diff options
| author | Florian Westphal <fw@strlen.de> | 2025-03-31 16:47:11 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-07-29 02:38:27 +0200 |
| commit | 18591a8d7fb769041da57fefb7e335b7ac5a8afa (patch) | |
| tree | d9bbef102ca96b9f2026d20f4bfb9438b1b58387 | |
| parent | 801a06aece44d4954df03bd0e61c3e2e9ee557e9 (diff) | |
json: work around fuzzer-induced assert crashes
commit 18c24d89b9977ddc0900be64fe9e95e7ac1ce896 upstream.
fuzzer can cause assert failures due to json_pack() returning a NULL
value and therefore triggering the assert(out) in __json_pack macro.
All instances I saw are due to invalid UTF-8 strings, i.e., table/chain
names with non-text characters in them.
Work around this for now, replace the assert with a plaintext error
message and return NULL instead of abort().
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | src/json.c | 261 |
1 files changed, 135 insertions, 126 deletions
@@ -24,14 +24,23 @@ #include <jansson.h> #include <syslog.h> -#ifdef DEBUG -#define __json_pack json_pack -#define json_pack(...) ({ \ - json_t *__out = __json_pack(__VA_ARGS__); \ - assert(__out); \ - __out; \ -}) -#endif +static json_t *__nft_json_pack(unsigned int line, const char *fmt, ...) +{ + json_error_t error; + json_t *value; + va_list ap; + + va_start(ap, fmt); + value = json_vpack_ex(&error, 0, fmt, ap); + va_end(ap); + + if (value) + return value; + + fprintf(stderr, "%s:%d: json_pack failure (%s)\n", __FILE__, line, error.text); + return NULL; +} +#define nft_json_pack(...) __nft_json_pack(__LINE__, __VA_ARGS__) static int json_array_extend_new(json_t *array, json_t *other_array) { @@ -63,7 +72,7 @@ static json_t *expr_print_json(const struct expr *expr, struct output_ctx *octx) fclose(octx->output_fp); octx->output_fp = fp; - return json_pack("s", buf); + return nft_json_pack("s", buf); } static json_t *set_dtype_json(const struct expr *key) @@ -77,7 +86,7 @@ static json_t *set_dtype_json(const struct expr *key) if (!root) root = jtok; else if (json_is_string(root)) - root = json_pack("[o, o]", root, jtok); + root = nft_json_pack("[o, o]", root, jtok); else json_array_append_new(root, jtok); tok = strtok(NULL, " ."); @@ -94,7 +103,7 @@ static json_t *set_key_dtype_json(const struct set *set, if (!use_typeof) return set_dtype_json(set->key); - return json_pack("{s:o}", "typeof", expr_print_json(set->key, octx)); + return nft_json_pack("{s:o}", "typeof", expr_print_json(set->key, octx)); } static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) @@ -116,7 +125,7 @@ static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) fclose(octx->output_fp); octx->output_fp = fp; - return json_pack("s", buf); + return nft_json_pack("s", buf); } static json_t *set_stmt_list_json(const struct list_head *stmt_list, @@ -155,7 +164,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) type = "set"; } - root = json_pack("{s:s, s:s, s:s, s:o, s:I}", + root = nft_json_pack("{s:s, s:s, s:s, s:o, s:I}", "family", family2str(set->handle.family), "name", set->handle.set.name, "table", set->handle.table.name, @@ -169,24 +178,24 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) if (!(set->flags & (NFT_SET_CONSTANT))) { if (set->policy != NFT_SET_POL_PERFORMANCE) { - tmp = json_pack("s", set_policy2str(set->policy)); + tmp = nft_json_pack("s", set_policy2str(set->policy)); json_object_set_new(root, "policy", tmp); } if (set->desc.size) { - tmp = json_pack("i", set->desc.size); + tmp = nft_json_pack("i", set->desc.size); json_object_set_new(root, "size", tmp); } } tmp = json_array(); if (set->flags & NFT_SET_CONSTANT) - json_array_append_new(tmp, json_pack("s", "constant")); + json_array_append_new(tmp, nft_json_pack("s", "constant")); if (set->flags & NFT_SET_INTERVAL) - json_array_append_new(tmp, json_pack("s", "interval")); + json_array_append_new(tmp, nft_json_pack("s", "interval")); if (set->flags & NFT_SET_TIMEOUT) - json_array_append_new(tmp, json_pack("s", "timeout")); + json_array_append_new(tmp, nft_json_pack("s", "timeout")); if (set->flags & NFT_SET_EVAL) - json_array_append_new(tmp, json_pack("s", "dynamic")); + json_array_append_new(tmp, nft_json_pack("s", "dynamic")); if (json_array_size(tmp) > 0) { json_object_set_new(root, "flags", tmp); @@ -201,7 +210,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) json_object_set_new(root, "timeout", tmp); } if (set->gc_int) { - tmp = json_pack("i", set->gc_int / 1000); + tmp = nft_json_pack("i", set->gc_int / 1000); json_object_set_new(root, "gc-interval", tmp); } if (set->automerge) @@ -222,7 +231,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) set_stmt_list_json(&set->stmt_list, octx)); } - return json_pack("{s:o}", type, root); + return nft_json_pack("{s:o}", type, root); } /* XXX: Merge with set_print_json()? */ @@ -231,7 +240,7 @@ static json_t *element_print_json(struct output_ctx *octx, { json_t *root = expr_print_json(set->init, octx); - return json_pack("{s: {s:s, s:s, s:s, s:o}}", "element", + return nft_json_pack("{s: {s:s, s:s, s:s, s:o}}", "element", "family", family2str(set->handle.family), "table", set->handle.table.name, "name", set->handle.set.name, @@ -244,7 +253,7 @@ static json_t *rule_print_json(struct output_ctx *octx, const struct stmt *stmt; json_t *root, *tmp; - root = json_pack("{s:s, s:s, s:s, s:I}", + root = nft_json_pack("{s:s, s:s, s:s, s:I}", "family", family2str(rule->handle.family), "table", rule->handle.table.name, "chain", rule->handle.chain.name, @@ -264,7 +273,7 @@ static json_t *rule_print_json(struct output_ctx *octx, json_decref(tmp); } - return json_pack("{s:o}", "rule", root); + return nft_json_pack("{s:o}", "rule", root); } static json_t *chain_print_json(const struct chain *chain) @@ -272,7 +281,7 @@ static json_t *chain_print_json(const struct chain *chain) json_t *root, *tmp, *devs = NULL; int priority, policy, i; - root = json_pack("{s:s, s:s, s:s, s:I}", + root = nft_json_pack("{s:s, s:s, s:s, s:I}", "family", family2str(chain->handle.family), "table", chain->handle.table.name, "name", chain->handle.chain.name, @@ -292,7 +301,7 @@ static json_t *chain_print_json(const struct chain *chain) policy = NF_ACCEPT; } - tmp = json_pack("{s:s, s:s, s:i, s:s}", + tmp = nft_json_pack("{s:s, s:s, s:i, s:s}", "type", chain->type.str, "hook", hooknum2str(chain->handle.family, chain->hook.num), @@ -304,7 +313,7 @@ static json_t *chain_print_json(const struct chain *chain) if (!devs) devs = json_string(dev); else if (json_is_string(devs)) - devs = json_pack("[o, s]", devs, dev); + devs = nft_json_pack("[o, s]", devs, dev); else json_array_append_new(devs, json_string(dev)); } @@ -315,7 +324,7 @@ static json_t *chain_print_json(const struct chain *chain) json_decref(tmp); } - return json_pack("{s:o}", "chain", root); + return nft_json_pack("{s:o}", "chain", root); } static json_t *proto_name_json(uint8_t proto) @@ -351,28 +360,28 @@ static json_t *obj_print_json(const struct obj *obj) json_t *root, *tmp, *flags; uint64_t rate, burst; - root = json_pack("{s:s, s:s, s:s, s:I}", + root = nft_json_pack("{s:s, s:s, s:s, s:I}", "family", family2str(obj->handle.family), "name", obj->handle.obj.name, "table", obj->handle.table.name, "handle", obj->handle.handle.id); if (obj->comment) { - tmp = json_pack("{s:s}", "comment", obj->comment); + tmp = nft_json_pack("{s:s}", "comment", obj->comment); json_object_update(root, tmp); json_decref(tmp); } switch (obj->type) { case NFT_OBJECT_COUNTER: - tmp = json_pack("{s:I, s:I}", + tmp = nft_json_pack("{s:I, s:I}", "packets", obj->counter.packets, "bytes", obj->counter.bytes); json_object_update(root, tmp); json_decref(tmp); break; case NFT_OBJECT_QUOTA: - tmp = json_pack("{s:I, s:I, s:b}", + tmp = nft_json_pack("{s:I, s:I, s:b}", "bytes", obj->quota.bytes, "used", obj->quota.used, "inv", obj->quota.flags & NFT_QUOTA_F_INV); @@ -380,13 +389,13 @@ static json_t *obj_print_json(const struct obj *obj) json_decref(tmp); break; case NFT_OBJECT_SECMARK: - tmp = json_pack("{s:s}", + tmp = nft_json_pack("{s:s}", "context", obj->secmark.ctx); json_object_update(root, tmp); json_decref(tmp); break; case NFT_OBJECT_CT_HELPER: - tmp = json_pack("{s:s, s:o, s:s}", + tmp = nft_json_pack("{s:s, s:o, s:s}", "type", obj->ct_helper.name, "protocol", proto_name_json(obj->ct_helper.l4proto), "l3proto", family2str(obj->ct_helper.l3proto)); @@ -396,7 +405,7 @@ static json_t *obj_print_json(const struct obj *obj) case NFT_OBJECT_CT_TIMEOUT: tmp = timeout_policy_json(obj->ct_timeout.l4proto, obj->ct_timeout.timeout); - tmp = json_pack("{s:o, s:s, s:o}", + tmp = nft_json_pack("{s:o, s:s, s:o}", "protocol", proto_name_json(obj->ct_timeout.l4proto), "l3proto", family2str(obj->ct_timeout.l3proto), @@ -405,7 +414,7 @@ static json_t *obj_print_json(const struct obj *obj) json_decref(tmp); break; case NFT_OBJECT_CT_EXPECT: - tmp = json_pack("{s:o, s:I, s:I, s:I, s:s}", + tmp = nft_json_pack("{s:o, s:I, s:I, s:I, s:s}", "protocol", proto_name_json(obj->ct_expect.l4proto), "dport", obj->ct_expect.dport, @@ -424,7 +433,7 @@ static json_t *obj_print_json(const struct obj *obj) burst_unit = get_rate(obj->limit.burst, &burst); } - tmp = json_pack("{s:I, s:s}", + tmp = nft_json_pack("{s:I, s:s}", "rate", rate, "per", get_unit(obj->limit.unit)); @@ -445,9 +454,9 @@ static json_t *obj_print_json(const struct obj *obj) break; case NFT_OBJECT_SYNPROXY: flags = json_array(); - tmp = json_pack("{s:i, s:i}", - "mss", obj->synproxy.mss, - "wscale", obj->synproxy.wscale); + tmp = nft_json_pack("{s:i, s:i}", + "mss", obj->synproxy.mss, + "wscale", obj->synproxy.wscale); if (obj->synproxy.flags & NF_SYNPROXY_OPT_TIMESTAMP) json_array_append_new(flags, json_string("timestamp")); if (obj->synproxy.flags & NF_SYNPROXY_OPT_SACK_PERM) @@ -463,7 +472,7 @@ static json_t *obj_print_json(const struct obj *obj) break; } - return json_pack("{s:o}", type, root); + return nft_json_pack("{s:o}", type, root); } static json_t *flowtable_print_json(const struct flowtable *ftable) @@ -476,7 +485,7 @@ static json_t *flowtable_print_json(const struct flowtable *ftable) BYTEORDER_HOST_ENDIAN, sizeof(int)); } - root = json_pack("{s:s, s:s, s:s, s:I, s:s, s:i}", + root = nft_json_pack("{s:s, s:s, s:s, s:I, s:s, s:i}", "family", family2str(ftable->handle.family), "name", ftable->handle.flowtable.name, "table", ftable->handle.table.name, @@ -489,14 +498,14 @@ static json_t *flowtable_print_json(const struct flowtable *ftable) if (!devs) devs = json_string(dev); else if (json_is_string(devs)) - devs = json_pack("[o, s]", devs, dev); + devs = nft_json_pack("[o, s]", devs, dev); else json_array_append_new(devs, json_string(dev)); } if (devs) json_object_set_new(root, "dev", devs); - return json_pack("{s:o}", "flowtable", root); + return nft_json_pack("{s:o}", "flowtable", root); } static json_t *table_flags_json(const struct table *table) @@ -530,7 +539,7 @@ static json_t *table_print_json(const struct table *table) { json_t *root, *tmp; - root = json_pack("{s:s, s:s, s:I}", + root = nft_json_pack("{s:s, s:s, s:I}", "family", family2str(table->handle.family), "name", table->handle.table.name, "handle", table->handle.handle.id); @@ -542,7 +551,7 @@ static json_t *table_print_json(const struct table *table) if (table->comment) json_object_set_new(root, "comment", json_string(table->comment)); - return json_pack("{s:o}", "table", root); + return nft_json_pack("{s:o}", "table", root); } json_t *flagcmp_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -577,13 +586,13 @@ __binop_expr_json(int op, const struct expr *expr, struct output_ctx *octx) json_t *binop_expr_json(const struct expr *expr, struct output_ctx *octx) { - return json_pack("{s:o}", expr_op_symbols[expr->op], + return nft_json_pack("{s:o}", expr_op_symbols[expr->op], __binop_expr_json(expr->op, expr, octx)); } json_t *relational_expr_json(const struct expr *expr, struct output_ctx *octx) { - return json_pack("{s:{s:s, s:o, s:o}}", "match", + return nft_json_pack("{s:{s:s, s:o, s:o}}", "match", "op", expr_op_symbols[expr->op] ? : "in", "left", expr_print_json(expr->left, octx), "right", expr_print_json(expr->right, octx)); @@ -596,7 +605,7 @@ json_t *range_expr_json(const struct expr *expr, struct output_ctx *octx) octx->flags &= ~NFT_CTX_OUTPUT_SERVICE; octx->flags |= NFT_CTX_OUTPUT_NUMERIC_PROTO; - root = json_pack("{s:[o, o]}", "range", + root = nft_json_pack("{s:[o, o]}", "range", expr_print_json(expr->left, octx), expr_print_json(expr->right, octx)); octx->flags = flags; @@ -606,7 +615,7 @@ json_t *range_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *meta_expr_json(const struct expr *expr, struct output_ctx *octx) { - return json_pack("{s:{s:s}}", "meta", + return nft_json_pack("{s:{s:s}}", "meta", "key", meta_templates[expr->meta.key].token); } @@ -615,16 +624,16 @@ json_t *payload_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *root; if (payload_is_known(expr)) - root = json_pack("{s:s, s:s}", + root = nft_json_pack("{s:s, s:s}", "protocol", expr->payload.desc->name, "field", expr->payload.tmpl->token); else - root = json_pack("{s:s, s:i, s:i}", + root = nft_json_pack("{s:s, s:i, s:i}", "base", proto_base_tokens[expr->payload.base], "offset", expr->payload.offset, "len", expr->len); - return json_pack("{s:o}", "payload", root); + return nft_json_pack("{s:o}", "payload", root); } json_t *ct_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -633,7 +642,7 @@ json_t *ct_expr_json(const struct expr *expr, struct output_ctx *octx) enum nft_ct_keys key = expr->ct.key; json_t *root; - root = json_pack("{s:s}", "key", ct_templates[key].token); + root = nft_json_pack("{s:s}", "key", ct_templates[key].token); if (expr->ct.direction < 0) goto out; @@ -641,7 +650,7 @@ json_t *ct_expr_json(const struct expr *expr, struct output_ctx *octx) if (dirstr) json_object_set_new(root, "dir", json_string(dirstr)); out: - return json_pack("{s:o}", "ct", root); + return nft_json_pack("{s:o}", "ct", root); } json_t *concat_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -652,7 +661,7 @@ json_t *concat_expr_json(const struct expr *expr, struct output_ctx *octx) list_for_each_entry(i, &expr->expressions, list) json_array_append_new(array, expr_print_json(i, octx)); - return json_pack("{s:o}", "concat", array); + return nft_json_pack("{s:o}", "concat", array); } json_t *set_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -663,7 +672,7 @@ json_t *set_expr_json(const struct expr *expr, struct output_ctx *octx) list_for_each_entry(i, &expr->expressions, list) json_array_append_new(array, expr_print_json(i, octx)); - return json_pack("{s:o}", "set", array); + return nft_json_pack("{s:o}", "set", array); } json_t *set_ref_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -671,7 +680,7 @@ json_t *set_ref_expr_json(const struct expr *expr, struct output_ctx *octx) if (set_is_anonymous(expr->set->flags)) { return expr_print_json(expr->set->init, octx); } else { - return json_pack("s+", "@", expr->set->handle.set.name); + return nft_json_pack("s+", "@", expr->set->handle.set.name); } } @@ -687,7 +696,7 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx) /* these element attributes require formal set elem syntax */ if (expr->timeout || expr->expiration || expr->comment || !list_empty(&expr->stmt_list)) { - root = json_pack("{s:o}", "val", root); + root = nft_json_pack("{s:o}", "val", root); if (expr->timeout) { tmp = json_integer(expr->timeout / 1000); @@ -709,7 +718,7 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx) /* TODO: only one statement per element. */ break; } - return json_pack("{s:o}", "elem", root); + return nft_json_pack("{s:o}", "elem", root); } return root; @@ -719,7 +728,7 @@ json_t *prefix_expr_json(const struct expr *expr, struct output_ctx *octx) { json_t *root = expr_print_json(expr->prefix, octx); - return json_pack("{s:{s:o, s:i}}", "prefix", + return nft_json_pack("{s:{s:o, s:i}}", "prefix", "addr", root, "len", expr->prefix_len); } @@ -732,7 +741,7 @@ json_t *list_expr_json(const struct expr *expr, struct output_ctx *octx) list_for_each_entry(i, &expr->expressions, list) json_array_append_new(array, expr_print_json(i, octx)); - //return json_pack("{s:s, s:o}", "type", "list", "val", array); + //return nft_json_pack("{s:s, s:o}", "type", "list", "val", array); return array; } @@ -743,7 +752,7 @@ json_t *unary_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *mapping_expr_json(const