summaryrefslogtreecommitdiffstats
path: root/src/main.c
Commit message (Collapse)AuthorAgeFilesLines
* main: fix nft --help output fallout from 719e4427Štěpán Němec2021-02-221-3/+4
| | | | | | | | | Long options were missing the double dash. Fixes: 719e44277f8e ("main: use one data-structure to initialize getopt_long(3) arguments and help.") Cc: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix typo in cli definitionPablo Neira Ayuso2021-01-061-1/+1
| | | | | | | | 9420423900a2 ("cli: add libedit support") updated HAVE_LIBREADLINE to HAVE_READLINE by mistake. Fixes: 9420423900a2 ("cli: add libedit support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: add libedit supportPablo Neira Ayuso2021-01-051-1/+3
| | | | | | | | Extend cli to support for libedit readline shim code: ./configure --with-cli=editline Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: rearrange help output to group related options togetherArturo Borrero Gonzalez2020-07-291-53/+83
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It has been reported that nft options are a bit chaotic. With a growing list of options for the nft CLI, we can do better when presenting them to the user who requests help. This patch introduces a textual output grouping for options, in 4 groups: * Options (general) -- common Unix utility options * Options (operative) -- the options that modify the operative behaviour of nft * Options (translation) -- output text modifiers for data translation * Options (parsing) -- output text modifiers for parsing and other operations There is no behavior change in this patch, is mostly a cosmetic change in the hope that users will find the nft tool a bit less confusing to use. After this patch, the help output is: === 8< === % nft --help Usage: nft [ options ] [ cmds... ] Options (general): -h, help Show this help -v, version Show version information -V Show extended version information Options (ruleset input handling): -f, file <filename> Read input from <filename> -i, interactive Read input from interactive CLI -I, includepath <directory> Add <directory> to the paths searched for include files. Defaul[..] -c, check Check commands validity without actually applying the changes. Options (ruleset list formatting): -a, handle Output rule handle. -s, stateless Omit stateful information of ruleset. -t, terse Omit contents of sets. -S, service Translate ports to service names as described in /etc/services. -N, reversedns Translate IP addresses to names. -u, guid Print UID/GID as defined in /etc/passwd and /etc/group. -n, numeric Print fully numerical output. -y, numeric-priority Print chain priority numerically. -p, numeric-protocol Print layer 4 protocols numerically. -T, numeric-time Print time values numerically. Options (command output format): -e, echo Echo what has been added, inserted or replaced. -j, json Format output in JSON -d, debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, p[..] === 8< === While at it, refresh the man page to better reflex this new grouping, and add some missing options. Joint work with Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix build with gcc <= 4.8Fabrice Fontaine2020-06-081-1/+3
| | | | | | | | | | | | | | | Since commit 719e44277f8e89323a87219b4d4bc7abac05b051, build with gcc <= 4.8 fails on: main.c:186:2: error: 'for' loop initial declarations are only allowed in C99 mode for (size_t i = IDX_INTERACTIVE + 1; i < NR_NFT_OPTIONS; ++i) ^ Fixes: - http://autobuild.buildroot.org/results/cf2359b8311fe91f9335c91f2bb4a730c9f4c9dc Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix get_optstring truncating outputMichael Braun2020-05-021-1/+3
| | | | | | | | | | | | Without this patch, get_optstring returns optstring = +hvVcf:insNSI:d:aejuy. After this patch, get_optstring returns optstring = +hvVcf:insNSI:d:aejuypTt This is due to optstring containing up to two chars per option, thus it was too short. Fixes: 906facf31d1d ("main: fix ASAN -fsanitize=address error in get_optstring()") Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix ASAN -fsanitize=address error in get_optstring()Michael Braun2020-05-011-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft list table bridge t ================================================================= ==28552==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5579c662e816 at pc 0x7fc2803246aa bp 0x7fff495c86f0 sp 0x7fff495c7ea0 WRITE of size 2 at 0x5579c662e816 thread T0 #0 0x7fc2803246a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) #1 0x7fc2803249f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6) #2 0x5579c661e7d2 in get_optstring nftables/src/main.c:128 #3 0x5579c66202af in main nftables/src/main.c:315 #4 0x7fc27ea7b09a in __libc_start_main ../csu/libc-start.c:308 #5 0x5579c661e439 in _start (nftables/src/.libs/nft+0x9439) 0x5579c662e816 is located 0 bytes to the right of global variable 'optstring' defined in 'main.c:121:14' (0x5579c662e800) of size 22 0x5579c662e816 is located 42 bytes to the left of global