summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* set: add json outputÁlvaro Neira Ayuso2013-07-062-4/+103
| | | | | | | This patch allows you to dump set and their content in json format. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix printing of key and data registersPablo Neira Ayuso2013-07-061-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expr: data_reg: fix printing data register contentPablo Neira Ayuso2013-07-052-6/+6
| | | | | | | | | | | | | | | | | Before: ip filter output 41 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 ] Now: ip filter output 41 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] ^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve default text outputGiuseppe Longo2013-07-0521-59/+86
| | | | | | | | | | | | | This patch improves default plain text output by mimicing the default output of libnl-nft. While at it, several %lu has been translated to use %"PRIu64" for correctness. [ I have added the policy to string translation --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: fix compilation without XML parsing enabledPablo Neira Ayuso2013-07-042-0/+6
| | | | | | | | Since (d844fa0 src: consolidate XML parsing of expressions via nft_mxml_expr_parse), the library was not compiling with XML support anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate XML parsing of expressions via nft_mxml_reg_parsePablo Neira Ayuso2013-07-0411-202/+102
| | | | This patch reduces the XML code in 100 LOC.
* src: consolidate XML parsing of expressions via nft_mxml_expr_parsePablo Neira Ayuso2013-07-0420-431/+130
| | | | | | | | | Move common code for XML parsing of expressions to the new nft_mxml_expr_parse function. This patch reduces the XML parsing code in 300 LOC. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: ct: fix setting of NFT_EXPR_CT_DIRArturo Borrero Gonzalez2013-07-041-1/+1
| | | | | Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support JSON format in chain, rule and expressionsÁlvaro Neira Ayuso2013-06-2920-42/+401
| | | | | | | While at it, order possible switch cases of _snprintf. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: rename type node to exthdr_typeArturo Borrero Gonzalez2013-06-271-3/+5
| | | | | | | This patch renames the <type> node in the exthdr expr to <exthdr_type>. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: rename node type to nat_typeArturo Borrero Gonzalez2013-06-271-4/+4
| | | | | | | | | This patch renames the node <type> to a more explicit <nat_type>. This will prevent in the future from confusing other <type> nodes from other exprs. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: snprintf: fix buffer offsetArturo Borrero Gonzalez2013-06-271-3/+3
| | | | | | | This patch fix the buffer offset necesary to print correctly the nat expr in a default output mode. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: xml: use string to represent key attributeArturo Borrero Gonzalez2013-06-271-5/+49
| | | | | | | Use a string for <key> node instead of a number. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: use string for type nodeArturo Borrero Gonzalez2013-06-271-5/+47
| | | | | | | This patch implements using a string for the <type> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: xml: use string for base attributeArturo Borrero Gonzalez2013-06-271-9/+46
| | | | | | | This patch implements using a string instead of a number for the <base> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* target&match: xml: don't print rev numberArturo Borrero Gonzalez2013-06-272-36/+2
| | | | | | | | The <rev> node is not printed/parsed anymore. It should not be exported, this is negotiated with the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: xml: display register in big endianArturo Borrero Gonzalez2013-06-271-3/+5
| | | | | | | | | | Display registers in big endian, so the output will be the same in different endianness CPU. <data>0xaabbccdd</data> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: xml: fix len node, it should show byte lengthArturo Borrero Gonzalez2013-06-271-7/+6
| | | | | | | | Previous to this patch, the <len> node was 'how many <dataN> nodes we have'. However, the <len> node means 'how many bytes are in <dataN> nodes'. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: xml: use string for policyArturo Borrero Gonzalez2013-06-271-16/+35
| | | | | | | Now the <policy> node is using "accept" or "drop". Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: xml: fix mandatory elementsArturo Borrero Gonzalez2013-06-271-40/+55
| | | | | | | | | | | | | | | | According to net/netfilter/nft_exthdr.c: nft_exthdr_init(), all of dreg, type, offset and len are mandatory: if (tb[NFTA_EXTHDR_DREG] == NULL || tb[NFTA_EXTHDR_TYPE] == NULL || tb[NFTA_EXTHDR_OFFSET] == NULL || tb[NFTA_EXTHDR_LEN] == NULL) return -EINVAL; So the XML parser must make sure the equivalent nodes exists. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: xml: use key names instead of numbersArturo Borrero Gonzalez2013-06-271-7/+48
| | | | | | | ct expr uses a string instead of a numerical one in the <key> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: xml: add extra dir checkArturo Borrero Gonzalez2013-06-271-0/+6
