path: root/src
* Makefile: internal.h now resides in include
  Author: Pablo Neira Ayuso | Date: 2015-02-19 | Files: 1 | Lines: -2/+1

  Remove reference to the former internal.h under src/

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: split internal.h in smaller files
  Author: Pablo Neira Ayuso | Date: 2015-02-17 | Files: 31 | Lines: -406/+6

  The internal.h file started being a small file with private definitions. Its size has been increasing over time more and more, so let's split this in small header files that map to the corresponding class where the functions belong.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: fix more leaks in error path
  Author: Pablo Neira Ayuso | Date: 2015-02-13 | Files: 1 | Lines: -5/+10

  Shouldn't happen though, since you need to introduce an unsupported markup language.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: fix leak in json/xml in set lists
  Author: Alvaro Neira | Date: 2015-02-13 | Files: 1 | Lines: -10/+14

  ==18632== 285 (16 direct, 269 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
  ==18632==    at 0x4C272B8: calloc (vg_replace_malloc.c:566)
  ==18632==    by 0x5043822: nft_set_list_alloc (set.c:977)
  ==18632==    by 0x5045483: nft_ruleset_json_parse (ruleset.c:442)
  ==18632==    by 0x50458BE: nft_ruleset_do_parse (ruleset.c:696)
  ==18632==    by 0x408AEC: do_command (rule.c:1317)
  ==18632==    by 0x406B05: nft_run (main.c:194)
  ==18632==    by 0x40667C: main (main.c:360)

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: don't release the tree parameter from nft_jansson_parse_rule()
  Author: Alvaro Neira | Date: 2015-02-13 | Files: 1 | Lines: -3/+5

  We release the tree that we receive as a parameter in nft_jansson_parse_rule. With this patch, we're going to release the tree where we create it. Therefore, we will have code that is more traceable and readable.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add missing include in utils.c
  Author: Pablo Neira Ayuso | Date: 2015-02-10 | Files: 1 | Lines: -0/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support to import JSON/XML with the new command tag
  Author: Alvaro Neira Ayuso | Date: 2015-02-10 | Files: 5 | Lines: -313/+521

  This patch adds support to parse the new command tag in XML/JSON. This patch adds two new functions:

  * nft_ruleset_parse_file_cb
  * nft_ruleset_parse_buffer_cb

  The idea is that the callback function that is passed as parameter is called for each object that is parsed from the corresponding input. Each callback has access to the nft_parse_ctx structure that provides the necessary context such as the command, the object type and the object itself.

  This change also adds support to update the content of a set incrementally.

  {"nftables":[{"add":[{"element":{"name":"blackhole","table":"filter",
  "family":"ip","key_type":7,"key_len":4,"set_elem":[{"key":{
  "reg":{"type":"value","len":4,"data0":"0x0403a8c0"}}}]}}]}]}

  This patch also consolidates the xml/json ruleset import path.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add command tag in JSON/XML export support
  Author: Alvaro Neira Ayuso | Date: 2015-02-10 | Files: 11 | Lines: -104/+234

  Currently, we can't do incremental updates via JSON/XML. This patch enriches the existing output to indicate the kind of update that you want to perform. So, if we have a ruleset like:

  table ip filter {
          chain input {
                  type filter hook input priority 0;
          }
  }

  The new output looks like:

  {"nftables":[{"add":[{"table":{"name":"filter",...}}]}]}
                ^^^^^

  Where we explicitly indicate that we want to add a table.

  We support all the actions that we can do with nft, they are:

  - Add, delete and flush tables and chains.
  - Add, delete, replace and insert rules.
  - Add and delete sets.
  - Add and delete set elements.
  - Flush ruleset.

  You only need to add the command tag:

  {"nftables":[{"delete":[{...}, {...},...}]}]}
                ^^^^^^^^

  The possible command tags that you can use are "add", "delete", "insert", "replace" and "flush".