variable 'options' defined in 'main.c:137:23' (0x5579c662e840) of size 672 SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf Shadow bytes around the buggy address: 0x0aafb8cbdcb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdcc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdcd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdce0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdcf0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 =>0x0aafb8cbdd00: 00 00[06]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0aafb8cbdd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28552==ABORTING Fixes: 719e44277f8e ("main: use one data-structure to initialize getopt_long(3) arguments and help.") Signed-of-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: swap json and gmp fields in nft -VPablo Neira Ayuso2020-04-011-1/+1
| | | | | | | | | | | | | | | | | | | | | # ./configure --with-xtable --with-json ... # make ... # make install ... # nft -V nftables v0.9.3 (Topsy) cli: readline json: no minigmp: yes libxtables: yes json: and minigmp: are accidentally swapped. I introduced this bug while mangling Jeremy's original patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: use one data-structure to initialize getopt_long(3) arguments and help.Jeremy Sowden2020-03-101-113/+138
| | | | | | | | By generating the getopt_long(3) optstring and options, and the help from one source, we reduce the chance that they may get out of sync. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: interpolate default include path into help format-string.Jeremy Sowden2020-03-101-2/+2
| | | | | | | | The default include path is a string literal defined as a preprocessor macro by autoconf. We can just interpolate it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: include '--reversedns' in help.Jeremy Sowden2020-03-101-1/+1
| | | | | | | The long option for '-N' was omitted from the help. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: include '-d' in help.Jeremy Sowden2020-03-101-20/+20
| | | | | | | The short option for '--debug' was omitted from the help. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: remove duplicates from option string.Jeremy Sowden2020-03-051-1/+1
| | | | | | | | The string of options passed to getopt_long(3) contains duplicates. Update it to match the opt_vals enum which immediately precedes it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: add more information to `nft -V`.Jeremy Sowden2020-03-051-1/+45
| | | | | | | | | | | | | | | | | In addition to the package-version and release-name, output the CLI implementation (if any) and whether mini-gmp was used, e.g.: $ ./src/nft -V nftables v0.9.3 (Topsy) cli: linenoise json: yes minigmp: no libxtables: yes [pablo@netfilter.org: add json and libxtables, use -V ] Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: restore --debugPablo Neira Ayuso2020-01-091-2/+4
| | | | | | | Broken since options are mandatory before commands. Fixes: fb9cea50e8b3 ("main: enforce options before commands") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: enforce options before commandsPablo Neira Ayuso2019-12-181-1/+45
| | | | | | | | | | | | | | | | | This patch turns on POSIXLY_CORRECT on the getopt parser to enforce options before commands. Users get a hint in such a case: # nft list ruleset -a Error: syntax error, options must be specified before commands nft list ruleset -a ^ ~~ This patch recovers 9fc71bc6b602 ("main: Fix for misleading error with negative chain priority"). Tests have been updated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: remove duplicate output flag assignment.Jeremy Sowden2019-10-231-1/+0
| | | | | | | | | `NFT_CTX_OUTPUT_NUMERIC_TIME` is implicit in `NFT_CTX_OUTPUT_NUMERIC_ALL`: there are is no need explicitly to OR it into output_flags when `--numeric` is passed. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: add missing `OPT_NUMERIC_PROTO` long option.Jeremy Sowden2019-10-231-0/+4
| | | | | | | | The `options` array is missing an entry for `OPT_NUMERIC_PROTO`. Add a new option, `--numeric-protocol`, consistent with the documentation. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "main: Fix for misleading error with negative chain priority"Phil Sutter2019-10-231-1/+1
| | | | | | | | | | | This reverts commit 9fc71bc6b602c8706d1214e0100bcd7638c257e3. Given that this change breaks typical commands like 'nft list ruleset -a' while on the other hand escaping of semicolons and (depending on shell) curly braces is still required, decision was made to not go with this solution. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add --terse to suppress output of set elements.Jeremy Sowden2019-10-221-1/+10
| | | | | | | | | | | | Listing an entire ruleset or a table with `nft list` prints the elements of all set definitions within the ruleset or table. Seeing the full set contents is not often necessary especially when requesting to see someone's ruleset for help and support purposes. Add a new option '-t, --terse' options to suppress the output of set contents. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use `-T` as the short option for `--numeric-time`.Jeremy Sowden2019-10-221-3/+3
