From 4d6045630bb90182abf553df1b7f2764a24620b0 Mon Sep 17 00:00:00 2001
From: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Date: Wed, 22 May 2013 00:33:25 +0000
Subject: examples: XML parsing examples

Some code snipplets to add tables/chain/rules using the XML representation.

The examples contains:
 * A binary to parse/add the object using libnftables.
 * A shellscript to easily call that binary, doing some tests.
 * table/chain/rule sample XML file.

I included my name in new files, but I don't know if this is correct. Please let me know.

Instructions:
 $ cd examples/ ; make nft-table-xml-add
 # cd test/ ; ./nft-table-xml-add.sh

NOTE: Some kernel changes are required to allow reinsert exactly what is printed (handle handling, flags..)

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 test/nft-chain-xml-add.sh | 123 ++++++++++++++++++++++++++++++++++++++++++
 test/nft-rule-xml-add.sh  | 132 ++++++++++++++++++++++++++++++++++++++++++++++
 test/nft-table-xml-add.sh |  75 ++++++++++++++++++++++++++
 3 files changed, 330 insertions(+)
 create mode 100755 test/nft-chain-xml-add.sh
 create mode 100755 test/nft-rule-xml-add.sh
 create mode 100755 test/nft-table-xml-add.sh

(limited to 'test')

