path: root/py
Commit message | Author | Age | Files | Lines
* py: add Nftables.{get,set}_input_flags() API | Thomas Haller | 2023-08-24 | 1 | -0/+43
  Similar to the existing Nftables.{get,set}_debug() API.

  Only notable (internal) difference is that nft_ctx_input_set_flags() returns the old value already, so we don't need to call Nftables.get_input_flags() first.

  The benefit of this API is that it follows the existing API for debug flags. Also, when future flags are added it requires few changes to the python code.

  Signed-off-by: Thomas Haller <thaller@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: extract flags helper functions for set_debug()/get_debug() | Thomas Haller | 2023-08-24 | 1 | -21/+31
  Will be re-used for nft_ctx_input_set_flags() and nft_ctx_input_get_flags().

  There are changes in behavior here.

  - when passing an unrecognized string (e.g. `ctx.set_debug('foo')` or `ctx.set_debug(['foo'])`), a ValueError is now raised instead of a KeyError.

  - when passing an out-of-range integer, now a ValueError is raised. Previously the integer was truncated to 32bit.

  Changing the exception is an API change, but most likely nobody will care or try to catch a KeyError to find out whether a flag is supported. Especially, since such a check would be better performed via `'foo' in ctx.debug_flags`.

  In other cases, a TypeError is raised as before.

  Signed-off-by: Thomas Haller <thaller@redhat.com>
  Reviewed-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: fix exception during cleanup of half-initialized Nftables | Thomas Haller | 2023-08-24 | 1 | -1/+5
  When we create a Nftables instance against an older library version, we might not find a symbol and fail with an exception when initializing the context object.

  Then, __del__() is still called, but resulting in a second exception because self.__ctx is not set. Avoid that second exception.

      $ python -c 'import nftables; nftables.Nftables()'
      Traceback (most recent call last):
        File "<string>", line 1, in <module>
        File "/data/src/nftables/py/nftables.py", line 90, in __init__
          self.nft_ctx_input_get_flags = lib.nft_ctx_input_get_flags
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/usr/lib64/python3.11/ctypes/__init__.py", line 389, in __getattr__
          func = self.__getitem__(name)
                 ^^^^^^^^^^^^^^^^^^^^^^
        File "/usr/lib64/python3.11/ctypes/__init__.py", line 394, in __getitem__
          func = self._FuncPtr((name_or_ordinal, self))
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      AttributeError: /lib64/libnftables.so.1: undefined symbol: nft_ctx_input_get_flags
      Exception ignored in: <function Nftables.__del__ at 0x7f6315a2c540>
      Traceback (most recent call last):
        File "/data/src/nftables/py/nftables.py", line 166, in __del__
          self.nft_ctx_free(self.__ctx)
          ^^^^^^^^^^^^^^^^^
      AttributeError: 'Nftables' object has no attribute 'nft_ctx_free'

  Signed-off-by: Thomas Haller <thaller@redhat.com>
  Reviewed-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: add pyproject.toml to support PEP-517-compatible build-systems | Jeremy Sowden | 2023-08-03 | 2 | -1/+4
  This makes it possible to build and install the module without directly invoking setup.py which has been deprecated. Retain the setup.py script for backwards-compatibility.

  Update INSTALL to mention the new config-file.

  Link: https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html
  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: use setup.cfg to configure setuptools | Jeremy Sowden | 2023-08-03 | 3 | -22/+27
  Setuptools has had support for declarative configuration for several years. To quote their documentation:

      Setuptools allows using configuration files (usually setup.cfg) to define a package’s metadata and other options that are normally supplied to the setup() function (declarative config).

      This approach not only allows automation scenarios but also reduces boilerplate code in some cases.

  Additionally, this allows us to introduce support for PEP-517-compatible build-systems.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: move package source into src directory | Jeremy Sowden | 2023-08-03 | 5 | -2/+2
  Separate the actual package source from the build files. In addition to being a bit tidier, this will prevent setup.py being erroneously installed when we introduce PEP-517 support in a later commit.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: remove setup.py integration with autotools | Pablo Neira Ayuso | 2023-07-31 | 1 | -27/+0
  With Python distutils and setuptools going deprecated, remove integration with autotools. This integration is causing issues in modern environments.