| | | | | | | | | A new `--terse` option will be introduced in a later patch. Change the short option used for `--numeric-time` from `-t` to `-T` in order to leave `-t` free. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Fix for misleading error with negative chain priorityPhil Sutter2019-10-211-1/+1
| | | | | | | | | | | | | | | | | getopt_long() would try to parse the negative priority as an option and return -1 as it is not known: | # nft add chain x y { type filter hook input priority -30\; } | nft: invalid option -- '3' Fix this by prefixing optstring with a plus character. This instructs getopt_long() to not collate arguments but just stop after the first non-option, leaving the rest for manual handling. In fact, this is just what nft desires: mixing options with nft syntax leads to confusive command lines anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-061-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* main: replace NFT_EXIT_NOMEM by EXIT_FAILUREPablo Neira Ayuso2019-07-051-2/+1
| | | | | | | The main.c file always uses either EXIT_FAILURE or EXIT_SUCCESS, replace this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use malloc() and free() from cli and mainPablo Neira Ayuso2019-07-051-1/+1
| | | | | | | | | xmalloc() and xfree() are internal symbols of the library, do not use them. Fixes: 16543a0136c0 ("libnftables: export public symbols only") Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: don't use xzalloc()Arturo Borrero Gonzalez2019-07-011-1/+7
| | | | | | | | | | | | In the current setup, nft (the frontend object) is using the xzalloc() function from libnftables, which does not makes sense, as this is typically an internal helper function. In order to don't use this public libnftables symbol (a later patch just removes it), let's use calloc() directly in the nft frontend. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Bail if non-available JSON was requestedPhil Sutter2019-06-251-0/+3
| | | | | | | | | | If user passes '-j' flag, falling back to standard syntax output probably causes more harm than good so instead print an error message and exit(1). Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add -p to print layer 4 protocol numericallyPablo Neira Ayuso2018-10-301-1/+6
| | | | | | | | We keep printing layer 4 protocols as literals since we do not use /etc/protocols. Add -p option to print layer 4 protocols numerically. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of nft_ctx_output_{get,set}_numeric()Pablo Neira Ayuso2018-10-301-12/+2
| | | | | | | | | | | | | | | | | | | | | | | This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last client of the numeric level approach. This patch updates `-n' option semantics to display all output numerically. Note that monitor code was still using the -n option to skip printing the process name, this patch updates that path too to print it inconditionally to simplify things. Given the numeric levels have no more clients after this patch, remove that code. Update several tests/shell not to use -nn. This patch adds NFT_CTX_OUTPUT_NUMERIC_ALL which enables all flags to provide a fully numerical output. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add -y to priority base chain nummericallyPablo Neira Ayuso2018-10-291-2/+10
| | | | | | | | By default base chains are printed using default hook priority definitions. Add -y option to print them as numbers. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: default to numeric UID and GID listingPablo Neira Ayuso2018-10-291-1/+10
| | | | | | | | | | | | | Like iptables-save, print UID and GID as numeric values by default. Add a new option `-u' to print the UID and GID names as defined by /etc/passwd and /etc/group. Note that -n is ignored after this patch, since default are numeric printing for UID and GID. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ctx_output_{get,set}_echo() to nft_ctx_output_{get,set}_flagsPablo Neira Ayuso2018-10-291-1/+1
| | | | | | | | Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been send to the kernel. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ctx_output_{get,set}_json() to nft_ctx_output_{get,set}_flagsPablo Neira Ayuso2018-10-291-1/+3
| | | | | | | Add NFT_CTX_OUTPUT_JSON flag and display output in json format. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ctx_output_{get,set}_handle() to nft_ctx_output_{get,set}_flagsPablo Neira Ayuso2018-10-291-1/+1
| | | | | | | | Add NFT_CTX_OUTPUT_HANDLE flag and print handle that uniquely identify objects from new output flags interface. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ctx_output_{get,set}_stateless() to ↵Pablo Neira Ayuso2018-10-291-1/+1