  - Flush table or chain, eg.:

  {"nftables":[{"flush":[{"table":{"name":...}}]}]}

  - Delete table, chain, set or rule:

  {"nftables":[{"delete":[{"chain":{"name":...}]}]}

  - Replace a rule (you have to specify the handle):

  {"nftables":[{"replace":[{"rule":{...}}]}]}

  - Insert a rule:

  {"nftables":[{"insert":[{"rule":{...}}]}]}

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* buffer: fix missing XML string tag in nft_buf_close
  Author: Alvaro Neira Ayuso | Date: 2015-02-10 | Files: 1 | Lines: -1/+1

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: refactor code in json parse function
  Author: Alvaro Neira | Date: 2015-01-29 | Files: 1 | Lines: -7/+15

  This patch refactors code to parse the set in two functions nft_jansson_parse_set_info and nft_jansson_parse_set. These changes are used in follow up patches.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: refactor nft_ruleset_*_parse_ruleset()
  Author: Alvaro Neira | Date: 2015-01-15 | Files: 1 | Lines: -20/+38

  Refactor the ruleset element parsing function calls in xml/json so that those calls are made in the functions nft_ruleset_*_parse_ruleset. This patch is used in follow up patches.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't create iterator with empty list
  Author: Alvaro Neira | Date: 2015-01-15 | Files: 5 | Lines: -6/+44

  Currently, we create the iterator without testing if the list is empty. If the list is empty, we have a crash when we set up the current element. With this patch, we test if the list is empty before creating the iterator. If the list is empty, the iterator returns NULL.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: clean up the variable names in the xml/json parsing functions
  Author: Alvaro Neira | Date: 2015-01-10 | Files: 1 | Lines: -50/+50

  Rename variables to use more intuitive names like table, chain, rule or set.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* buffer: include stdarg header
  Author: Giuseppe Longo | Date: 2014-11-20 | Files: 1 | Lines: -0/+1

  This fixes the following warnings:

  buffer.c: In function 'nft_buf_put':
  buffer.c:53:2: warning: implicit declaration of function 'va_start' [-Wimplicit-function-declaration]
    va_start(ap, fmt);
    ^
  buffer.c:56:2: warning: implicit declaration of function 'va_end' [-Wimplicit-function-declaration]
    va_end(ap);
    ^

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: data_reg: use 'reg' instead of 'data_reg'
  Author: Pablo Neira Ayuso | Date: 2014-11-10 | Files: 4 | Lines: -25/+14

  data_reg is an unnecessarily long name and it always has to be wrapped by another data node. This will allow us to represent data not only as registers if needed.

  Get rid of 'cmpdata' and 'immediatedata' too and use 'data' instead to wrap 'reg' so these are consistent with the bitwise expression. No reason for such a specific tag per expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate XML/JSON exportation
  Author: Pablo Neira Ayuso | Date: 2014-11-10 | Files: 23 | Lines: -1203/+485

  Add new buffer class to consolidate the existing code to export objects in XML/JSON and use it. We save ~700 LOC with this change.

  The rule and set objects are not yet consolidated. It seems this would require some specific glue code per representation type since lists are arranged differently.

  This also consolidates the tag names, so we make sure the same are used from XML and JSON by placing them in include/buffer.h.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: nat: use 'nat_type' instead of 'type' in the parser
  Author: Pablo Neira Ayuso | Date: 2014-11-10 | Files: 1 | Lines: -1/+1

  'type' is already used from the expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Add cgroup support
  Author: Ana Rey | Date: 2014-11-10 | Files: 1 | Lines: -1/+2

  The kernel support was added in the commit:

  netfilter: nft_meta: add cgroup support

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* remove empty src/attr.c
  Author: Pablo Neira Ayuso | Date: 2014-11-10 | Files: 1 | Lines: -0/+0

  This empty file slipped through the repository, remove it.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for nft_redir expression
  Author: Arturo Borrero | Date: 2014-10-30 | Files: 2 | Lines: -0/+304

  This patch adds support for the new nft_redir expression.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: deconstify _get interface
  Author: Arturo Borrero | Date: 2014-10-24 | Files: 1 | Lines: -1/+1

  Having this interface return a const pointer makes it very hard to modify the content of a chain contained in a nft_ruleset.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: fix arp family number
  Author: Arturo Borrero | Date: 2014-10-21 | Files: 1 | Lines: -23/+20

  NFPROTO_ARP = 3 in kernel space. We need the same value here in userspace in order to correctly communicate with the kernel.

  The failure solved by this patch made {XML|JSON}-parsed tables of the ARP family unable to be directly injected into the kernel.

