also changed it to use < 0 to
    check for error conditions.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: json: s/nft_jansson_value_parse_str/nft_jansson_parse_str/g | Pablo Neira Ayuso | 2013-08-24 | 12 | -17/+16

    Remove _value_ infix to make the function name smaller.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>