path: root/src
Commit message | Author | Age | Files | Lines
* expr: add conntrack label match support | Florian Westphal | 2014-02-18 | 1 | -2/+3

    Signed-off-by: Florian Westphal <fw@strlen.de>
* src: compile queue expression support | Pablo Neira Ayuso | 2014-02-17 | 2 | -8/+14

    This got lost in 29fd6a1df9 when merging major changes in master to next-3.14.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: print usage counter for base chain via default output as well | Pablo Neira Ayuso | 2014-02-11 | 1 | -4/+4

    For some reason this was only printed in custom chains. Print it for any chain; this is useful for debugging purposes.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' into next-3.14 | Pablo Neira Ayuso | 2014-02-03 | 34 | -746/+1275

    This patch includes changes to adapt this branch to the library rename that happened in the master branch.

    Conflicts:
        src/Makefile.am
        src/expr/cmp.c
        src/expr/ct.c
        src/expr/data_reg.c
        src/expr/meta.c
        tests/jsonfiles/01-table.json
        tests/jsonfiles/02-table.json
        tests/jsonfiles/64-ruleset.json
        tests/xmlfiles/01-table.xml
        tests/xmlfiles/02-table.xml
| * build: resolve build failure involving linux/netlink.h | Jan Engelhardt | 2014-01-21 | 1 | -1/+2

    This was seen with a sufficiently-old /usr/include/linux (from Linux 2.6.32).

    In file included from common.c:10:
    /usr/include/linux/netlink.h:34: error: expected specifier-qualifier-list before 'sa_family_t'

    The solution is to include <linux/*> last of all system headers.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * rename library to libnftnl (tag: libnftnl-1.0.0) | Pablo Neira Ayuso | 2014-01-20 | 30 | -94/+94

    We plan to use this library name for the higher layer library.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * expr: ct: fix compilation warning when json/xml support is missing | Pablo Neira Ayuso | 2014-01-20 | 1 | -1/+1

      CC       expr/ct.lo
    expr/ct.c:194:12: warning: 'str2ctdir' defined but not used [-Wunused-function]

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * ct: use a string with 'dir' attribute | Arturo Borrero | 2014-01-18 | 1 | -11/+48

    This patch implements a string to represent directions in the CT expression:

    * original (0)
    * reply (1)

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * data_reg: fix verdict format approach | Arturo Borrero | 2014-01-18 | 3 | -96/+108

    Patrick reports that the XML/JSON formats of the data_reg object are not accurate.

    This patch updates these formats, so they are now as follows:

    * <data_reg type=value> with raw data (this doesn't change).
    * <data_reg type=verdict> with a concrete verdict (eg drop accept) and an optional <chain>, with destination.

    In XML:

        <data_reg type="verdict">
            <verdict>goto</verdict>
            <chain>output</chain>
        </data_reg>

    In JSON:

        "data_reg" : {
            "type" : "verdict",
            "verdict" : "goto",
            "chain" : "output"
        }

    The default output format is updated to reflect these changes (minor collateral thing).

    When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN flag, a basic check for the chain not being NULL is done, instead of evaluating if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol is no longer used in the data_reg XML/JSON parsing zone.

    While at it, I updated the error reporting stuff regarding data_reg/verdict, in order to leave a consistent state in the library.

    A JSON testfile is updated as well.

    Reported-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * utils: fix nft_str2verdict return value | Arturo Borrero | 2014-01-18 | 4 | -21/+39

    Some verdicts have a negative value. The caller of nft_str2verdict() checking if the return value was < 0 clashes with enum nft_verdict.

    While at it, add error reporting of invalid verdicts.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * expr: meta: statify meta_key2str_array | Pablo Neira Ayuso | 2014-01-17 | 1 | -1/+1

    It's not used outside the scope of expr/meta.c

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * expr: ct: direction is optional | Arturo Borrero | 2014-01-17 | 1 | -16/+46

    The 'dir' attribute is optional as stated in the kernel sources.

    Prior to this patch, using XML/JSON to manage this expr produced some undefined and erroneous behaviours.

    While at it, fix also the default output format.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * expr: ct: fix missing NFT_CT_L3PROTOCOL in ctkey2str_array | Arturo Borrero | 2014-01-16 | 1 | -0/+1

    Due to missing NFT_CT_L3PROTOCOL key in ctkey2str_array, a segfault is produced when the str2ctkey() loop reaches that position, since strcmp() will try to compare a NULL value.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * lookup: xml: conditional output of dreg | Arturo Borrero | 2014-01-15 | 1 | -13/+30

    The dreg attribute is optional as stated at: linux/net/netfilter/nft_lookup.c

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * mxml: add optional/mandatory flag to nft_mxml_reg_parse | Arturo Borrero | 2014-01-15 | 12 | -57/+64

    There are some cases where a reg is not mandatory, for example:

    * dreg in lookup
    * dreg/sreg in meta (last version)

    So, let's change the function nft_mxml_reg_parse() to add an optional/mandatory flag.

    dreg in lookup is optional as stated at: net/netfilter/nft_lookup.c:nft_lookup_init()

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * set: xml: data_type/data_len are optional | Arturo Borrero | 2014-01-15 | 1 | -13/+20

    Don't print data_type and data_len if they aren't set. Also, they are optional when parsing.