struct expr *expr, struct output_ctx *octx) { - return json_pack("[o, o]", + return nft_json_pack("[o, o]", expr_print_json(expr->left, octx), expr_print_json(expr->right, octx)); } @@ -756,7 +765,7 @@ json_t *map_expr_json(const struct expr *expr, struct output_ctx *octx) expr->mappings->set->data->dtype->type == TYPE_VERDICT) type = "vmap"; - return json_pack("{s:{s:o, s:o}}", type, + return nft_json_pack("{s:{s:o, s:o}}", type, "key", expr_print_json(expr->map, octx), "data", expr_print_json(expr->mappings, octx)); } @@ -778,31 +787,31 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx) if (offset < 4) offstr = offstrs[offset]; - root = json_pack("{s:s+}", "name", desc, offstr); + root = nft_json_pack("{s:s+}", "name", desc, offstr); if (!is_exists) json_object_set_new(root, "field", json_string(field)); } else { - root = json_pack("{s:i, s:i, s:i}", + root = nft_json_pack("{s:i, s:i, s:i}", "base", expr->exthdr.raw_type, "offset", expr->exthdr.offset, "len", expr->len); } - return json_pack("{s:o}", "tcp option", root); + return nft_json_pack("{s:o}", "tcp option", root); } - root = json_pack("{s:s}", "name", desc); + root = nft_json_pack("{s:s}", "name", desc); if (!is_exists) json_object_set_new(root, "field", json_string(field)); switch (expr->exthdr.op) { case NFT_EXTHDR_OP_IPV4: - return json_pack("{s:o}", "ip option", root); + return nft_json_pack("{s:o}", "ip option", root); case NFT_EXTHDR_OP_SCTP: - return json_pack("{s:o}", "sctp chunk", root); + return nft_json_pack("{s:o}", "sctp chunk", root); default: - return json_pack("{s:o}", "exthdr", root); + return nft_json_pack("{s:o}", "exthdr", root); } } @@ -839,15 +848,15 @@ json_t *verdict_expr_json(const struct expr *expr, struct output_ctx *octx) return NULL; } if (chain) - return json_pack("{s:{s:o}}", name, "target", chain); + return nft_json_pack("{s:{s:o}}", name, "target", chain); else - return json_pack("{s:n}", name); + return nft_json_pack("{s:n}", name); } json_t *rt_expr_json(const struct expr *expr, struct output_ctx *octx) { const char *key = rt_templates[expr->rt.key].token; - json_t *root = json_pack("{s:s}", "key", key); + json_t *root = nft_json_pack("{s:s}", "key", key); const char *family = NULL; switch (expr->rt.key) { @@ -864,7 +873,7 @@ json_t *rt_expr_json(const struct expr *expr, struct output_ctx *octx) if (family) json_object_set_new(root, "family", json_string(family)); - return json_pack("{s:o}", "rt", root); + return nft_json_pack("{s:o}", "rt", root); } json_t *numgen_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -883,7 +892,7 @@ json_t *numgen_expr_json(const struct expr *expr, struct output_ctx *octx) break; } - return json_pack("{s:{s:s, s:i, s:i}}", "numgen", + return nft_json_pack("{s:{s:s, s:i, s:i}}", "numgen", "mode", mode, "mod", expr->numgen.mod, "offset", expr->numgen.offset); @@ -905,7 +914,7 @@ json_t *hash_expr_json(const struct expr *expr, struct output_ctx *octx) break; } - root = json_pack("{s:i}", "mod", expr->hash.mod); + root = nft_json_pack("{s:i}", "mod", expr->hash.mod); if (expr->hash.seed_set) json_object_set_new(root, "seed", json_integer(expr->hash.seed)); @@ -915,7 +924,7 @@ json_t *hash_expr_json(const struct expr *expr, struct output_ctx *octx) if (jexpr) json_object_set_new(root, "expr", jexpr); - return json_pack("{s:o}", type, root); + return nft_json_pack("{s:o}", type, root); } json_t *fib_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -924,7 +933,7 @@ json_t *fib_expr_json(const struct expr *expr, struct output_ctx *octx) unsigned int flags = expr->fib.flags & ~NFTA_FIB_F_PRESENT; json_t *root; - root = json_pack("{s:s}", "result", fib_result_str(expr->fib.result)); + root = nft_json_pack("{s:s}", "result", fib_result_str(expr->fib.result)); if (flags) { json_t *tmp = json_array(); @@ -940,7 +949,7 @@ json_t *fib_expr_json(const struct expr *expr, struct output_ctx *octx) json_array_append_new(tmp, json_integer(flags)); json_object_set_new(root, "flags", tmp); } - return json_pack("{s:o}", "fib", root); + return nft_json_pack("{s:o}", "fib", root); } static