  Note that setup.py is still left in place under the py/ folder.

  Update INSTALL file to refer to Python support and setup.py.

  Acked-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: return boolean value from Nftables.__[gs]et_output_flag() | Thomas Haller | 2023-07-19 | 1 | -2/+2
  The callers of __get_output_flag() and __set_output_flag(), for example get_reversedns_output(), are all documented to return a "boolean" value.

  Instead, they returned the underlying, non-zero flags value. That number is not obviously useful to the caller, because there is no API so that the caller could do anything with it (except evaluating it in a boolean context). Adjust that, to match the documentation.

  The alternative would be to update the documentation, to indicate that the functions return a non-zero integer when the flag is set. That would preserve the previous behavior and maybe the number could be useful somehow(?).

  Signed-off-by: Thomas Haller <thaller@redhat.com>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* py: replace distutils with setuptools | Jose M. Guisado Gomez | 2023-03-15 | 1 | -1/+1
  Removes a deprecation warning when using distutils and python >=3.10.

  Python distutils module is formally marked as deprecated since python 3.10 and will be removed from the standard library from Python 3.12. (https://peps.python.org/pep-0632/)

  From https://setuptools.pypa.io/en/latest/setuptools.html

  """
  Packages built and distributed using setuptools look to the user like ordinary Python packages based on the distutils.
  """

  Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* py: support variables management and fix formatting | Fernando Fernandez Mancera | 2022-09-16 | 1 | -13/+30
  Add nft_ctx_add_var() and nft_ctx_clear_vars() support through add_var() and clear_vars(). Also, fix some functions documentation and drop unnecessary comments.

  In addition, modify get_dry_run() to return the previous value set. This is needed to be consistent with the rest of the python API.

  Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591
  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: extend python API to support libnftables API | Peter Collinson | 2022-09-16 | 1 | -0/+82
  Allows py/nftables.py to support full mapping to the libnftables API. The changes allow python code to talk in text to the kernel rather than just using json. The Python API can now also use dry run to test changes.

  Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591
  Signed-off-by: Peter Collinson <pc@hillside.co.uk>
  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: load the SONAME-versioned shared object | Arturo Borrero Gonzalez | 2019-12-10 | 1 | -1/+1
  Instruct the python module to load the SONAME versioned shared object.

  Normal end-user systems may only have available libnftables.so.1.0.0 and not libnftables.so which is usually only present in developer systems.

  In Debian systems, for example:

      % dpkg -L libnftables1 | grep so.1
      /usr/lib/x86_64-linux-gnu/libnftables.so.1.0.0
      /usr/lib/x86_64-linux-gnu/libnftables.so.1

      % dpkg -L libnftables-dev | grep so
      /usr/lib/x86_64-linux-gnu/libnftables.so

  The "1" is not a magic number, it is the SONAME of libnftables in the current version, as stated in Make_global.am.

  Reported-by: Michael Biebl <biebl@debian.org>
  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Acked-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: add missing output flags. | Jeremy Sowden | 2019-10-24 | 1 | -0/+35
  `terse` and `numeric_time` are missing from the `output_flags` dict. Add them and getters and setters for them.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: avoid unnecessary call to xargs | Jan Engelhardt | 2019-06-25 | 1 | -1/+1
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: avoid recursion into py/ if not selected | Jan Engelhardt | 2019-06-25 | 1 | -3/+0
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Implement JSON validation in nftables module | Phil Sutter | 2019-05-31 | 4 | -1/+47
  Using jsonschema it is possible to validate any JSON input to make sure it formally conforms with libnftables JSON API requirements.

  Implement a simple validator class for use within a new Nftables class method 'json_validate' and ship a minimal schema definition along with the package.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: fix missing decode/encode of strings | Eric Garver | 2019-05-12 | 1 | -0/+7
  When calling ffi functions, if the string is unicode we need to convert to utf-8. Then convert back for any output we receive.

  Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
  Signed-off-by: Eric Garver <eric@garver.life>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Fix gitignore of lib/ directory | Phil Sutter | 2019-05-08 | 1 | -1/+1
  Pattern is not a PCRE one but merely a shell glob. Hence 'lib.*' matches only 'lib.' prefix, not also 'lib'.

