src: utils: add verdict2str and use it
authorArturo Borrero <arturo.borrero.glez@gmail.com>
Thu, 25 Jul 2013 20:20:33 +0000 (22:20 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 25 Jul 2013 20:28:53 +0000 (22:28 +0200)
Add verdict2str() and str2verdict() helper functions and use in XML.

While at it, I've fixed a small style issue in the data_reg JSON output and
a bug in the data_reg XML parser: the parser walked the top-level tree
instead of the single <data_reg> node. Introduced in (51370f0 src: add support
for XML parsing).

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/expr/data_reg.c
src/internal.h
src/utils.c

index b290b96ff34ce165f88f91715343fc8b0260120b..85c441ed7fb05e0cd685fb0ab98a2b5990d7f51c 100644 (file)
@@ -31,8 +31,8 @@ static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg, char *xml)
 {
        mxml_node_t *tree = NULL;
        mxml_node_t *node = NULL;
-       char *endptr;
-       long int tmp;
+       int verdict;
+       const char *verdict_str;
 
        tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
        if (tree == NULL)
@@ -47,33 +47,30 @@ static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg, char *xml)
        }
 
        /* Get and validate <data_reg type="verdict" >*/
-       if (mxmlElementGetAttr(tree, "type") == NULL) {
+       if (mxmlElementGetAttr(node, "type") == NULL) {
                mxmlDelete(tree);
                return -1;
        }
 
-       if (strcmp(mxmlElementGetAttr(tree, "type"), "verdict") != 0) {
+       if (strcmp(mxmlElementGetAttr(node, "type"), "verdict") != 0) {
                mxmlDelete(tree);
                return -1;
        }
 
        /* Get and set <verdict> */
-       node = mxmlFindElement(tree, tree, "verdict", NULL, NULL,
-                              MXML_DESCEND_FIRST);
-       if (node == NULL) {
+       verdict_str = nft_mxml_str_parse(tree, "verdict", MXML_DESCEND);
+       if (verdict_str == NULL) {
                mxmlDelete(tree);
                return -1;
        }
 
-       errno = 0;
-       tmp = strtoll(node->child->value.opaque, &endptr, 10);
-       if (tmp > INT_MAX || tmp < INT_MIN || errno != 0
-                                               || strlen(endptr) > 0) {
+       verdict = nft_str2verdict(verdict_str);
+       if (verdict < 0) {
                mxmlDelete(tree);
                return -1;
        }
 
-       reg->verdict = tmp;
+       reg->verdict = (uint32_t)verdict;
 
        mxmlDelete(tree);
        return 0;
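Review bot: The new `if (verdict < 0)` check treats every negative return from `nft_str2verdict()` as a parse error, but in `linux/netfilter/nf_tables.h` the `NFT_JUMP`, `NFT_GOTO` and `NFT_RETURN` verdicts are themselves negative and `-1` is the value of `NFT_CONTINUE`. As written, "jump", "goto" and "return" would be rejected here even though the utils.c hunk maps them, so a ruleset using those verdicts cannot be loaded from XML. Separating status from value fixes it: declare `int nft_str2verdict(const char *verdict, int *out);` in internal.h, store the verdict through `out`, and test `if (nft_str2verdict(verdict_str, &verdict) != 0)` here. The function body starts outside this hunk.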
@@ -97,34 +94,27 @@ static int nft_data_reg_chain_xml_parse(union nft_data_reg *reg, char *xml)
        }
 
        /* Get and validate <data_reg type="chain" >*/
-       if (mxmlElementGetAttr(tree, "type") == NULL) {
+       if (mxmlElementGetAttr(node, "type") == NULL) {
                mxmlDelete(tree);
                return -1;
        }
 
-       if (strcmp(mxmlElementGetAttr(tree, "type"), "chain") != 0) {
+       if (strcmp(mxmlElementGetAttr(node, "type"), "chain") != 0) {
                mxmlDelete(tree);
                return -1;
        }
 
        /* Get and set <chain> */
-       node = mxmlFindElement(tree, tree, "chain", NULL, NULL, MXML_DESCEND);
-       if (node == NULL) {
-               mxmlDelete(tree);
-               return -1;
-       }
+       if (reg->chain)
+               free(reg->chain);
 
-       /* no max len value to validate? */
-       if (strlen(node->child->value.opaque) < 1) {
+       reg->chain = (char *)nft_mxml_str_parse(tree, "chain",
+                                               MXML_DESCEND);
+       if (reg->chain == NULL) {
                mxmlDelete(tree);
                return -1;
        }
 
-       if (reg->chain)
-               free(reg->chain);
-
-       reg->chain = strdup(node->child->value.opaque);
-
        mxmlDelete(tree);
        return 0;
 }
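Review bot: `reg->chain` is now assigned straight from `nft_mxml_str_parse()` with a cast that drops `const`, and `mxmlDelete(tree)` follows immediately, where the removed code stored a `strdup()` copy. The helper's body is not part of this diff; if it returns a pointer into the mxml tree, `reg->chain` dangles after the delete and the `free(reg->chain)` on the next parse frees memory the register never owned. If it returns a heap copy instead, the `const char *` prototype is misleading and `verdict_str` in nft_data_reg_verdict_xml_parse() is never freed. Either keep the copy at the call site, `reg->chain = strdup(chain_str);` followed by a NULL check, or make the helper return `char *` and document that the caller frees. The function starts outside this hunk.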
@@ -346,13 +336,15 @@ int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg,
                case NFT_RULE_O_XML:
                        return snprintf(buf, size,
                                        "<data_reg type=\"verdict\">"
-                                               "<verdict>%d</verdict>"
-                                       "</data_reg>", reg->verdict);
+                                               "<verdict>%s</verdict>"
+                                       "</data_reg>",
+                                       nft_verdict2str(reg->verdict));
                case NFT_RULE_O_JSON:
                        return snprintf(buf, size,
-                                       "\"data_reg\": { \"type\" : \"verdict\", "
-                                               "\"verdict\" : %d"
-                                       "}", reg->verdict);
+                                       "\"data_reg\": {"
+                                               "\"type\" : \"verdict\", "
+                                               "\"verdict\" : \"%s\""
+                                       "}", nft_verdict2str(reg->verdict));
                default:
                        break;
                }
index fc78233054c03b44832c903094f4ac2a89fcbae9..b846814c302364967cd66a86a469821c1e2225fa 100644 (file)
@@ -49,6 +49,8 @@ const char *nft_mxml_str_parse(mxml_node_t *tree, const char *node_name, uint32_
 const char *nft_family2str(uint32_t family);
 int nft_str2family(const char *family);
 int nft_strtoi(const char *string, int base, void *number, enum nft_type type);
+const char *nft_verdict2str(uint32_t verdict);
+int nft_str2verdict(const char *verdict);
 
 struct expr_ops;
 
index 4a0bb9cb17b251b551ee5ba326b0d4172fe95ce4..7b5b9748a29b9035024a3510696b2102ba480e28 100644 (file)
@@ -17,6 +17,9 @@
 #include <errno.h>
 #include <inttypes.h>
 
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+
 const char *nft_family2str(uint32_t family)
 {
        switch (family) {
@@ -117,3 +120,37 @@ int nft_strtoi(const char *string, int base, void *out, enum nft_type type)
 
        return 0;
 }
+
+const char *nft_verdict2str(uint32_t verdict)
+{
+       switch (verdict) {
+       case NF_ACCEPT:
+               return "accept";
+       case NF_DROP:
+               return "drop";
+       case NFT_RETURN:
+               return "return";
+       case NFT_JUMP:
+               return "jump";
+       case NFT_GOTO:
+               return "goto";
+       default:
+               return "unknown";
+       }
+}
+
+int nft_str2verdict(const char *verdict)
+{
+       if (strcmp(verdict, "accept") == 0)
+               return NF_ACCEPT;
+       else if (strcmp(verdict, "drop") == 0)
+               return NF_DROP;
+       else if (strcmp(verdict, "return") == 0)
+               return NFT_RETURN;
+       else if (strcmp(verdict, "jump") == 0)
+               return NFT_JUMP;
+       else if (strcmp(verdict, "goto") == 0)
+               return NFT_GOTO;
+
+       return -1;
+}
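Review bot: `nft_verdict2str()` falls back to `"unknown"` for every value outside the five listed, and `nft_str2verdict()` rejects that string. A register holding, for example, `NFT_CONTINUE`, `NFT_BREAK` or `NF_QUEUE` is therefore printed by nft_data_reg_snprintf() in a form that cannot be parsed back, and the numeric verdict is lost. Adding the missing cases to both tables, or printing the number when no name matches, would keep export and import symmetric. `nft_str2verdict()` also passes its argument to `strcmp()` unchecked; the caller in data_reg.c tests for NULL first, but a comment such as `/* verdict must be a non-NULL, NUL-terminated string */` would record that contract.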