| | | | | | | | | | | | | This patch adds an extra dir check. 0 means original. 1 means a reply. Pablo decided not to include nf_conntrack_tuple_common.h, instead internally defined them. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix node names for sreg_addr_{min|max}Arturo Borrero Gonzalez2013-06-271-6/+6
| | | | | | | | | This patch changes the name of XML nodes from <sreg_addr_min_v4> to <sreg_addr_min>, and <sreg_addr_max_v4> to <sreg_addr_max>, as they are register numbers, not addresses, so they are protocol independent. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: change nat types string to dnat/snatArturo Borrero Gonzalez2013-06-271-14/+11
| | | | | | | | This patch replaces the string NFT_NAT_{S|D}NAT with {s|d}nat in the <type> node. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: xml: convert family values to stringArturo Borrero2013-06-277-40/+93
| | | | | | | | | | | | This patch translates family values to display a string: * ip if AF_INET * ip6 if AF_INET6 * bridge if AF_BRIDGE * arp if 0 Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add hooknum2strArturo Borrero Gonzalez2013-06-271-9/+27
| | | | | | | | | This patch translates the Netfilter hooknumber to a readable string. Useful for printing and parsing in XML and JSON formats. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* byteorder: xml: op as stringArturo Borrero2013-06-271-7/+16
| | | | | | This patch changes the numerical value of the XML byteorder's <op> node to a string representation. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* expr: xml: registers must be <= NFT_REG_MAXArturo Borrero Gonzalez2013-06-279-0/+54
| | | | | | | With this patch, all expressions validate that registers are <= NFT_REG_MAX. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: xml: mask and xor use same number of data registersArturo Borrero Gonzalez2013-06-271-0/+8
| | | | | | | The mask and xor must use the same number of data registers. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: xml: conditional display of compat infoArturo Borrero Gonzalez2013-06-271-29/+30
| | | | | | | | The compat XML info is now conditional both when printing and parsing. It is only used by iptables-nftables. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add nft_set_elem_attr_set_strPablo Neira Ayuso2013-06-211-0/+6
| | | | | | | It was not implemented, it was defined in the header anf map files though. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_snprintfPablo Neira Ayuso2013-06-193-2/+16
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix nft_set_elem_attr_get with NFT_SET_ELEM_ATTR_CHAINPablo Neira Ayuso2013-06-191-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix wrong flags setting in nft_set_elems_parse2Pablo Neira Ayuso2013-06-191-3/+4
| | | | | | Set element object flags instead of set flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add missing set/unset support for NFT_SET_ATTR_DATA_[TYPE|LEN]Pablo Neira Ayuso2013-06-192-2/+10
| | | | | | While at it, use fixed length uint32_t instead of size_t. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: xml: don't print target and match infoArturo Borrero2013-06-182-22/+2
| | | | | | | | This is binary layout of the iptables target/match, we can do nothing with it at this moment. Let's get rid of it. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: xml: delete trailing spaceArturo Borrero2013-06-171-1/+1
| | | | | | | This patch fixes a trailing space in rule xml_snprintf. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix crash during parsing if non-mandatory element is not presentArturo Borrero Gonzalez2013-06-171-4/+4
| | | | | Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: xml: fix wrong offset in snprintfArturo Borrero2013-06-171-4/+6
| | | | | | | | This patch fixes the buffer offset of the nat snprintf function so elements are properly printed. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: bitwise: xml: fix wrong castingArturo Borrero2013-06-171-1/+1
| | | | | | | Introduced in (51370f0 src: add support for XML parsing) Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix nft_set_attr_get with NFT_SET_ATTR_KEY_FLAGSPablo Neira Ayuso2013-06-171-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix wrong flags set for NFT_SET_ELEM_ATTR_FLAGSPablo Neira Ayuso2013-06-171-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: set NFT_*_ATTR_FAMILY in nft_*_parse functionPablo Neira Ayuso2013-06-173-0/+8
| | | | | | This attribute was not approapriately set in most cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: fix nft_chain_attr_set_strPablo Neira Ayuso2013-06-171-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify first parameter of all nft_*_getPablo Neira Ayuso2013-06-1718-26/+37
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFT_SET_ATTR_FAMILYPablo Neira Ayuso2013-06-172-0/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_attr_is_setPablo Neira Ayuso2013-06-177-0/+42
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_foreachPablo Neira Ayuso2013-06-176-0/+103
| | | | | | This patch adds a simplied iterator interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add limitPablo Neira Ayuso2013-06-133-0/+216
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add byteorderPablo Neira Ayuso2013-06-123-0/+351
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>