  Fixes: bf9653667a39e ("python: installation of binding via make install")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_json: Rewrite echo support | Phil Sutter | 2019-04-03 | 1 | -0/+3
  Instead of guessing which object to update with retrieved handle, introduce a list containing struct cmd <-> json_t associations. Upon batch commit, allocated cmd objects are assigned a unique netlink sequence number. Monitor events contain that number as well, so they may be associated to the cmd object which triggered them. Using json_cmd_assoc list the event may in turn be associated to the input's JSON object which should receive the handle value.

  This also fixes incorrect behaviour if JSON input contained "insert" commands.

  Fixes: bb32d8db9a125 ("JSON: Add support for echo option")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Adjust Nftables class to output flags changes | Phil Sutter | 2018-10-31 | 1 | -78/+142
  Introduce setter/getter methods for each introduced output flag. Ignore NFT_CTX_OUTPUT_NUMERIC_ALL for now since its main purpose is for internal use.

  Adjust the script in tests/py accordingly: Due to the good defaults, only numeric proto output has to be selected - this is not a must, but allows for the test cases to remain unchanged.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: trivial: Fix typo in comment string | Phil Sutter | 2018-08-30 | 1 | -1/+1
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* python: set license and author in nftables.py | Eric Leblond | 2018-06-20 | 1 | -0/+16
  It will be distributed separately so this is worth setting things correctly.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* python: installation of binding via make install | Eric Leblond | 2018-06-20 | 5 | -0/+61
  setup.py is used to build and install the python binding. Calls to setup.py are done in Makefile to proceed to build and installation.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify nft_run_cmd_from_buffer footprint | Phil Sutter | 2018-06-18 | 1 | -2/+2
  With libnftables documentation being upstream and one confirmed external user (nftlb), time to break the API!

  First of all, the command buffer passed to nft_run_cmd_from_buffer may (and should) be const. One should consider it a bug if that function ever changed its content.

  On the other hand, there is no point in passing the buffer's length as separate argument: NULL bytes are not expected to occur in the input, so it is safe to rely upon strlen(). Also, the actual parsers don't require a buffer length passed to them, either. The only use-case for it is when reallocating the buffer to append a final newline character, there strlen() is perfectly sufficient.

  Suggested-by: Harald Welte <laforge@gnumonks.org>
  Cc: Laura Garcia Liebana <nevola@gmail.com>
  Cc: Eric Leblond <eric@regit.org>
  Cc: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Add JSON support to nftables Class | Phil Sutter | 2018-05-11 | 1 | -1/+44
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Add getter/setter for echo output option | Phil Sutter | 2018-05-11 | 1 | -0/+25
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Use libnftables instead of calling nft binary | Phil Sutter | 2018-04-11 | 2 | -0/+225
  This adds a simple nftables Python class in py/nftables.py which gives access to libnftables API via ctypes module.

  nft-test.py is extended to make use of the above class instead of calling nft binary. Since command line formatting had to be touched anyway, this patch also streamlines things a bit by introducing __str__ methods to classes Table and Chain and making extensive use of format strings instead of onerously adding all string parts together.

  Since the called commands don't see a shell anymore, all shell meta character escaping done in testcases is removed.

  The visible effects of this change are:

  * Four new warnings in ip/flowtable.t due to changing objref IDs (will be addressed later in a patch to libnftnl).

  * Reported command line in warning and error messages changed slightly for obvious reasons.

  * Reduction of a full test run's runtime by a factor of four.

  Status diff after running with 'time':

      < 83 test files, 77 files passed, 1724 unit tests, 0 error, 33 warning
      < 87.23user 696.13system 15:11.82elapsed 85%CPU (0avgtext+0avgdata 9604maxresident)k
      < 8inputs+36800outputs (0major+35171235minor)pagefaults 0swaps
      > 83 test files, 77 files passed, 1724 unit tests, 4 error, 33 warning
      > 6.80user 30.18system 3:45.86elapsed 16%CPU (0avgtext+0avgdata 14064maxresident)k
      > 0inputs+35808outputs (0major+2874minor)pagefaults 0swaps

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>