We print some attribute that maybe the user hasn't defined
for printing. We can't assume that the user want to print
some attribute that we have put mandatory in the rules.
Example:
If we have defined family, the output is like that:
The nft_mnl_batch_talk() is overly complicated for a simple example
that just adds one single rule. Simplify this to prepare the merge
of nft-rule-insert, which looks very similar.
This patch adds two functions that allows you to validate the size
of the attribute. This new functions provide a replacement for
nft_rule_attr_set and nft_rule_attr_get.
The data_len parameter was already passed to the {_set|_get} funcion
in expressions. For consistency, add nft_rule_expr_{set|get}_data
alias.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This fixes the following compilation warning when compiling with old
kernel headers.
CC expr/target.lo
expr/target.c: In function ‘nft_rule_expr_target_build’:
expr/target.c:127: warning: implicit declaration of function ‘__ALIGN_KERNEL’
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Tue, 21 Jan 2014 12:08:32 +0000 (13:08 +0100)]
include: add stdint.h to common.h
This fixes:
/usr/local/include/libnftnl/common.h:25:49: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:25:63: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:26:10: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:26:25: error: unknown type name ‘uint32_t’
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Sat, 18 Jan 2014 16:56:45 +0000 (17:56 +0100)]
data_reg: fix verdict format approach
Patrick reports that the XML/JSON formats of the data_reg object
are not accuarate.
This patch updates these formats, so they are now as follow:
* <data_reg type=value> with raw data (this doesn't change).
* <data_reg type=verdict> with a concrete verdict (eg drop accept) and an
optional <chain>, with destination.
In XML:
<data_reg type="verdict">
<verdict>goto</verdict>
<chain>output</chain>
</data_reg>
The default output format is updated to reflect these changes (minor collateral
thing).
When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN
flag, a basic check for the chain not being NULL is done, instead of evaluating
if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol is no longer
used in the data_reg XML/JSON parsing zone.
While at it, I updated the error reporting stuff regarding data_reg/verdict, in
order to leave a consistent state in the library.
A JSON testfile is updated as well.
Reported-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 15 Jan 2014 18:18:46 +0000 (19:18 +0100)]
expr: ct: fix missing NFT_CT_L3PROTOCOL in ctkey2str_array
Due to missing NFT_CT_L3PROTOCOL key in ctkey2str_array, a segfault is
produced when the str2ctkey() loop reaches that position, since strcmp()
will try to compare a NULL value.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 15 Jan 2014 11:12:18 +0000 (12:12 +0100)]
tests: xml: delete comments
When building a XML tree, only one root node can be in place. This is
a "feature" added in libmxml 2.7:
<<<
mxmlLoad... did not error out on XML with multiple root nodes (Bug #403)
>>>
In libmxml 2.6 the second root node was ignored, not because it was a
comment but a bug. Our files had two root nodes, being comments or not.
libmxml accept comments, but inside the root node.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Kristian Evensen [Sat, 11 Jan 2014 13:23:35 +0000 (14:23 +0100)]
expr: ct: Add support for setting the mark
This patch adds userspace support for setting properties of tracked connections.
Currently, the connection mark is supported. This can be used to implemented the
same functionality as iptables -j CONNMARK --save-mark.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Kristian Evensen [Sat, 11 Jan 2014 13:03:17 +0000 (14:03 +0100)]
meta: Let user specify any combination of sreg/dreg
libnftables should not mask kernel errors. Let user specify any combination of
parameters and leave the error-checking to the kernel. The kernel will return
-EINVAL and users will know that they have to fix their code. This patch also a
removes a redundant variable that was passed to the snprintf-functions (flag).
A second iteration might be needed. I was not sure how to deal with
snprintf_default in the case of both sreg and dreg.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: fix compilation due to missing NFPROTO_INET definition
This adds a copy of the include/linux/netfilter.h kernel header
that defines NFPROTO_INET, so libnftables compiles with relatively
old kernel headers in the system.
chain.c: In function 'nft_hooknum2str':
chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)
This required to reorder and remove unneeded headers in src/expr/data_reg.c
to avoid a compilation warning due to redefinition of __visible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Thu, 9 Jan 2014 11:19:06 +0000 (12:19 +0100)]
src: rework and generalize the build/parse system
The intention behind this patch is to prepare the introduction of
the new API that will allow us to parse files that contain the rule-sets
expressed in XML/JSON format. This adds the NFT_PARSE_BUFFER that
indicates that the input is provided in a buffer, which is what we
currently support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: new error reporting approach for XML/JSON parsers
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 9 Oct 2013 10:18:12 +0000 (12:18 +0200)]
examples: nft-set-get: retrieve all sets via unspec
Other nftables objects are allowed to be dumped with NFPROTO_UNSPEC.
With sets is also possible since kernel patch c9c8e48 ("netfilter: nf_tables:
dump sets in all existing families").
This patch fixes how --without-{xml,json}-parsing (and subsequently
--with-{xml,json}-parsing=no) is handled. Prior to this,
--without-{xml,json}-parsing actually resulted in libnftables being
built with that parsing enabled.
