From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: Netfilter Development Mailing list <netfilter-devel@vger.kernel.org>
Subject: Re: [libnftables PATCH] test: add testbench for XML
Date: Sat, 22 Jun 2013 14:25:55 +0200 [thread overview]
Message-ID: <20130622122555.GA3597@localhost> (raw)
In-Reply-To: <CAOkSjBiaN=GR7emE1W5-GjB3yDQfDNKtbqzj_eT+gv0sJZgkLA@mail.gmail.com>
Hi Arturo,
On Sat, Jun 22, 2013 at 12:44:09AM +0200, Arturo Borrero Gonzalez wrote:
> Hi Pablo,
>
> I already have a patch series to address yours requests.
> But, please, I need some more details in the next issues:
>
> 2013/6/20 Pablo Neira Ayuso <pablo@netfilter.org>:
> >> diff --git a/test/xmlfiles/rule_exthdr.xml b/test/xmlfiles/rule_exthdr.xml
> >> new file mode 100644
> >> index 0000000..0abeb3c
> >> --- /dev/null
> >> +++ b/test/xmlfiles/rule_exthdr.xml
> >> @@ -0,0 +1,12 @@
> >> +<rule family="2" table="filter" chain="INPUT" handle="100" version="0">
> >> + <rule_flags>0</rule_flags>
> >> + <flags>127</flags>
> >> + <compat_flags>0</compat_flags>
> >> + <compat_proto>0</compat_proto>
> >> + <expr type="exthdr">
> >> + <dreg>123</dreg>
> >
> > fix.
> >
> >> + <type>15</type>
> >
> > Possibilities are defined by: nft_exthdr_attributes
>
> I did not understand this.
> In include/uapi/linux/netfilter/nf_tables.h I have:
>
> enum nft_exthdr_attributes {
> NFTA_EXTHDR_UNSPEC,
> NFTA_EXTHDR_DREG,
> NFTA_EXTHDR_TYPE,
> NFTA_EXTHDR_OFFSET,
> NFTA_EXTHDR_LEN,
> __NFTA_EXTHDR_MAX
> };
>
> What should I do with this?
Bad pointer, sorry. Possible types for exthdr are defined by certain
IPPROTO_*, in nft:
static const struct exthdr_desc *exthdr_protocols[IPPROTO_MAX] = {
[IPPROTO_HOPOPTS] = &exthdr_hbh,
[IPPROTO_ROUTING] = &exthdr_rt,
[IPPROTO_FRAGMENT] = &exthdr_frag,
[IPPROTO_DSTOPTS] = &exthdr_dst,
[IPPROTO_MH] = &exthdr_mh,
};
To simplify, you can try to generate a rule with nft that uses exthdr
and dump it via libnftables, so you don't need to make up the
testbench. Send a private email if you have any trouble with this.
> >> diff --git a/test/xmlfiles/rule_immediate.xml b/test/xmlfiles/rule_immediate.xml
> >> new file mode 100644
> >> index 0000000..a566ca5
> >> --- /dev/null
> >> +++ b/test/xmlfiles/rule_immediate.xml
> >> @@ -0,0 +1,31 @@
> >> +<rule family="2" table="filter" chain="INPUT" handle="100" version="0">
> >> + <rule_flags>0</rule_flags>
> >> + <flags>127</flags>
> >> + <compat_flags>0</compat_flags>
> >> + <compat_proto>0</compat_proto>
> >> + <expr type="immediate">
> >> + <dreg>1</dreg>
> >> + <immdata>
> >> + <data_reg type="value">
> >> + <len>1</len>
> >> + <data0>0xaabbccdd</data0>
> >
> > Lenghs says 1 byte, but I can see way more stuff there.
>
> mmmm,
>
> the XML node 'len' means how many '<data>' nodes we have.
>
> Then, the actual length of the data is somehow hard-coded in the lib
> and is calculated this way:
> data_reg.len = xml_node_len_value * sizeof(data_reg.val[0])
That data_reg.len should be the number of bytes, not the number of
registers in use. You have to fix that.
> Maybe is not fully implemented yet, but I already have an incoming
> patch to address this.