  To prevent future errors, this patch changes raw and AF_* values by the matching NFPROTO_* counterpart as seen in linux/netfilter.h in both functions:

  * nft_family2str()
  * nft_str2family()

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix compilation without xml/json support
  Author: Pablo Neira Ayuso | Date: 2014-10-11 | Files: 1 | Lines: -0/+2

  Fixes: c04175e ("src: internal set id allocation from nft_ruleset_parse*()")

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: cleanup in mxml and jansson regarding set_id parsing
  Author: Arturo Borrero | Date: 2014-10-11 | Files: 2 | Lines: -4/+4

  jansson.c: In function 'nft_jansson_expr_parse':
  jansson.c:212:6: warning: pointer targets in passing argument 3 of 'nft_set_lookup_id' differ in signedness [-Wpointer-sign]
  In file included from jansson.c:10:0:
  ./internal.h:95:5: note: expected 'uint32_t *' but argument is of type 'int *'
  jansson.c:195:18: warning: unused variable 'set_cur' [-Wunused-variable]
  mxml.c: In function 'nft_mxml_expr_parse':
  mxml.c:97:6: warning: pointer targets in passing argument 3 of 'nft_set_lookup_id' differ in signedness [-Wpointer-sign]
  In file included from mxml.c:12:0:
  internal.h:95:5: note: expected 'uint32_t *' but argument is of type 'int *'
  mxml.c:68:18: warning: unused variable 'set_cur' [-Wunused-variable]

  Spotted with: gcc (Debian 4.7.2-5) 4.7.2

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: internal set id allocation from nft_ruleset_parse*()
  Author: Alvaro Neira | Date: 2014-10-09 | Files: 6 | Lines: -22/+95

  Extends this function to attach the set to the rule through the set_id. If it doesn't exist in the list, maybe the set already exists in the kernel. In that case, we don't set any id.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: add set id to parsed sets
  Author: Alvaro Neira | Date: 2014-10-09 | Files: 1 | Lines: -0/+4

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: masq: optional printing of flags attr in snprintf_default
  Author: Arturo Borrero | Date: 2014-10-03 | Files: 1 | Lines: -2/+4

  The flags attribute is optional. Thus we should print it only if it was originally set.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ruleset generation class
  Author: Pablo Neira Ayuso | Date: 2014-09-19 | Files: 3 | Lines: -0/+214

  The generation object currently only contains the uint32_t that indicates the generation ID. I could have just added the API to return the uint32_t ID instead, but I think this API is easier to extend without adding new APIs. We can probably include meaningful statistics in the generation message in the future without much hassle.

  This patch also extends examples/nft-events.c.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix set nlmsg desc parsing
  Author: Arturo Borrero | Date: 2014-09-18 | Files: 1 | Lines: -20/+2

  In commit ff62959 ("set: add support for set mechanism selection") the support for parsing the nested attribute (NFTA_SET_DESC) was incorrect.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nft_fprintf: prevent an empty buffer from being printed
  Author: Arturo Borrero | Date: 2014-09-16 | Files: 1 | Lines: -2/+2

  If the snprintf_cb() printed 0 characters, no \0 exists in the buffer. Also, in that case fprintf() is meant to print nothing, so we can just exit.

  This patch addresses new cases of textual output by libnftnl with trash.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add new nft_masq expression
  Author: Arturo Borrero | Date: 2014-09-09 | Files: 2 | Lines: -0/+209

  This patch adds userspace support to nft_masq, the new expression to perform masquerade.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: nat: add support for the new flags attribute
  Author: Arturo Borrero | Date: 2014-09-09 | Files: 1 | Lines: -3/+45

  This patch adds support for the new flags attribute in the nft_nat expression.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* expr: meta: Add devgroup support
  Author: Ana Rey | Date: 2014-09-03 | Files: 1 | Lines: -1/+3

  The kernel support was added in commit:

  netfilter: nf_tables: add devgroup support in meta expresion

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of cached copies of x_tables.h and xt_LOG.h
  Author: Pablo Neira Ayuso | Date: 2014-08-31 | Files: 2 | Lines: -2/+6

  Keeping the full cached copy of the x_tables.h file in tree is too much for just the XT_EXTENSION_MAXNAMELEN constant. Similarly, xt_LOG.h is not actually required by the tests, we can use whatever synthetic data to make sure the setter and getter provide the same result.

  So, let's get rid of these headers from the library tree.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix printing of XML/JSON event wrapper header/footer
  Author: Arturo Borrero | Date: 2014-08-25 | Files: 1 | Lines: -16/+18

  Use the nft_fprintf() helper. The helper handles \0 properly.

