Ana Rey [Tue, 19 Nov 2013 16:56:18 +0000 (17:56 +0100)]
expr: log: fix missing \0 when sending log prefix to kernel
If I run my automatic unit test for libnftables, It shows:
"ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
a: test
b: test\ 6
^^
garbage
The problem was in nft_rule_expr_log_build function. With
the attached patch, we use mnl_attr_put_strz() instead of
mnl_attr_put_str() as in other functions in the library.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey reported a leak in the log expression. Fix it by using
the new .free interface added in (3cf788a expr: fix leak in target
and match expressions).
Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Release internal data area for match and target expressions.
==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==30104== by 0x400C2F: main (nft-expr_match-test.c:65)
Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt [Mon, 28 Oct 2013 12:27:18 +0000 (13:27 +0100)]
build: resolve build errors in dependent programs
The headers do not compile standalone which may cause compilation
problems to third party programs.
$ gcc -x c -Wall -c *.h
chain.h:62:35: error: unknown type name ‘size_t’
expr.h:40:39: error: unknown type name ‘size_t’
rule.h:60:34: error: unknown type name ‘size_t’
ruleset.h:20:1: error: unknown type name ‘bool’
ruleset.h:20:59: error: unknown type name ‘uint16_t’
ruleset.h:21:52: error: unknown type name ‘uint16_t’
ruleset.h:22:50: error: unknown type name ‘uint16_t’
ruleset.h:23:63: error: unknown type name ‘uint16_t’
ruleset.h:39:37: error: unknown type name ‘size_t’
ruleset.h:39:80: error: unknown type name ‘uint32_t’
ruleset.h:39:95: error: unknown type name ‘uint32_t’
set.h:40:33: error: unknown type name ‘size_t’
set.h:110:38: error: unknown type name ‘size_t’
table.h:50:35: error: unknown type name ‘size_t’
Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Fix a build issue on header inclusion in internal.h
Fixes:
In file included from utils.c:11:0:
./internal.h:93:17: error: unknown type name 'FILE'
int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags, int
(*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type,
uint32_t flags));
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Tue, 29 Oct 2013 22:44:25 +0000 (23:44 +0100)]
src: add fprintf API functions
Now it's possible to print directly from libnftables to a file or
other stream. The caller must explicitly print the trailing '\n'
in this call.
The error reporting of fprintf (< 0) is respected. However, we have
already print some information in case that the default (plain text)
output is used, that output is mostly intended for debugging so it
should not be a problem.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Fri, 25 Oct 2013 16:55:31 +0000 (09:55 -0700)]
src: fix possible null pointer dereference in nft_*_attr_get_*
As reported by John Sager, nft_set_attr_get_u32 can cause a
segfault because nft_set_attr_get can return NULL. Check for
a non-NULL pointer before dereferencing.
This closes netfilter bugzilla #868.
[ I have mangled this patch to solve possible null pointer
dereference with get operations with rule objects --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Thu, 24 Oct 2013 15:00:58 +0000 (17:00 +0200)]
test: xml: fix malformed ruleset testfile
Give a new XML ruleset testfile. For some reason, the previous was truncated.
This passed silently as nft-parsing-test is not reporting some errors properly.
This new file provides:
* 2 tables
* 3 chains
* 2 sets, with and without maps
* 3 rules with mixed exprs
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Tue, 22 Oct 2013 08:48:22 +0000 (10:48 +0200)]
expr: limit: operational limit match
The nft limit match currently does not work at all. Below patches to
nftables, libnftables, and kernel address the issue. A few notes on
the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove all the spaces from the JSON output to reduce the size
of the output string, this also provides a consistent output
in table, chain, rule and set.
As Stephen Hemminger suggested, better to squash the output to
consume as less bytes as possible.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: replace size_t by uint32_t in set/get interfaces
This patch breaks the ABI to shrink the size parameter from 8
to 4 bytes in x86_64. The maximum length of netlink attributes
is 2 bytes, so 4 bytes as attribute payload length should be
enough.
After this patch, size_t is only used in the nft_*_snprintf
interfaces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch refactors nft_*_xml_parse to provide a new intermediate function
nft_mxml_parse_* which will allow us to navigate an entire XML tree
containing a ruleset without xml2text2xml conversions.
While at it, I added a helper to build the XML tree and validate the top node
name.
expr: log: use real length when fetching attributes
NFTA_LOG_SNAPLEN is u32 and NFTA_LOG_QTHRESHOLD is u16.
Without this, netlink messages from kernel fail mnl_validate step when
QTHRESH or SNAPLEN was set.
Also, nft_rule_expr_log_get must update data_length, else 'nft list' doesn't
show log arguments (prefix, group ..) because the netlink message
decoding uses nft_rule_expr_get_u16/32 etc. which validate the length, too.
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: json: refactor json parsing to allow tree based navigation
This patch refactors nft_*_json_parse to provide a new
intermediate function nft_jansson_parse_chain which will
allows us to navigate the entire json tree containing the
ruleset.
Signed-off-by: Álvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
json: fixed some leaks in the json parsing function
This patch fixes some leaks in the json parsing function. After this patch,
we use nft_jansson_free_root. This function uses json_decref and it
decrements the reference count and it releases the node if needed.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: xml: don't duplicate string in nft_table_xml_parse
With this patch, nft_table_xml_parse does not duplicate the string
anymore, which is what most callers seem to need. This fixes memleaks
in several places in the code. Thus, this patch also adapts the code
to duplicate it when needed.
Based on patch from Arturo Borrero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==11917== 96 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11917== at 0x4C272B8: calloc (vg_replace_malloc.c:566)
==11917== by 0x4E3A46F: nft_rule_expr_alloc (expr.c:38)
==11917== by 0x4E3A331: nft_jansson_expr_parse (jansson.c:165)
==11917== by 0x4E36F66: nft_rule_json_parse (rule.c:542)
==11917== by 0x400EA4: main (nft-rule-json-add.c:68)
Reported-by: Álvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Before this patch, the test only verified that we could parse
the file. After this, it also compares what it has parsed with
the original file.
Basically, the idea is that:
file -> buffer -> object -> buffer'
read snprintf
So we also compare that buffer = buffer' which should be true
since our tests should be based on the output that the library
generates.
This is an example output for the OK and FAILED cases:
parsing and validating xmlfiles/25-rule-exthdr.xml: OK
validating xmlfiles/27-rule-limit.xml: FAILED
from file: it"><rate>123123</ra
from snprintf: it"><rate>321321</ra
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
These XML files are intented to be used for automated tests. Thus, it's
important to have exactly the same output that was generated by the library.
The beautified output does not match the real output that the library provides
and it just makes things harder for us to provide a more advanced automated
testing.
If you want to make any of those file human readable, please use:
xmllint --format file.xml
or open the xml file and any browser, eg. firefox.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Move nft_mxml_set_elem_parse to set_elem.c to improve readability, thus,
we don't need to jump from set_elem.c to mxml.c to see how the parsing
is done.
I have also refactored some common parsing code in the new helper
function nft_mxml_set_elem_parse, that avoids conversions from XML tree
to text and then again back to tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / libnftnl.git / log