>
> >> diff --git a/test/xmlfiles/rule_log.xml b/test/xmlfiles/rule_log.xml
> >> new file mode 100644
> >> index 0000000..5471fee
> >> --- /dev/null
> >> +++ b/test/xmlfiles/rule_log.xml
> >> @@ -0,0 +1,12 @@
> >> +<rule family="2" table="filter" chain="INPUT" handle="100" version="0">
> >> + <rule_flags>0</rule_flags>
> >> + <flags>127</flags>
> >> + <compat_flags>0</compat_flags>
> >> + <compat_proto>0</compat_proto>
> >> + <expr type="log">
> >> + <group>123123121</group>
> >
> > possible groups are 0-65535.
>
> Maybe I should also change the group data type to uint16_t.
We have to fix that in kernel code as well. I'll take care of it, just
use a 2^16 value in your testbench files.
> >> diff --git a/test/xmlfiles/rule_nat.xml b/test/xmlfiles/rule_nat.xml
> >> new file mode 100644
> >> index 0000000..868be50
> >> --- /dev/null
> >> +++ b/test/xmlfiles/rule_nat.xml
> >> @@ -0,0 +1,22 @@
> >> +<rule family="2" table="filter" chain="INPUT" handle="100" version="0">
> >> + <rule_flags>0</rule_flags>
> >> + <flags>127</flags>
> >> + <compat_flags>0</compat_flags>
> >> + <compat_proto>0</compat_proto>
> >> + <expr type="nat">
> >> + <sreg_addr_min>1</sreg_addr_min>
> >> + <sreg_addr_max>1</sreg_addr_max>
> >
> > These above are IPv4 / IPv6 addresses. Should be printable ini
> > human readable format, you probably use inet_ntop for output and
> > inet_pton for input.
> >
> >> + <sreg_proto_min>1</sreg_proto_min>
> >> + <sreg_proto_max>1</sreg_proto_max>
> >
> > max here is 2^16 as they are port numbers.
> >
> >> + <family>AF_INET6</family>
> >
> > would be good to replace this by ip6.
> >
> >> + <type>NFT_NAT_DNAT</type>
> >
> > and this by dnat.
> >
> >> + </expr>
> >> + <expr type="nat">
> >
> > The ipv4 part is asking for a new file, add rule_nat-ipv4.xml and
> > rule_nat-ipv6.xml
> >
>
> I will do it. But I think that from the parsing point of view, is the
> same having two nat expr in one <rule> file.
Yes, the parser will take it. But from the semantic point of view it
does not make sense.
> >> diff --git a/test/xmlfiles/table2.xml b/test/xmlfiles/table2.xml
> >> new file mode 100644
> >> index 0000000..de8e570
> >> --- /dev/null
> >> +++ b/test/xmlfiles/table2.xml
> >> @@ -0,0 +1,6 @@
> >> +<table name="nat" version="0">
> >> + <properties>
> >> + <family>10</family>
> >> + <table_flags>123</table_flags>
> >
> > The only table flag is defined by enum nft_table_flags.
> >
>
> What if we have some kind of general validation functions?
>
> - The xml_parse() will just translate the XML to an object, with no
> additional validations.
> - The validate() will take care of values being 'real'.
>
> Example:
>
> int nft_table_validate(struct nft_table t)
> {
> /* validate family or return -1 */
> /* validate table_flags or return -1*/
> /* validate...maybe name length or return -1*/
> }
> EXPORT_SYMBOL(nft_table_validate);
>
> I think this may be useful both for userspace programs (who used
> _set() and _unset() funcs) and the JSON stuff.
> And it will not require so many lines of code.
> At the end, from inside the xml_parse() function we can call
> _validate() and only consider the parsing done if the object
> validates.
> Its a good idea? Should I work on this?
Let's revisit this later. The kernel will just bail out if you pass
some invalid configuration, that's just fine by now.
Just stick to fixing the issues I spotted and make sure we have a
realistic testbench.
Thanks.
prev parent reply other threads:[~2013-06-22 12:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-18 20:58 [libnftables PATCH] test: add testbench for XML Arturo Borrero Gonzalez
2013-06-20 19:02 ` Pablo Neira Ayuso
2013-06-21 22:44 ` Arturo Borrero Gonzalez
2013-06-22 12:25 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130622122555.GA3597@localhost \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).