    Printing and parsing unconditionally leads to false values and other errors.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * expr: fix incorrect data type for several expression object fields | Pablo Neira Ayuso | 2014-01-10 | 5 | -11/+11

    This patch fixes the incorrect data type (from uint8_t to uint32_t) in several private data areas of the expressions. It also cleans this up by translating several unsigned int to uint32_t.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: add interface to parse from file | Arturo Borrero | 2014-01-09 | 10 | -2/+59

    This patch adds a new API to parse rule-set expressed in XML/JSON from a file.

    A new enum nft_parse_input type is added for this purpose.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: rework and generalize the build/parse system | Arturo Borrero | 2014-01-09 | 9 | -72/+141

    The intention behind this patch is to prepare the introduction of the new API that will allow us to parse files that contain the rule-sets expressed in XML/JSON format.

    This adds the NFT_PARSE_BUFFER that indicates that the input is provided in a buffer, which is what we currently support.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * set_elem: add json parsing to API | Arturo Borrero | 2014-01-08 | 4 | -5/+27

    Add missing support in the API function to parse a JSON set_elem.

    I've renamed the main JSON parsing function to prevent clashing.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * mxml: add error reference of the top node | Arturo Borrero | 2014-01-08 | 1 | -2/+5

    We know the top node we are building. Let the user also know it.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: new error reporting approach for XML/JSON parsers | Álvaro Neira Ayuso | 2014-01-06 | 31 | -380/+640

    I have added a new structure for reporting some errors in parser that we can't cover with errno.

    In this patch, we have three errors that we can't cover with errno:

    NFT_PARSE_EBADINPUT    : Bad XML/JSON format in the input
    NFT_PARSE_EMISSINGNODE : Missing node in our input
    NFT_PARSE_EBADTYPE     : Wrong type value in a node

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: rename the parameter tag to node_name in jansson function | Álvaro Neira Ayuso | 2014-01-03 | 2 | -24/+28

    I have changed this parameter for consistency with the xml helper function. This patch is a cleanup.

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | expr: ct: Add support for setting the mark | Kristian Evensen | 2014-01-15 | 1 | -26/+101

    This patch adds userspace support for setting properties of tracked connections. Currently, the connection mark is supported. This can be used to implement the same functionality as iptables -j CONNMARK --save-mark.

    Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | meta: Let user specify any combination of sreg/dreg | Kristian Evensen | 2014-01-15 | 1 | -32/+59

    libnftables should not mask kernel errors. Let user specify any combination of parameters and leave the error-checking to the kernel. The kernel will return -EINVAL and users will know that they have to fix their code.

    This patch also removes a redundant variable that was passed to the snprintf-functions (flag).

    A second iteration might be needed. I was not sure how to deal with snprintf_default in the case of both sreg and dreg.

    Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | expr/cmp: fix type size | Patrick McHardy | 2014-01-15 | 2 | -5/+5

    Since nftables now uses nft_rule_expr_get_u32(), the internal size must also be a uint32_t.

    Fixes complete breakage of any cmp or meta expression.

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* | src: fix compilation due to missing NFPROTO_INET definition | Pablo Neira Ayuso | 2014-01-10 | 1 | -4/+3

    This adds a copy of the include/linux/netfilter.h kernel header that defines NFPROTO_INET, so libnftables compiles with relatively old kernel headers in the system.

    chain.c: In function 'nft_hooknum2str':
    chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)

    This required reordering and removing unneeded headers in src/expr/data_reg.c to avoid a compilation warning due to redefinition of __visible.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libnftables: add support for inet family and meta nfproto/l4proto expressions | Patrick McHardy | 2014-01-08 | 3 | -1/+8

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* | src: update meta expr | Arturo Borrero | 2013-12-26 | 1 | -24/+92

    This patch adds userspace support for the meta expression in the set flavour.

    This expression indicates that the packet has to be set with a property, currently one of mark, priority or nftrace.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | table: Add support for NFTA_TABLE_USE attribute | Tomasz Bursztyka | 2013-12-17 | 1 | -6/+29

    This adds support for table's attribute "use" which lets us know how many chains are in the table, if any.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | expr: add support for nfnetlink queue | Eric Leblond | 2013-12-04 | 2 | -0/+255

    This patch adds support for the queue target.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate netlink build header function | Pablo Neira Ayuso | 2013-11-24 | 8 | -110/+39

    Add new function nft_nlmsg_build_hdr which consolidates all existing functions to build headers per object. They basically look the same.