diff --git a/test/nft-chain-xml-add.sh b/test/nft-chain-xml-add.sh
new file mode 100755
index 0000000..d1bd839
--- /dev/null
+++ b/test/nft-chain-xml-add.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+#
+# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+
+# This is a small testbench for adding nftables chains to kernel
+# in XML format.
+
+BINARY="../examples/nft-chain-xml-add"
+NFT=$( which nft )
+MKTEMP=$( which mktemp)
+TMPFILE=$( $MKTEMP )
+
+if [ ! -x "$BINARY" ] ; then
+	echo "E: Binary not found $BINARY"
+	exit 1
+fi
+
+if [ ! -x "$MKTEMP" ] ; then
+	echo "E: mktemp not found and is neccesary"
+	exit 1
+fi
+
+if [ ! -w "$TMPFILE" ] ; then
+	echo "E: Unable to create temp file via mktemp"
+	exit 1
+fi
+
+[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT"
+
+XML="<chain name=\"test1\" handle=\"100\" bytes=\"123\" packets=\"321\" version=\"0\">
+        <properties>
+                <type>filter</type>
+                <table>filter</table>
+                <prio>0</prio>
+                <use>0</use>
+                <hooknum>2</hooknum>
+                <policy>1</policy>
+                <family>2</family>
+        </properties>
+</chain>"
+
+$NFT delete chain ip filter test1 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+	echo "E: Unable to add XML:"
+	echo "$XML"
+	exit 1
+fi
+
+# This is valid (as long as the table exist)
+XML="<chain name=\"test2\" handle=\"101\" bytes=\"59\" packets=\"1\" version=\"0\">
+	<properties>
+		<type>filter</type>
+		<table>filter</table>
+		<prio>1</prio>
+		<use>0</use>
+		<hooknum>4</hooknum>
+		<policy>1</policy>
+		<family>10</family>
+	</properties>
+</chain>"
+
+$NFT delete chain ip6 filter test2 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+	echo "E: Unable to add XML:"
+	echo "$XML"
+	rm -rf $TMPFILE 2>/dev/null
+	exit 1
+fi
+
+# This is valid (as long as the table exist)
+XML="<chain name=\"test3\" handle=\"102\" bytes=\"51231239\" packets=\"1123123123\" version=\"0\">
+	<properties>
+		<type>filter</type>
+		<table>filter</table>
+		<prio>0</prio>
+		<use>0</use>
+		<hooknum>4</hooknum>
+		<policy>1</policy>
+		<family>2</family>
+	</properties>
+</chain>"
+
+$NFT delete chain ip6 filter test3 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+	echo "E: Unable to add XML:"
+	echo "$XML"
+	rm -rf $TMPFILE 2>/dev/null
+	exit 1
+fi
+
+# This is invalid
+XML="<chain name=\"XXXX\" handle=\"XXXX\" bytes=\"XXXXXXX\" packets=\"XXXXXXX\" >
+		<properties>
+			<flags>asdasd</flags>
+			<type>filter</type>
+			<table>filter</table>
+			<prio>asdasd</prio>
+			<use>asdasd</use>
+			<hooknum>asdasd</hooknum>
+			<policy>asdasd</policy>
+			<family>asdasd</family>
+		</properties>
+	</chain>"
+
+if $BINARY "$XML" 2>/dev/null; then
+	echo "E: Accepted invalid XML:"
+	echo "$XML"
+	rm -rf $TMPFILE 2>/dev/null
+	exit 1
+fi
+
+rm -rf $TMPFILE 2>/dev/null
+echo "I: Test OK"
diff --git a/test/nft-rule-xml-add.sh b/test/nft-rule-xml-add.sh
new file mode 100755
index 0000000..426b975
--- /dev/null
+++ b/test/nft-rule-xml-add.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+#
+# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This is a small testbench for adding nftables rules to kernel
+# in XML format.
+
+BINARY="../examples/nft-rule-xml-add"
+NFT="$( which nft )"
+MKTEMP="$( which mktemp )"
+TMPFILE="$( $MKTEMP )"
+
+if [ ! -x "$BINARY" ] ; then
+	echo "E: Binary not found $BINARY"
+	exit 1
+fi
+
+if [ ! -x "$MKTEMP" ] ; then
+	echo "E: mktemp not found. Is mandatory."
+	exit 1
+fi
+
+if [ ! -w "$TMPFILE" ] ; then
+	echo "E: Unable to create tempfile with mktemp"
+	exit 1
+fi
+
+[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT"
+
+XML="<rule family=\"2\" table=\"filter\" chain=\"INPUT\" handle=\"100\" version=\"0\">
+  <rule_flags>0</rule_flags>
+  <flags>127</flags>
+  <compat_flags>0</compat_flags>
+  <compat_proto>0</compat_proto>
+  <expr type=\"meta\">
+    <dreg>1</dreg>
+    <key>4</key>
+  </expr>
+  <expr type=\"cmp\">
+    <sreg>1</sreg>
+    <op>eq</op>
+    <cmpdata>
+      <data_reg type=\"value\">
+        <len>1</len>
+        <data0>0x04000000</data0>
+      </data_reg>
+    </cmpdata>
+  </expr>
+  <expr type=\"payload\">
+    <dreg>1</dreg>
+    <base>1</base>
+    <offset>12</offset>
+    <len>4</len>
+  </expr>
+  <expr type=\"cmp\">
+    <sreg>1</sreg>
+    <op>eq</op>
+    <cmpdata>
+      <data_reg type=\"value\">
+        <len>1</len>
+        <data0>0x96d60496</data0>
+      </data_reg>
+    </cmpdata>
+  </expr>
+  <expr type=\"payload\">
+    <dreg>1</dreg>
+    <base>1</base>
+    <offset>16</offset>
+    <len>4</len>
+  </expr>
+  <expr type=\"cmp\">
+    <sreg>1</sreg>
+    <op>eq</op>
+    <cmpdata>
+      <data_reg type=\"value\">
+        <len>1</len>
+        <data0>0x96d60329</data0>
+      </data_reg>
+    </cmpdata>
+  </expr>
+  <expr type=\"payload\">
+    <dreg>1</dreg>
+    <base>1</base>
+    <offset>9</offset>
+    <len>1</len>
+  </expr>
+  <expr type=\"cmp\">
+    <sreg>1</sreg>
+    <op>eq</op>
+    <cmpdata>
+      <data_reg type=\"value\">
+        <len>1</len>
+        <data0>0x06000000</data0>
+      </data_reg>
+    </cmpdata>
+  </expr>
+  <expr type=\"match\">
+    <name>state</name>
+    <rev>0</rev>
+    <info>
+    </info>
+  </expr>
+  <expr type=\"counter\">
+    <pkts>123123</pkts>
+    <bytes>321321</bytes>
+  </expr>
+  <expr type=\"target\">
+    <name>LOG</name>
+    <rev>0</rev>
+    <info>
+    </info>
+  </expr>
+</rule>"
+
+$NFT add table filter 2>/dev/null >&2
+$NFT add chain filter INPUT 2>/dev/null >&2
+
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+	echo "E: Unable to add XML."
+	rm -rf $TMPFILE 2>/dev/null
+	exit 1
+fi
+
+rm -rf $TMPFILE 2>/dev/null
+echo "I: Test OK"
diff --git a/test/nft-table-xml-add.sh b/test/nft-table-xml-add.sh
new file mode 100755
index 0000000..2c55edc
--- /dev/null
+++ b/test/nft-table-xml-add.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+
+# This is a small testbench for adding nftables tables to kernel
+# in XML format.
+
+BINARY="../examples/nft-table-xml-add"
+NFT="$( which nft )"
+MKTEMP="$( which mktemp)"
+TMPFILE="$( $MKTEMP )"
+
+if [ ! -x "$BINARY" ] ; then
+	echo "E: Binary not found $BINARY"
+	exit 1
+fi
+
+if [ ! -x "$MKTEMP" ] ; then
+	echo "E: mktemp not found and is neccesary"
+	exit 1
+fi
+
+if [ ! -w "$TMPFILE" ] ; then
+	echo "E: Unable to create temp file via mktemp"
+	exit 1
+fi
+
+
+if [ ! -x "$NFT" ] ; then
+	echo "W: nftables main binary not found but continuing anyway $NFT"
+fi
+
+# This is valid
+XML="<table name=\"filter_test\" version=\"0\">
+	<properties>
+		<family>2</family>
+		<table_flags>0</table_flags>
+	</properties>
+</table>"
+
+$NFT delete table filter_test 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+	echo "E: Unable to add XML:"
+	echo "$XML"
+	rm -rf $TMPFILE 2>/dev/null
+	exit 1
+fi
+
+# This is valid
+XML="<table name=\"filter6_test\" version=\"0\">
+	<properties>
+		<family>10</family>
+		<table_flags>0</table_flags>
+	</properties>
+</table>"
+
+$NFT delete table filter6_test 2>/dev/null >&2
+echo $XML > $TMPFILE
+if ! $BINARY "$TMPFILE" ; then
+	echo "E: Unable to add XML:"
+	echo "$XML"
+	rm -rf $TMPFILE 2>/dev/null
+	exit 1
+fi
+
+rm -rf $TMPFILE 2>/dev/null
+echo "I: Test OK"
-- 
cgit v1.2.3