json_t *symbolic_constant_json(const struct symbol_table *tbl, @@ -1013,7 +1022,7 @@ json_t *constant_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *socket_expr_json(const struct expr *expr, struct output_ctx *octx) { - return json_pack("{s:{s:s}}", "socket", "key", + return nft_json_pack("{s:{s:s}}", "socket", "key", socket_templates[expr->socket.key].token); } @@ -1022,9 +1031,9 @@ json_t *osf_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *root; if (expr->osf.flags & NFT_OSF_F_VERSION) - root = json_pack("{s:s}", "key", "version"); + root = nft_json_pack("{s:s}", "key", "version"); else - root = json_pack("{s:s}", "key", "name"); + root = nft_json_pack("{s:s}", "key", "name"); switch (expr->osf.ttl) { case 1: @@ -1035,7 +1044,7 @@ json_t *osf_expr_json(const struct expr *expr, struct output_ctx *octx) break; } - return json_pack("{s:o}", "osf", root); + return nft_json_pack("{s:o}", "osf", root); } json_t *xfrm_expr_json(const struct expr *expr, struct output_ctx *octx) @@ -1072,7 +1081,7 @@ json_t *xfrm_expr_json(const struct expr *expr, struct output_ctx *octx) break; } - root = json_pack("{s:s}", "key", name); + root = nft_json_pack("{s:s}", "key", name); if (family) json_object_set_new(root, "family", json_string(family)); @@ -1080,7 +1089,7 @@ json_t *xfrm_expr_json(const struct expr *expr, struct output_ctx *octx) json_object_set_new(root, "dir", json_string(dirstr)); json_object_set_new(root, "spnum", json_integer(expr->xfrm.spnum)); - return json_pack("{s:o}", "ipsec", root); + return nft_json_pack("{s:o}", "ipsec", root); } json_t *integer_type_json(const struct expr *expr, struct output_ctx *octx) @@ -1203,21 +1212,21 @@ json_t *expr_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_t *flow_offload_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { - return json_pack("{s:{s:s, s:s+}}", "flow", + return nft_json_pack("{s:{s:s, s:s+}}", "flow", "op", "add", "flowtable", "@", stmt->flow.table_name); } json_t *payload_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { - return json_pack("{s: {s:o, s:o}}", "mangle", + return nft_json_pack("{s: {s:o, s:o}}", "mangle", "key", expr_print_json(stmt->payload.expr, octx), "value", expr_print_json(stmt->payload.val, octx)); } json_t *exthdr_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { - return json_pack("{s: {s:o, s:o}}", "mangle", + return nft_json_pack("{s: {s:o, s:o}}", "mangle", "key", expr_print_json(stmt->exthdr.expr, octx), "value", expr_print_json(stmt->exthdr.val, octx)); } @@ -1229,7 +1238,7 @@ json_t *quota_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_t *root; data_unit = get_rate(stmt->quota.bytes, &bytes); - root = json_pack("{s:I, s:s}", + root = nft_json_pack("{s:I, s:s}", "val", bytes, "val_unit", data_unit); @@ -1241,7 +1250,7 @@ json_t *quota_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_object_set_new(root, "used_unit", json_string(data_unit)); } - return json_pack("{s:o}", "quota", root); + return nft_json_pack("{s:o}", "quota", root); } json_t *ct_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1254,7 +1263,7 @@ json_t *ct_stmt_json(const struct stmt *stmt, struct output_ctx *octx) }, }; - return json_pack("{s:{s:o, s:o}}", "mangle", + return nft_json_pack("{s:{s:o, s:o}}", "mangle", "key", ct_expr_json(&expr, octx), "value", expr_print_json(stmt->ct.expr, octx)); } @@ -1272,7 +1281,7 @@ json_t *limit_stmt_json(const struct stmt *stmt, struct output_ctx *octx) burst_unit = get_rate(stmt->limit.burst, &burst); } - root = json_pack("{s:I, s:I, s:s}", + root = nft_json_pack("{s:I, s:I, s:s}", "rate", rate, "burst", burst, "per", get_unit(stmt->limit.unit)); @@ -1284,14 +1293,14 @@ json_t *limit_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_object_set_new(root, "burst_unit", json_string(burst_unit)); - return json_pack("{s:o}", "limit", root); + return nft_json_pack("{s:o}", "limit", root); } json_t *fwd_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { json_t *root, *tmp; - root = json_pack("{s:o}", "dev", expr_print_json(stmt->fwd.dev, octx)); + root = nft_json_pack("{s:o}", "dev", expr_print_json(stmt->fwd.dev, octx)); if (stmt->fwd.addr) { tmp = json_string(family2str(stmt->fwd.family)); @@ -1301,12 +1310,12 @@ json_t *fwd_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_object_set_new(root, "addr", tmp); } - return json_pack("{s:o}", "fwd", root); + return nft_json_pack("{s:o}", "fwd", root); } json_t *notrack_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { - return json_pack("{s:n}", "notrack"); + return nft_json_pack("{s:n}", "notrack"); } json_t *dup_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1314,27 +1323,27 @@ json_t *dup_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_t *root; if (stmt->dup.to) { - root = json_pack("{s:o}", "addr", expr_print_json(stmt->dup.to, octx)); + root = nft_json_pack("{s:o}", "addr", expr_print_json(stmt->dup.to, octx)); if (stmt->dup.dev) json_object_set_new(root, "dev", expr_print_json(stmt->dup.dev, octx)); } else { root = json_null(); } - return json_pack("{s:o}", "dup", root); + return nft_json_pack("{s:o}", "dup", root); } json_t *meta_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { json_t *root; - root = json_pack("{s:{s:s}}", "meta", + root = nft_json_pack("{s:{s:s}}", "meta", "key", meta_templates[stmt->meta.key].token); - root = json_pack("{s:o, s:o}", + root = nft_json_pack("{s:o, s:o}", "key", root, "value", expr_print_json(stmt->meta.expr, octx)); - return json_pack("{s:o}", "mangle", root); + return nft_json_pack("{s:o}", "mangle", root); } json_t *log_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1393,7 +1402,7 @@ json_t *log_stmt_json(const struct stmt *stmt, struct output_ctx *octx) root = json_null(); } - return json_pack("{s:o}", "log", root); + return nft_json_pack("{s:o}", "log", root); } static json_t *nat_flags_json(uint32_t flags) @@ -1467,7 +1476,7 @@ json_t *nat_stmt_json(const struct stmt *stmt, struct output_ctx *octx) root = json_null(); } - return json_pack("{s:o}", nat_etype2str(stmt->nat.type), root); + return nft_json_pack("{s:o}", nat_etype2str(stmt->nat.type), root); } json_t *reject_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1497,7 +1506,7 @@ json_t *reject_stmt_json(const struct stmt *stmt, struct output_ctx *octx) } if (!type && !jexpr) - return json_pack("{s:n}", "reject"); + return nft_json_pack("{s:n}", "reject"); root = json_object(); if (type) @@ -1505,15 +1514,15 @@ json_t *reject_stmt_json(const struct stmt *stmt, struct output_ctx *octx) if (jexpr) json_object_set_new(root, "expr", jexpr); - return json_pack("{s:o}", "reject", root); + return nft_json_pack("{s:o}", "reject", root); } json_t *counter_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { if (nft_output_stateless(octx)) - return json_pack("{s:n}", "counter"); + return nft_json_pack("{s:n}", "counter"); - return json_pack("{s:{s:I, s:I}}", "counter", + return nft_json_pack("{s:{s:I, s:I}}", "counter", "packets", stmt->counter.packets, "bytes", stmt->counter.bytes); } @@ -1522,7 +1531,7 @@ json_t *set_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { json_t *root; - root = json_pack("{s:s, s:o, s:s+}", + root = nft_json_pack("{s:s, s:o, s:s+}", "op", set_stmt_op_names[stmt->set.op], "elem", expr_print_json(stmt->set.key, octx), "set", "@", stmt->set.set->set->handle.set.name); @@ -1533,14 +1542,14 @@ json_t *set_stmt_json(const struct stmt *stmt, struct output_ctx *octx) octx)); } - return json_pack("{s:o}", "set", root); + return nft_json_pack("{s:o}", "set", root); } json_t *map_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { json_t *root; - root = json_pack("{s:s, s:o, s:o, s:s+}", + root = nft_json_pack("{s:s, s:o, s:o, s:s+}", "op", set_stmt_op_names[stmt->map.op], "elem", expr_print_json(stmt->map.key, octx), "data", expr_print_json(stmt->map.data, octx), @@ -1552,7 +1561,7 @@ json_t *map_stmt_json(const struct stmt *stmt, struct output_ctx *octx) octx)); } - return json_pack("{s:o}", "map", root); + return nft_json_pack("{s:o}", "map", root); } json_t *objref_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1564,7 +1573,7 @@ json_t *objref_stmt_json(const struct stmt *stmt, struct output_ctx *octx) else name = objref_type_name(stmt->objref.type); - return json_pack("{s:o}", name, expr_print_json(stmt->objref.expr, octx)); + return nft_json_pack("{s:o}", name, expr_print_json(stmt->objref.expr, octx)); } json_t *meter_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1576,7 +1585,7 @@ json_t *meter_stmt_json(const struct stmt *stmt, struct output_ctx *octx) tmp = stmt_print_json(stmt->meter.stmt, octx); octx->flags = flags; - root = json_pack("{s:o, s:o, s:i}", + root = nft_json_pack("{s:o, s:o, s:i}", "key", expr_print_json(stmt->meter.key, octx), "stmt", tmp, "size", stmt->meter.size); @@ -1585,7 +1594,7 @@ json_t *meter_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_object_set_new(root, "name", tmp); } - return json_pack("{s:o}", "meter", root); + return nft_json_pack("{s:o}", "meter", root); } json_t *queue_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1617,7 +1626,7 @@ json_t *queue_stmt_json(const struct stmt *stmt, struct output_ctx *octx) root = json_null(); } - return json_pack("{s:o}", "queue", root); + return nft_json_pack("{s:o}", "queue", root); } json_t *verdict_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1627,12 +1636,12 @@ json_t *verdict_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_t *connlimit_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { - json_t *root = json_pack("{s:i}", "val", stmt->connlimit.count); + json_t *root = nft_json_pack("{s:i}", "val", stmt->connlimit.count); if (stmt->connlimit.flags & NFT_CONNLIMIT_F_INV) json_object_set_new(root, "inv", json_true()); - return json_pack("{s:o}", "ct count", root); + return nft_json_pack("{s:o}", "ct count", root); } json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1655,7 +1664,7 @@ json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_object_set_new(root, "port", tmp); } - return json_pack("{s:o}", "tproxy", root); + return nft_json_pack("{s:o}", "tproxy", root); } json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx) @@ -1683,12 +1692,12 @@ json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx) root = json_null(); } - return json_pack("{s:o}", "synproxy", root); + return nft_json_pack("{s:o}", "synproxy", root); } json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx) { - return json_pack("{s:o}", "reset", + return nft_json_pack("{s:o}", "reset", expr_print_json(stmt->optstrip.expr, octx)); } @@ -1700,7 +1709,7 @@ json_t *xt_stmt_json(const struct stmt *stmt, struct output_ctx *octx) [NFT_XT_WATCHER] = "watcher", }; - return json_pack("{s:{s:s, s:s}}", "xt", + return nft_json_pack("{s:{s:s, s:s}}", "xt", "type", xt_typename[stmt->xt.type], "name", stmt->xt.name); } @@ -1842,7 +1851,7 @@ static json_t *do_list_set_json(struct netlink_ctx *ctx, if (set == NULL) return json_null(); - return json_pack("[o]", set_print_json(&ctx->nft->output, set)); + return nft_json_pack("[o]", set_print_json(&ctx->nft->output, set)); } static json_t *do_list_sets_json(struct netlink_ctx *ctx, struct cmd *cmd) @@ -1940,7 +1949,7 @@ static json_t *do_list_flowtables_json(struct netlink_ctx *ctx, struct cmd *cmd) static json_t *generate_json_metainfo(void) { - return json_pack("{s: {s:s, s:s, s:i}}", "metainfo", + return nft_json_pack("{s: {s:s, s:s, s:i}}", "metainfo", "version", PACKAGE_VERSION, "release_name", RELEASE_NAME, "json_schema_version", JSON_SCHEMA_VERSION); @@ -2030,7 +2039,7 @@ int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd) json_array_insert_new(root, 0, generate_json_metainfo()); - root = json_pack("{s:o}", "nftables", root); + root = nft_json_pack("{s:o}", "nftables", root); json_dumpf(root, ctx->nft->output.output_fp, 0); json_decref(root); fprintf(ctx->nft->output.output_fp, "\n"); @@ -2043,7 +2052,7 @@ static void monitor_print_json(struct netlink_mon_handler *monh, { struct nft_ctx *nft = monh->ctx->nft; - obj = json_pack("{s:o}", cmd, obj); + obj = nft_json_pack("{s:o}", cmd, obj); if (nft_output_echo(&nft->output) && !nft->json_root) { json_array_append_new(nft->json_echo, obj); } else { |