    This patch still provides aliases for consistency in the naming approach.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table/chain: add u8 setter and getter for family values | Ana Rey | 2013-11-20 | 3 | -0/+30

    These are needed to set the family value for chain and table.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix wrong attribute type in nft_rule_expr_log_parse | Ana Rey | 2013-11-19 | 1 | -1/+1

    I fixed it by using the correct value.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Acked-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: target: fix wrong info length in nft_rule_expr_target_parse | Ana Rey | 2013-11-19 | 1 | -1/+1

    If I run my automatic unit test of libnftables, it shows:

    ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36

    The problem was in nft_rule_expr_target_parse function. With the attached patch, we use mnl_attr_get_payload_len() instead of mnl_attr_get_len().

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix missing \0 when sending log prefix to kernel | Ana Rey | 2013-11-19 | 1 | -1/+1

    If I run my automatic unit test for libnftables, it shows:

    "ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
    a: test
    b: test
           ^^ garbage

    The problem was in nft_rule_expr_log_build function. With the attached patch, we use mnl_attr_put_strz() instead of mnl_attr_put_str() as in other functions in the library.

    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: release prefix | Pablo Neira Ayuso | 2013-11-18 | 1 | -0/+8

    Ana Rey reported a leak in the log expression. Fix it by using the new .free interface added in (3cf788a expr: fix leak in target and match expressions).

    Reported-by: Ana Rey Botello <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: match: fix wrong flag setting in nft_rule_expr_match_parse | Pablo Neira Ayuso | 2013-11-18 | 1 | -3/+3

    Expression flags were incorrectly set.

    Reported-by: Ana Rey Botello <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix make distcheck | Pablo Neira Ayuso | 2013-11-18 | 1 | -0/+2

    Fix missing files that were not included in the tarball that distcheck generates.

    This also includes AC_EXEEXT, otherwise configure complains about undefined CHECK_GCC_FVISIBILITY.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix leak in target and match expressions | Pablo Neira Ayuso | 2013-11-18 | 4 | -0/+20

    Release internal data area for match and target expressions.

    ==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==30104==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
    ==30104==    by 0x400C2F: main (nft-expr_match-test.c:65)

    Reported-by: Ana Rey Botello <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unify parse and output types | Álvaro Neira Ayuso | 2013-11-14 | 23 | -121/+121

    Unify parse and output types that are redundant to all existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT] are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].

    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix a build issue on header inclusion in internal.h | Tomasz Bursztyka | 2013-11-05 | 1 | -0/+1

    Fixes:

    In file included from utils.c:11:0:
    ./internal.h:93:17: error: unknown type name 'FILE'
     int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags,
                     int (*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type, uint32_t flags));

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fprintf API functions | Arturo Borrero | 2013-11-03 | 9 | -0/+305

    Now it's possible to print directly from libnftables to a file or other stream.

    The caller must explicitly print the trailing '\n' in this call.

    The error reporting of fprintf (< 0) is respected. However, we have already printed some information in case that the default (plain text) output is used; that output is mostly intended for debugging so it should not be a problem.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: refactorize json/xml tagging | Arturo Borrero | 2013-11-03 | 1 | -53/+54

    This factorization of JSON/XML open & close tags allows reusing code in future patches (for example, the fprintf API functions).

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix possible null pointer dereference in nft_*_attr_get_* | Phil Oester | 2013-10-27 | 2 | -8/+8

    As reported by John Sager, nft_set_attr_get_u32 can cause a segfault because nft_set_attr_get can return NULL. Check for a non-NULL pointer before dereferencing.

    This closes netfilter bugzilla #868.

    [ I have mangled this patch to solve possible null pointer dereference with get operations with rule objects --pablo ]

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add reject | Pablo Neira Ayuso | 2013-10-27 | 2 | -0/+214

    This patch adds support for the reject expression.

    Tested-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove NFT_RULE_ATTR_FLAGS | Pablo Neira Ayuso | 2013-10-27 | 1 | -24/+2

    This is a leftover from the time we had per rule flags, obsoleted by the new rule batching approach. Kill it as it is unused.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: s/seconds/second/ | Florian Westphal | 2013-10-22 | 1 | -1/+1

    My fault, spotted by Phil Oester.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: limit: avoid huge rodata array | Pablo Neira Ayuso | 2013-10-22 | 1 | -8/+13

    commit 10e0890e ('src: operational limit match') creates a huge array, increasing libnftables binary size. Use a switch statement instead.

    Based on patch from Florian Westphal, for nft.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: operational limit match | Phil Oester | 2013-10-22 | 1 | -22/+29

    The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation:

    - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level??

    - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit.

    - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match.

    This closes netfilter bugzilla #827, reported by Eric Leblond.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>