| | | | | | | | | | | | nft_ctx_output_{get,flags}_flags Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new output flags interface. This patch adds nft_output_save_flags() and nft_output_restore_flags() to temporarily disable stateful printing Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Revert --literal, add -S/--servicePablo Neira Ayuso2018-10-291-20/+11
| | | | | | | | | | | | | | | | | | | | | | This is a partial revert of b0f6a45b25dd1 ("src: add --literal option") which was added during the development cycle before 0.9.1 is released. After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that allows to print priority, uid, gid and protocols as numerics, I decided to revisit this to provide individual options to turn on literal printing. What I'm proposing is to provide a good default for everyone, and provide options to turn on literal/numeric printing. This patch adds nft_ctx_output_{set,get}_flags() and define two flags to enable reverse DNS lookups and to print ports as service names. This patch introduces -S/--services, to print service names as per /etc/services. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --literal optionPablo Neira Ayuso2018-07-071-2/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify nft_run_cmd_from_buffer footprintPhil Sutter2018-06-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | With libnftables documentation being upstream and one confirmed external user (nftlb), time to break the API! First of all, the command buffer passed to nft_run_cmd_from_buffer may (and should) be const. One should consider it a bug if that function ever changed it's content. On the other hand, there is no point in passing the buffer's length as separate argument: NULL bytes are not expected to occur in the input, so it is safe to rely upon strlen(). Also, the actual parsers don't require a buffer length passed to them, either. The only use-case for it is when reallocating the buffer to append a final newline character, there strlen() is perfectly sufficient. Suggested-by: Harald Welte <laforge@gnumonks.org> Cc: Laura Garcia Liebana <nevola@gmail.com> Cc: Eric Leblond <eric@regit.org> Cc: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Implement JSON output supportPhil Sutter2018-05-111-1/+10
| | | | | | | | | | | | Although technically there already is support for JSON output via 'nft export json' command, it is hardly useable since it exports all the gory details of nftables VM. Also, libnftables has no control over what is exported since the content comes directly from libnftnl. Instead, implement JSON format support for regular 'nft list' commands. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: fix header exportArturo Borrero Gonzalez2018-05-021-1/+1
| | | | | | | | | | | Instruct Make to actually install the header to the system, otherwise users won't see the header in their system after running 'make install'. Also, export main libnftables header with a proper name, since we have another private header called 'nftables.h' (i.e, let's be concrete with the naming). Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: Fix for input without trailing newlinePhil Sutter2018-04-111-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Input parser implementation requires a newline at end of input, otherwise the last pattern may not be recognized correctly. If input comes from a file, the culprit was YY_INPUT macro not expecting the last line not ending with a newline, so the last word wasn't accepted. This is easily fixed by checking for feof(yyin) in there. A simple test case for that is: | echo -en "table ip t {\nchain c {\n}\n}" >/tmp/foo | nft -f /tmp/foo Input from a string buffer is a bit more tricky: The culprit here is that detection of classid pattern is done by checking the character following it which makes it impossible to sit right at end of input and I haven't found an alternative to that. After dropping the manual newline appending when combining argv into a single buffer in main(), a rule like this won't be recognized anymore: | nft add rule ip t c meta priority feed:babe Since a direct call to run_cmd_from_buffer() via libnftables bypasses the sanitizing done in main() entirely, it has to happen in libnftables instead which means creating a newline-terminated duplicate of the input buffer. Note that main() created a buffer one byte longer than needed since it accounts for whitespace at end of each argv but doesn't add it to the buffer for the last one, so buffer length is reduced by two bytes instead of just one although only one less character is printed into it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Ensure output_fp is never NULLPhil Sutter2017-11-221-1/+0
| | | | | | | | | | | | | | Initialize output_fp to 'stdout' upon context creation and check output stream validity in nft_ctx_set_output(). This allows to drop checks in nft_{gmp_,}print() and do_command_export(). While doing so for the latter, simplify it a bit by using nft_print() which takes care of flushing the output stream. If applications desire to drop all output, they are supposed to open /dev/null and assign that. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Unexport enum nftables_exit_codesPhil Sutter2017-11-161-11/+11
