| Commit message | Author | Age | Files | Lines |

data_reg is an unnecessarily long name and it always has to be
wrapped by another data node. This will allow us to represent
data not only as registers if needed.

Get rid of 'cmpdata' and 'immediatedata' too and use 'data'
instead to wrap 'reg' so these are consistent with the bitwise
expression. No reason for such specific tag per expression.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add new buffer class to consolidate the existing code to export objects
in XML/JSON and use it. We save ~700 LOC with this change.

The rule and set objects are not yet consolidated. It seems this would
require some specific glue code per representation type since lists are
arranged differently.

This also consolidates the tag names, so we make sure the same are used
from XML and JSON by placing them in include/buffer.h.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

'type' is already used from the expression.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The kernel support is added in the commit:

netfilter: nft_meta: add cgroup support

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This empty file slipped through the repository, remove it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for the new nft_redir expression.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Having this interface returning a const pointer makes it very hard to
modify the content of a chain contained in a nft_ruleset.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

NFPROTO_ARP = 3 in kernel space.

We need the same value here in userspace in order to correctly communicate
with the kernel.

The failure solved by this patch made {XML|JSON}-parsed tables of the ARP
family unable to be directly injected into the kernel.

To prevent future errors, this patch changes raw and AF_* values to the matching
NFPROTO_* counterpart as seen in linux/netfilter.h in both functions:

* nft_family2str()
* nft_str2family()

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Fixes: c04175e ("src: internal set id allocation from nft_ruleset_parse*()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

jansson.c: In function 'nft_jansson_expr_parse':
jansson.c:212:6: warning: pointer targets in passing argument 3 of 'nft_set_lookup_id' differ in signedness [-Wpointer-sign]
In file included from jansson.c:10:0:
./internal.h:95:5: note: expected 'uint32_t *' but argument is of type 'int *'
jansson.c:195:18: warning: unused variable 'set_cur' [-Wunused-variable]
mxml.c: In function 'nft_mxml_expr_parse':
mxml.c:97:6: warning: pointer targets in passing argument 3 of 'nft_set_lookup_id' differ in signedness [-Wpointer-sign]
In file included from mxml.c:12:0:
internal.h:95:5: note: expected 'uint32_t *' but argument is of type 'int *'
mxml.c:68:18: warning: unused variable 'set_cur' [-Wunused-variable]

Spotted with: gcc (Debian 4.7.2-5) 4.7.2

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Extends this function to attach the set to the rule through the set id.
If it doesn't exist in the list, maybe the set already exists in the
kernel. In that case, we don't set any id.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The flags attribute is optional. Thus we should print only if it
was originally set.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The generation object currently only contains the uint32_t that
indicates the generation ID. I could have just added the API to return
the uint32_t ID instead, but I think this API is easier to extend
without adding new APIs.

We can probably include meaningful statistics in the generation
message in the future without much hassle.

This patch also extends examples/nft-events.c.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

In commit ff62959 ("set: add support for set mechanism selection") the
support for parsing the nested attribute (NFTA_SET_DESC) was incorrect.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

If the snprintf_cb() printed 0 characters, no \0 exists in the buffer.
Also, in that case fprintf() is meant to print nothing, so we can just exit.

This patch addresses new cases of textual output by libnftnl with trash.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds userspace support to nft_masq, the new expression to
perform masquerade.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for the new flags attribute in the nft_nat
expression.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>

The kernel support is added in commit:

netfilter: nf_tables: add devgroup support in meta expresion

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Keeping the full cached copy of the x_tables.h file in tree is too much
for just the XT_EXTENSION_MAXNAMELEN constant. Similarly, xt_LOG.h is not
actually required by the tests, we can use whatever synthetic data
to make sure the setter and getter provide the same result. So, let's
get rid of these headers from the library tree.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use the nft_fprintf() helper. The helper handles \0 properly.

Before this patch, we get trash in the output due to the buffer being
printed without any \0.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Original description from Thomas Petazzoni:

When ELF binaries and shared libraries are used, the internal
functions of libnftnl such as xfree() are not visible to the outside
world (their visibility is 'hidden'). Therefore, the fact that other
programs (especially nftables) may have symbols with the same name
does not cause any problem.

However, when doing static linking on a non-ELF platform (such as
Blackfin, which uses the FLAT binary format), there is no way of
encoding this visibility. Therefore, the xfree() symbols of libnftnl
become visible to the outside world, causing a conflict with the
xfree() symbol defined by nftables.

To solve this, this patch converts xfree into a macro instead of
a function.

Reported-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Let's use the proper free function to liberate the set_elem,
so we avoid potential memory leaks.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the following new interfaces:

int nft_batch_is_supported(void);
void nft_batch_begin(char *buf, uint32_t seq);
void nft_batch_end(char *buf, uint32_t seq);

Quite likely this is going to be reused by third party applications
requiring to put things in the batch. We already have potential clients
for this code in nft and iptables-compat.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This new interface allows you to put as many set elements as possible
into a netlink message. The iterator stores the last element that has
fit into a netlink message, so you can continue adding more set elements
across several netlink messages.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support to select the set mechanism.

The kernel support was added in commit:

c50b960 netfilter: nf_tables: implement proper set selection

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has occurred.

This is an example of the (hypothetical) message that is shown in that
case:

nf_tables kernel ABI is broken, contact your vendor.
table.c:214 reason: Numerical result out of range

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

In the xml parser, we have used a variable 'flags' for parsing it
but we have forgotten to define it. This patch solves a compile error
like:

expr/log.c:263:12: error: 'flags' undeclared (first use in this function)

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This is required by changes scheduled for Linux kernel 3.17.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse and snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Renames some variables for code readability reasons.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse and snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add set, unset, get, parse and build payload implementation for use value.
These changes are needed for a correct import/export of xml/json file.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse and snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse and snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add some parts of the implementation of the 'use' value in table that were missing.
These changes are needed for a correct import/export of xml/json file.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Code refactoring to use nft_table_attr_set_* in parse xml functions.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Free memory in the same function that is reserved.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Code refactoring to use nft_rule_expr_set_* in parse functions.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Free memory in the same function that is reserved.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the json parse and snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse and snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Code refactoring to use nft_rule_expr_set_* in parse functions.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Code refactoring in nft_rule_expr_match_snprintf_* functions to get a
nft_rule_expr type instead of nft_expr_match type.

The nft_rule_expr type is needed to check information in flags variables.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Code refactoring to use nft_rule_expr_set_* in parse functions.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

It changes the parse and the snprintf functions to omit unset values.

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>