  Before this patch, we get trash in the output due to the buffer being printed without any \0.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Add cpu support for meta expression
  Author: Ana Rey | Date: 2014-08-24 | Files: 1 | Lines: -2/+3

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Add pkttype support
  Author: Ana Rey | Date: 2014-08-24 | Files: 1 | Lines: -1/+2

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: define xfree() as macro
  Author: Pablo Neira Ayuso | Date: 2014-08-20 | Files: 2 | Lines: -7/+2

  Original description from Thomas Petazzoni:

  When ELF binaries and shared libraries are used, the internal functions of libnftnl such as xfree() are not visible to the outside world (their visibility is 'hidden'). Therefore, the fact that other programs (especially nftables) may have symbols with the same name does not cause any problem.

  However, when doing static linking on a non-ELF platform (such as Blackfin, which uses the FLAT binary format), there is no way of encoding this visibility. Therefore, the xfree() symbols of libnftnl become visible to the outside world, causing a conflict with the xfree() symbol defined by nftables.

  To solve this, this patch converts xfree to a macro instead of a function.

  Reported-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: use proper free function
  Author: Arturo Borrero | Date: 2014-08-18 | Files: 1 | Lines: -1/+1

  Let's use the proper free function to liberate the set_elem, so we avoid potential memory leaks.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: add batching interfaces
  Author: Pablo Neira Ayuso | Date: 2014-08-14 | Files: 2 | Lines: -0/+93

  This patch adds the following new interfaces:

  int nft_batch_is_supported(void);
  void nft_batch_begin(char *buf, uint32_t seq);
  void nft_batch_end(char *buf, uint32_t seq);

  Quite likely this is going to be reused by third party applications requiring to put things in the batch. We already have potential clients for this code in nft and iptables-compat.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add nft_set_elems_nlmsg_build_payload_iter()
  Author: Pablo Neira Ayuso | Date: 2014-07-25 | Files: 2 | Lines: -11/+76

  This new interface allows you to put as many set elements as possible into a netlink message. The iterator stores the last element that has fit into a netlink message, so you can continue adding more set elements across several netlink messages.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add support for set mechanism selection
  Author: Arturo Borrero | Date: 2014-07-24 | Files: 2 | Lines: -3/+165

  This patch adds support to select the set mechanism.

  The kernel support was added in commit:

  c50b960 netfilter: nf_tables: implement proper set selection

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: stricter netlink attribute length validation
  Author: Pablo Neira Ayuso | Date: 2014-07-20 | Files: 26 | Lines: -229/+128

  If the kernel sends us different data length for a given attribute, stop further processing and indicate that an ABI breakage has occurred.

  This is an example of the (hypothetical) message that is shown in that case:

  nf_tables kernel ABI is broken, contact your vendor.
  table.c:214 reason: Numerical result out of range

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: define variable flags in xml parser
  Author: Álvaro Neira Ayuso | Date: 2014-07-15 | Files: 1 | Lines: -1/+1

  In the xml parser, we have used a variable flags for parsing it but we forgot to define it. This patch solves a compile error like:

  expr/log.c:263:12: error: 'flags' undeclared (first use in this function)

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: add support for level and flags
  Author: Pablo Neira Ayuso | Date: 2014-07-01 | Files: 1 | Lines: -6/+85

  This is required by changes scheduled for Linux kernel 3.17.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Do not print unset attributes in json
  Author: Ana Rey | Date: 2014-06-30 | Files: 1 | Lines: -71/+95

  It changes the parse and snprintf functions to omit unset values.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Rename variables in nft_jansson_parse_chain functions
  Author: Ana Rey | Date: 2014-06-30 | Files: 1 | Lines: -32/+32

  Renames some variables for code readability reasons.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Do not print unset attributes in xml
  Author: Ana Rey | Date: 2014-06-30 | Files: 1 | Lines: -46/+77

  It changes the parse and snprintf functions to omit unset values.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Add all support of use attribute
  Author: Ana Rey | Date: 2014-06-30 | Files: 1 | Lines: -6/+18

  Add set, unset, get, parse and build payload implementation for use value. These changes are needed for a correct import/export of xml/json file.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: Do not print unset values in json file
  Author: Ana Rey | Date: 2014-06-30 | Files: 1 | Lines: -22/+42

  It changes the parse and snprintf functions to omit unset values.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>