| | | | | | | | | | | | | | | | Apart from SUCCESS/FAILURE, these codes were not used by library functions simply because NOMEM and NONL conditions lead to calling exit() instead of propagating the error condition back up the call stack. Instead, make nft_run_cmd_from_*() return either 0 or -1 on error. Usually errno will then contain more details about what happened and/or there are messages in erec. Calls to exit()/return in main() are adjusted to stay compatible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ prefix to everything exposed through include/nftables/nftables.hPablo Neira Ayuso2017-10-241-13/+13
| | | | | | | | Prepend nft_ prefix before these are exposed, reduce chances we hit symbol namespace pollution problems when mixing libnftables with other existing libraries. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Introduce getters and setters for everythingPhil Sutter2017-10-241-13/+17
| | | | | | | | | | | | | | | | | | | | | | | | | This introduces getter/setter pairs for all parts in struct nft_ctx (and contained structs) which should be configurable. Most of them are simple ones, just allowing to get/set a given field: * nft_ctx_{get,set}_dry_run() -> ctx->check * nft_ctx_output_{get,set}_numeric() -> ctx->output.numeric * nft_ctx_output_{get,set}_stateless() -> ctx->output.stateless * nft_ctx_output_{get,set}_ip2name() -> ctx->output.ip2name * nft_ctx_output_{get,set}_debug() -> ctx->debug_mask * nft_ctx_output_{get,set}_handle() -> ctx->output.handle * nft_ctx_output_{get,set}_echo() -> ctx->output.echo A more complicated case is include paths handling: In order to keep the API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate nft_ctx field include_paths instead. So there is: * nft_ctx_add_include_path() -> add an include path to the list * nft_ctx_clear_include_paths() -> flush the list of include paths Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: Use nft_run_cmd_from_buffer()Phil Sutter2017-10-241-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make CLI code adhere to intended libnftables API by not open coding what nft_run_cmd_from_buffer() does. This way, nft_run() has no users outside of src/libnftables.c anymore and therefore can become static. Since nft_run_cmd_from_buffer() takes care of scanner initialization and libmnl socket passed to cli_init() is present as nft_ctx field as well, signature of cli_init() can be reduced to just take nft_ctx pointer as single argument. Note that this change introduces two (possibly unwanted) side-effects: * Input descriptor passed to scanner_push_buffer() is changed from the CLI-specific one to the one used by nft_run_cmd_from_buffer(). In practice though, this doesn't make a difference: input descriptor types INDESC_CLI and INDESC_BUFFER are treated equally by erec_print(). Also, scanner_push_buffer() NULLs input descriptor name, so that is not used at all in latter code. * Error messages are printed to stderr instead of cli_nft->output. This could be fixed by introducing an 'error_output' field in nft_ctx for nft_run_cmd_from_buffer() to use when printing error messages. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Move library stuff out of main.cPhil Sutter2017-10-241-251/+1
| | | | | | | | This creates src/libnftables.c and include/nftables/nftables.h which will become the central elements of libnftables. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Fix for wrong argument passed to cache_release in nft_ctx_freePhil Sutter2017-10-201-2/+2
| | | | | | | | | nft_ctx_free() should not refer to the global 'nft' variable, this will break as soon as the function is moved away from main.c. In order to use the cache reference from passed argument, the latter must not be const. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Fix debug outputPhil Sutter2017-10-061-2/+8
| | | | | | | | | | | | | | | | | | | When introducing output_fp, debug output in src/evaluate.c was not adjusted and therefore broke. This patch restores eval debug output by applying the following changes: - Change erec_print() and erec_print_list() to take a struct output_ctx pointer as first argument and use output_fp field as destination to print to. - Drop octx_debug_dummy variable and instead use octx pointer from struct eval_ctx for debug output. - Add missing calls to erec_destroy() in eval debug output which should eliminate another mem leak. Fixes: 2535ba7006f22 ("src: get rid of printf") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Drop stdout hack to expose nft_print() implementation issuesPhil Sutter2017-09-291-3/+1
| | | | | | | | | This was helpful when testing nft_print() implementation, but breaks 'nft --help' output. Also, with this in place typical printf-debugging would have to use stderr at all times which is confusing at least. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>