Signed-off-by: Douglas Freed <dwfreed@mtu.edu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
examples: nft-rule-add: use existing batch infrastructure
This patch reworks the existing example to add the rule:
nft add rule ip filter input tcp dport 22 counter
It uses the existing nfnl batching approach using the generic mnl
netlink message batching infrastructure. It also removed the code
that uses xtables compat code.
Based on original patch by Arturo Borrero Gonzalez.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Thu, 28 Nov 2013 11:30:10 +0000 (12:30 +0100)]
tests: expr-target: fix deprecation warning
This fixes the following warning:
In file included from nft-expr_target-test.c:19:0: /usr/include/linux/netfilter_ipv4/ipt_LOG.h:4:2: warning: #warning "Please update iptables, this file will be removed soon!" [-Wcpp]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add new function nft_nlmsg_build_hdr which consolidates all existing
functions to build headers per object. They basically look the same.
This patch still provides aliases for consistency in the naming
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Wed, 20 Nov 2013 11:23:12 +0000 (12:23 +0100)]
tests: add unit tests for libnftables
These tests create an initial object 'a' whose attributes are
set to arbitrary values. Then, that object is converted to a
Netlink message which is parsed to obtain the object 'b'. If
things go well, the original object 'a' and the transformed
object 'b' should be equivalent. Thus, we make sure that object
transformations through the main library APIs are correct.
These tests have helped to catch the following bugs in this library:
(3cf788a72 expr: fix leak in target and match expressions)
(4182e574f expr: match: fix wrong flag setting in nft_rule_expr_match_parse)
(0bec6bc5e expr: log: release prefix)
(2b690deea expr: log: fix missing \0 when sending log prefix to kernel)
(e55c7afcf expr: target: fix wrong info length in nft_rule_expr_target_parse)
(8fc4d4bd2 expr: log: fix wrong attribute type in nft_rule_expr_log_parse)
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Tue, 19 Nov 2013 16:56:18 +0000 (17:56 +0100)]
expr: log: fix missing \0 when sending log prefix to kernel
If I run my automatic unit test for libnftables, It shows:
"ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
a: test
b: test\ 6
^^
garbage
The problem was in nft_rule_expr_log_build function. With
the attached patch, we use mnl_attr_put_strz() instead of
mnl_attr_put_str() as in other functions in the library.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey reported a leak in the log expression. Fix it by using
the new .free interface added in (3cf788a expr: fix leak in target
and match expressions).
Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Release internal data area for match and target expressions.
==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==30104== by 0x400C2F: main (nft-expr_match-test.c:65)
Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt [Mon, 28 Oct 2013 12:27:18 +0000 (13:27 +0100)]
build: resolve build errors in dependent programs
The headers do not compile standalone which may cause compilation
problems to third party programs.
$ gcc -x c -Wall -c *.h
chain.h:62:35: error: unknown type name ‘size_t’
expr.h:40:39: error: unknown type name ‘size_t’
rule.h:60:34: error: unknown type name ‘size_t’
ruleset.h:20:1: error: unknown type name ‘bool’
ruleset.h:20:59: error: unknown type name ‘uint16_t’
ruleset.h:21:52: error: unknown type name ‘uint16_t’
ruleset.h:22:50: error: unknown type name ‘uint16_t’
ruleset.h:23:63: error: unknown type name ‘uint16_t’
ruleset.h:39:37: error: unknown type name ‘size_t’
ruleset.h:39:80: error: unknown type name ‘uint32_t’
ruleset.h:39:95: error: unknown type name ‘uint32_t’
set.h:40:33: error: unknown type name ‘size_t’
set.h:110:38: error: unknown type name ‘size_t’
table.h:50:35: error: unknown type name ‘size_t’
Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Fix a build issue on header inclusion in internal.h
Fixes:
In file included from utils.c:11:0:
./internal.h:93:17: error: unknown type name 'FILE'
int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags, int
(*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type,
uint32_t flags));
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Tue, 29 Oct 2013 22:44:25 +0000 (23:44 +0100)]
src: add fprintf API functions
Now it's possible to print directly from libnftables to a file or
other stream. The caller must explicitly print the trailing '\n'
in this call.
The error reporting of fprintf (< 0) is respected. However, we have
already print some information in case that the default (plain text)
output is used, that output is mostly intended for debugging so it
should not be a problem.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Fri, 25 Oct 2013 16:55:31 +0000 (09:55 -0700)]
src: fix possible null pointer dereference in nft_*_attr_get_*
As reported by John Sager, nft_set_attr_get_u32 can cause a
segfault because nft_set_attr_get can return NULL. Check for
a non-NULL pointer before dereferencing.
This closes netfilter bugzilla #868.
[ I have mangled this patch to solve possible null pointer
dereference with get operations with rule objects --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Thu, 24 Oct 2013 15:00:58 +0000 (17:00 +0200)]
test: xml: fix malformed ruleset testfile
Give a new XML ruleset testfile. For some reason, the previous was truncated.
This passed silently as nft-parsing-test is not reporting some errors properly.
This new file provides:
* 2 tables
* 3 chains
* 2 sets, with and without maps
* 3 rules with mixed exprs
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Tue, 22 Oct 2013 08:48:22 +0000 (10:48 +0200)]
expr: limit: operational limit match
The nft limit match currently does not work at all. Below patches to
nftables, libnftables, and kernel address the issue. A few notes on
the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / libnftnl.git / log
