* [libnftables PATCH 1/2] src: utils: add verdict2str
@ 2013-07-25 20:20 Arturo Borrero Gonzalez
2013-07-25 20:20 ` [libnftables PATCH 2/2] set: XML parse Arturo Borrero Gonzalez
2013-07-25 20:33 ` [libnftables PATCH 1/2] src: utils: add verdict2str Pablo Neira Ayuso
From: Arturo Borrero Gonzalez @ 2013-07-25 20:20 UTC (permalink / raw)
To: netfilter-devel
Add verdict2str() and str2verdict() helper functions and use in XML.
I've followed nft_verdict_init() in net/netfilter/nf_tables_api.c
While at it, I've fixed a small style issue in the data_reg JSON output and a
bug in the data_reg XML parser:
The parser walked the top-level tree instead of the single <data_reg> node.
This patch fixes it. Introduced at: 51370f0 src: add support for XML parsing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
src/expr/data_reg.c | 54 ++++++++++++++++++++++-----------------------------
src/internal.h | 2 ++
src/utils.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 74 insertions(+), 31 deletions(-)
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index b290b96..85c441e 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -31,8 +31,8 @@ static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg, char *xml)
{
mxml_node_t *tree = NULL;
mxml_node_t *node = NULL;
- char *endptr;
- long int tmp;
+ int verdict;
+ const char *verdict_str;
tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
if (tree == NULL)
@@ -47,33 +47,30 @@ static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg, char *xml)
}
/* Get and validate <data_reg type="verdict" >*/
- if (mxmlElementGetAttr(tree, "type") == NULL) {
+ if (mxmlElementGetAttr(node, "type") == NULL) {
mxmlDelete(tree);
return -1;
}
- if (strcmp(mxmlElementGetAttr(tree, "type"), "verdict") != 0) {
+ if (strcmp(mxmlElementGetAttr(node, "type"), "verdict") != 0) {
mxmlDelete(tree);
return -1;
}
/* Get and set <verdict> */
- node = mxmlFindElement(tree, tree, "verdict", NULL, NULL,
- MXML_DESCEND_FIRST);
- if (node == NULL) {
+ verdict_str = nft_mxml_str_parse(tree, "verdict", MXML_DESCEND);
+ if (verdict_str == NULL) {
mxmlDelete(tree);
return -1;
}
- errno = 0;
- tmp = strtoll(node->child->value.opaque, &endptr, 10);
- if (tmp > INT_MAX || tmp < INT_MIN || errno != 0
- || strlen(endptr) > 0) {
+ verdict = nft_str2verdict(verdict_str);
+ if (verdict < 0) {
mxmlDelete(tree);
return -1;
}
- reg->verdict = tmp;
+ reg->verdict = (uint32_t)verdict;
mxmlDelete(tree);
return 0;
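Review bot: `if (verdict < 0)` cannot distinguish a parse failure from a real verdict, because nft_str2verdict in the new src/utils.c hunk uses -1 as its error return while the NFT_CONTINUE/NFT_BREAK/NFT_JUMP/NFT_GOTO/NFT_RETURN codes it also returns are negative in linux/netfilter/nf_tables.h (NFT_CONTINUE itself is -1), so only `accept`, `drop` and `queue` ever survive this check. The cleaner fix is to have nft_str2verdict report the code through an out-parameter and return 0/-1, which makes this line `if (nft_str2verdict(verdict_str, &verdict) < 0)` and each utils.c branch `*verdict_num = NF_ACCEPT; return 0;` (the prototype in src/internal.h changes accordingly). Separately, `verdict_str` is never released: if nft_mxml_str_parse hands back a heap copy, as the chain hunk below freeing its result suggests, this leaks on both the success and failure paths, and if it instead points into the tree it is only valid until mxmlDelete(). The opening lines of nft_data_reg_verdict_xml_parse are outside this hunk.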
@@ -97,34 +94,27 @@ static int nft_data_reg_chain_xml_parse(union nft_data_reg *reg, char *xml)
}
/* Get and validate <data_reg type="chain" >*/
- if (mxmlElementGetAttr(tree, "type") == NULL) {
+ if (mxmlElementGetAttr(node, "type") == NULL) {
mxmlDelete(tree);
return -1;
}
- if (strcmp(mxmlElementGetAttr(tree, "type"), "chain") != 0) {
+ if (strcmp(mxmlElementGetAttr(node, "type"), "chain") != 0) {
mxmlDelete(tree);
return -1;
}
/* Get and set <chain> */
- node = mxmlFindElement(tree, tree, "chain", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (reg->chain)
+ free(reg->chain);
- /* no max len value to validate? */
- if (strlen(node->child->value.opaque) < 1) {
+ reg->chain = (char *)nft_mxml_str_parse(tree, "chain",
+ MXML_DESCEND);
+ if (reg->chain == NULL) {
mxmlDelete(tree);
return -1;
}
- if (reg->chain)
- free(reg->chain);
-
- reg->chain = strdup(node->child->value.opaque);
-
mxmlDelete(tree);
return 0;
}
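Review bot: The `(char *)` cast in `reg->chain = (char *)nft_mxml_str_parse(tree, "chain", MXML_DESCEND)` turns a `const char *` return into an owned pointer, so this only works if nft_mxml_str_parse returns a heap copy; if it returns a pointer into the tree, `reg->chain` dangles as soon as `mxmlDelete(tree)` runs a few lines later. The ownership should be stated where the pointer is stored, e.g. `/* nft_mxml_str_parse() returns a strdup()'d copy owned by the data_reg from here on */`. The lookup also still starts at `tree` with MXML_DESCEND rather than at the `<data_reg>` node the commit message says the parser is now confined to, so a `<chain>` element anywhere in the document would be accepted; searching from `node`, as the attribute checks above now do, would keep the two consistent, and the same applies to the `<verdict>` lookup in the preceding hunk. The function's opening lines are outside this hunk.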
@@ -346,13 +336,15 @@ int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg,
case NFT_RULE_O_XML:
return snprintf(buf, size,
"<data_reg type=\"verdict\">"
- "<verdict>%d</verdict>"
- "</data_reg>", reg->verdict);
+ "<verdict>%s</verdict>"
+ "</data_reg>",
+ nft_verdict2str(reg->verdict));
case NFT_RULE_O_JSON:
return snprintf(buf, size,
- "\"data_reg\": { \"type\" : \"verdict\", "
- "\"verdict\" : %d"
- "}", reg->verdict);
+ "\"data_reg\": {"
+ "\"type\" : \"verdict\", "
+ "\"verdict\" : \"%s\""
+ "}", nft_verdict2str(reg->verdict));
default:
break;
}
diff --git a/src/internal.h b/src/internal.h
index fc78233..b846814 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -49,6 +49,8 @@ const char *nft_mxml_str_parse(mxml_node_t *tree, const char *node_name, uint32_
const char *nft_family2str(uint32_t family);
int nft_str2family(const char *family);
int nft_strtoi(const char *string, int base, void *number, enum nft_type type);
+const char *nft_verdict2str(uint32_t verdict);
+int nft_str2verdict(const char *verdict);
struct expr_ops;
diff --git a/src/utils.c b/src/utils.c
index 4a0bb9c..2cdf4bf 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -17,6 +17,9 @@
#include <errno.h>
#include <inttypes.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+
const char *nft_family2str(uint32_t family)
{
switch (family) {
@@ -117,3 +120,49 @@ int nft_strtoi(const char *string, int base, void *out, enum nft_type type)
return 0;
}
+
+const char *nft_verdict2str(uint32_t verdict)
+{
+ switch (verdict) {
+ case NF_ACCEPT:
+ return "accept";
+ case NF_DROP:
+ return "drop";
+ case NF_QUEUE:
+ return "queue";
+ case NFT_CONTINUE:
+ return "continue";
+ case NFT_BREAK:
+ return "break";
+ case NFT_RETURN:
+ return "return";
+ case NFT_JUMP:
+ return "jump";
+ case NFT_GOTO:
+ return "goto";
+ default:
+ return "unknown";
+ }
+}
+
+int nft_str2verdict(const char *verdict)
+{
+ if (strcmp(verdict, "accept") == 0)
+ return NF_ACCEPT;
+ else if (strcmp(verdict, "drop") == 0)
+ return NF_DROP;
+ else if (strcmp(verdict, "queue") == 0)
+ return NF_QUEUE;
+ else if (strcmp(verdict, "continue") == 0)
+ return NFT_CONTINUE;
+ else if (strcmp(verdict, "break") == 0)
+ return NFT_BREAK;
+ else if (strcmp(verdict, "return") == 0)
+ return NFT_RETURN;
+ else if (strcmp(verdict, "jump") == 0)
+ return NFT_JUMP;
+ else if (strcmp(verdict, "goto") == 0)
+ return NFT_GOTO;
+
+ return -1;
+}
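Review bot: nft_verdict2str returns "unknown" for any code it does not recognise, and nft_str2verdict has no branch for that string, so a data_reg serialised with an unmapped verdict yields XML/JSON that the parser later rejects; either the snprintf callers should treat it as an error, or the fallback should be marked as display-only, e.g. `/* "unknown" is for output only; nft_str2verdict() does not accept it */`. The two functions also spell out the same eight name/code pairs in opposite directions, which will drift as verdicts are added; a single table walked by both keeps them in sync, and letting nft_str2verdict return the code through an out-parameter stops its -1 error result colliding with the negative NFT_* verdict codes.
```c
static const struct {
	const char	*name;
	int		code;
} nft_verdict_names[] = {
	{ "accept",	NF_ACCEPT },
	{ "drop",	NF_DROP },
	{ "queue",	NF_QUEUE },
	{ "continue",	NFT_CONTINUE },
	{ "break",	NFT_BREAK },
	{ "return",	NFT_RETURN },
	{ "jump",	NFT_JUMP },
	{ "goto",	NFT_GOTO },
};

/* Name for a verdict code; "unknown" is for output only and does not round-trip. */
const char *nft_verdict2str(uint32_t verdict)
{
	size_t i;

	for (i = 0; i < sizeof(nft_verdict_names) / sizeof(nft_verdict_names[0]); i++) {
		if (nft_verdict_names[i].code == (int)verdict)
			return nft_verdict_names[i].name;
	}
	return "unknown";
}

/* Store the code for a verdict name in *verdict_num; 0 on success, -1 if unknown. */
int nft_str2verdict(const char *verdict, int *verdict_num)
{
	size_t i;

	for (i = 0; i < sizeof(nft_verdict_names) / sizeof(nft_verdict_names[0]); i++) {
		if (strcmp(verdict, nft_verdict_names[i].name) == 0) {
			*verdict_num = nft_verdict_names[i].code;
			return 0;
		}
	}
	return -1;
}
```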
* [libnftables PATCH 2/2] set: XML parse
2013-07-25 20:20 [libnftables PATCH 1/2] src: utils: add verdict2str Arturo Borrero Gonzalez
@ 2013-07-25 20:20 ` Arturo Borrero Gonzalez
2013-07-25 20:49 ` Pablo Neira Ayuso
2013-07-25 20:33 ` [libnftables PATCH 1/2] src: utils: add verdict2str Pablo Neira Ayuso
From: Arturo Borrero Gonzalez @ 2013-07-25 20:20 UTC (permalink / raw)
To: netfilter-devel
Sets are now parsed, following this previous snprintf pattern:
<set name="xx" table="xx" version="xx">
<set_flags>uint32_t</set_flags>
<key_type>uint32_t</key_type>
<key_len>size_t</key_len>
<data_type>uint32_t</data_type>
<data_len>size_t</data_len>
<set_elem>
<set_elem_flags>uint32_t</set_elem_flags>
<set_elem_key>
<data_reg type="value">
<len></len>
<dataN></dataN>
</data_reg>
</set_elem_key>
<set_elem_data>
<data_reg type="xx">
[...]
</data_reg>
</set_elem_data>
</set_elem>
</set>
Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
---
include/libnftables/set.h | 9 ++
src/libnftables.map | 2 +
src/mxml.c | 2 -
src/set.c | 174 +++++++++++++++++++++++++++++++++++++++++++++
src/set_elem.c | 85 +++++++++++++++++++++-
tests/nft-parsing-test.c | 10 +++
tests/xmlfiles/36-set.xml | 51 +++++++++++++
7 files changed, 328 insertions(+), 5 deletions(-)
create mode 100644 tests/xmlfiles/36-set.xml
diff --git a/include/libnftables/set.h b/include/libnftables/set.h
index 6023d50..4fc3a8d 100644
--- a/include/libnftables/set.h
+++ b/include/libnftables/set.h
@@ -52,6 +52,14 @@ struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter);
struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter);
void nft_set_list_iter_destroy(struct nft_set_list_iter *iter);
+enum nft_set_parse_type {
+ NFT_SET_PARSE_NONE = 0,
+ NFT_SET_PARSE_XML,
+ NFT_SET_PARSE_MAX,
+};
+
+int nft_set_parse(struct nft_set *s, enum nft_set_parse_type type, char *data);
+
/*
* Set elements
*/
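Review bot: `int nft_set_parse(struct nft_set *s, enum nft_set_parse_type type, char *data)` takes the input as a non-const `char *`, yet nothing on the XML path writes to it (mxmlLoadString reads a `const char *`), so callers holding a const buffer or a string literal are forced to cast; `const char *data` is the right public contract, and the same applies to nft_set_elem_parse in the next hunk and to the two static *_xml_parse helpers in src/set.c and src/set_elem.c. As public API the new enum also deserves a one-line comment, e.g. `/* Input formats accepted by nft_set_parse() and nft_set_elem_parse() */`.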
@@ -94,6 +102,7 @@ void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem
int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s);
+int nft_set_elem_parse(struct nft_set_elem *e, enum nft_set_parse_type type, char *data);
int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags);
int nft_set_elem_foreach(struct nft_set *s, int (*cb)(struct nft_set_elem *e, void *data), void *data);
diff --git a/src/libnftables.map b/src/libnftables.map
index f2084d9..614c705 100644
--- a/src/libnftables.map
+++ b/src/libnftables.map
@@ -120,6 +120,7 @@ global:
nft_set_nlmsg_build_hdr;
nft_set_nlmsg_build_payload;
nft_set_nlmsg_parse;
+ nft_set_parse;
nft_set_snprintf;
nft_set_list_alloc;
@@ -149,6 +150,7 @@ global:
nft_set_elem_nlmsg_build_hdr;
nft_set_elem_nlmsg_build_payload;
nft_set_elem_nlmsg_parse;
+ nft_set_elem_parse;
nft_set_elem_snprintf;
nft_set_elems_nlmsg_build_payload;
diff --git a/src/mxml.c b/src/mxml.c
index f812bf6..3d6ada4 100644
--- a/src/mxml.c
+++ b/src/mxml.c
@@ -111,7 +111,7 @@ int nft_mxml_data_reg_parse(mxml_node_t *tree, const char *node_name,
}
node = mxmlFindElement(node, node, "data_reg", NULL, NULL,
- MXML_DESCEND);
+ MXML_DESCEND_FIRST);
if (node == NULL || node->child == NULL) {
errno = EINVAL;
goto err;
diff --git a/src/set.c b/src/set.c
index ef15527..5e1f8ed 100644
--- a/src/set.c
+++ b/src/set.c
@@ -16,6 +16,8 @@
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
+#include <limits.h>
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nfnetlink.h>
@@ -301,6 +303,178 @@ int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
}
EXPORT_SYMBOL(nft_set_nlmsg_parse);
+static int nft_set_xml_parse(struct nft_set *s, char *xml)
+{
+#ifdef XML_PARSING
+ mxml_node_t *tree = NULL;
+ mxml_node_t *node = NULL;
+ mxml_node_t *save = NULL;
+ char *set_elem_str = NULL;
+ struct nft_set_elem *elem;
+ int version;
+ int family;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (strcmp(tree->value.opaque, "set") != 0)
+ goto einval;
+
+ if (mxmlElementGetAttr(tree, "version") == NULL)
+ goto einval;
+
+ if (nft_strtoi(mxmlElementGetAttr(tree, "version"), 10, &version,
+ NFT_TYPE_U64) != 0)
+ goto err;
+
+ if (version != NFT_SET_XML_VERSION)
+ goto einval;
+
+ if (mxmlElementGetAttr(tree, "name") == NULL)
+ goto einval;
+
+ if (s->name)
+ free(s->name);
+
+ s->name = strdup(mxmlElementGetAttr(tree, "name"));
+ s->flags |= (1 << NFT_SET_ATTR_NAME);
+
+ if (mxmlElementGetAttr(tree, "table") == NULL)
+ goto einval;
+
+ if (s->table)
+ free(s->table);
+
+ s->table = strdup(mxmlElementGetAttr(tree, "table"));
+ s->flags |= (1 << NFT_SET_ATTR_TABLE);
+
+ node = mxmlFindElement(tree, tree, "family", NULL, NULL,
+ MXML_DESCEND_FIRST);
+ if (node == NULL)
+ goto einval;
+
+ if (node->child == NULL)
+ goto einval;
+
+ family = nft_str2family(node->child->value.opaque);
+
+ if (family < 0)
+ goto eafnosupport;
+
+ s->family = family;
+
+ s->flags |= (1 << NFT_SET_ATTR_FAMILY);
+
+ if (nft_mxml_num_parse(tree, "set_flags", MXML_DESCEND_FIRST,
+ BASE_DEC, &s->set_flags, NFT_TYPE_U32) != 0)
+ goto einval;
+
+ s->flags |= (1 << NFT_SET_ATTR_FLAGS);
+
+
+ if (nft_mxml_num_parse(tree, "key_type", MXML_DESCEND_FIRST,
+ BASE_DEC, &s->key_type, NFT_TYPE_U32) != 0)
+ goto einval;
+
+ s->flags |= (1 << NFT_SET_ATTR_KEY_TYPE);
+
+ if (nft_mxml_num_parse(tree, "key_len", MXML_DESCEND_FIRST,
+ BASE_DEC, &s->key_type, NFT_TYPE_U32) != 0)
+ goto einval;
+
+ s->flags |= (1 << NFT_SET_ATTR_KEY_LEN);
+
+ if (nft_mxml_num_parse(tree, "data_type", MXML_DESCEND_FIRST,
+ BASE_DEC, &s->data_type, NFT_TYPE_U32) != 0)
+ goto einval;
+
+ s->flags |= (1 << NFT_SET_ATTR_DATA_TYPE);
+
+ if (nft_mxml_num_parse(tree, "data_len", MXML_DESCEND_FIRST,
+ BASE_DEC, &s->data_len, NFT_TYPE_U32) != 0)
+ goto einval;
+
+ s->flags |= (1 << NFT_SET_ATTR_DATA_LEN);
+
+ /* Iterate over each <set_elem> */
+ for (node = mxmlFindElement(tree, tree, "set_elem", NULL,
+ NULL, MXML_DESCEND);
+ node != NULL;
+ node = mxmlFindElement(node, tree, "set_elem", NULL,
+ NULL, MXML_DESCEND)) {
+
+ elem = nft_set_elem_alloc();
+ if (elem == NULL)
+ goto enomem;
+
+ /* This is a hack for mxml to print just the current node */
+ save = node->next;
+ node->next = NULL;
+
+ set_elem_str = mxmlSaveAllocString(node, MXML_NO_CALLBACK);
+ if (set_elem_str == NULL) {
+ free(elem);
+ goto enomem;
+ }
+
+ if (nft_set_elem_parse(elem, NFT_SET_PARSE_XML,
+ set_elem_str) != 0) {
+ printf("nft_set_elem_parse err: %s\n", set_elem_str);
+ free(set_elem_str);
+ free(elem);
+ goto err;
+ }
+
+ node->next = save;
+ free(set_elem_str);
+
+ list_add_tail(&elem->head, &s->element_list);
+ }
+
+ mxmlDelete(tree);
+ return 0;
+einval:
+ errno = EINVAL;
+ mxmlDelete(tree);
+ return -1;
+eafnosupport:
+ errno = EAFNOSUPPORT;
+ mxmlDelete(tree);
+ return -1;
+enomem:
+ errno = ENOMEM;
+ mxmlDelete(tree);
+ return -1;
+err:
+ mxmlDelete(tree);
+ return -1;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+int nft_set_parse(struct nft_set *s, enum nft_set_parse_type type, char *data)
+{
+ int ret;
+
+ switch (type) {
+ case NFT_SET_PARSE_XML:
+ ret = nft_set_xml_parse(s, data);
+ break;
+ default:
+ ret = -1;
+ errno = EOPNOTSUPP;
+ break;
+ }
+
+ return ret;
+}
+EXPORT_SYMBOL(nft_set_parse);
+
static int nft_set_snprintf_json(char *buf, size_t size, struct nft_set *s,
uint32_t type, uint32_t flags)
{
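Review bot: `nft_strtoi(mxmlElementGetAttr(tree, "version"), 10, &version, NFT_TYPE_U64)` passes the address of an `int` while requesting a 64-bit conversion; if nft_strtoi stores a uint64_t for NFT_TYPE_U64, as the type name implies, it writes four bytes past `version` on the stack, so the declaration should match, `uint64_t version;`, or the call should request a 32-bit type. The `key_len` call is a copy-paste slip: it parses `<key_len>` into `&s->key_type`, clobbering the value stored just before and leaving key_len unset; it should read `BASE_DEC, &s->key_len, NFT_TYPE_U32) != 0)`. In the element loop both failure paths release the element with plain `free(elem)` although it came from nft_set_elem_alloc(); `nft_set_elem_free(elem)` is the release that matches the allocator and stays correct if the element parser ever stores heap data before failing. The `printf("nft_set_elem_parse err: %s\n", set_elem_str)` writes diagnostics to the library user's stdout on a parse error and should be dropped, leaving errno and the -1 return to report it.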
diff --git a/src/set_elem.c b/src/set_elem.c
index 4adba91..724c312 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -16,6 +16,7 @@
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
+#include <errno.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter/nfnetlink.h>
@@ -374,8 +375,83 @@ int nft_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
}
EXPORT_SYMBOL(nft_set_elems_nlmsg_parse);
+static int nft_set_elem_xml_parse(struct nft_set_elem *e, char *xml)
+{
+#ifdef XML_PARSING
+ mxml_node_t *tree = NULL;
+ int set_elem_data;
+
+ tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
+ if (tree == NULL) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (strcmp(tree->value.opaque, "set_elem") != 0)
+ goto einval;
+
+ if (nft_mxml_num_parse(tree, "set_elem_flags", MXML_DESCEND_FIRST,
+ BASE_DEC, &e->set_elem_flags,
+ NFT_TYPE_U32) != 0)
+ goto einval;
+
+ e->flags |= (1 << NFT_SET_ELEM_ATTR_FLAGS);
+
+ if (nft_mxml_data_reg_parse(tree, "set_elem_key",
+ &e->key) != DATA_VALUE)
+ goto einval;
+
+ e->flags |= (1 << NFT_SET_ELEM_ATTR_KEY);
+
+ set_elem_data = nft_mxml_data_reg_parse(tree, "set_elem_data",
+ &e->data);
+ switch (set_elem_data) {
+ case DATA_VALUE:
+ e->flags |= (1 << NFT_SET_ELEM_ATTR_DATA);
+ break;
+ case DATA_VERDICT:
+ e->flags |= (1 << NFT_SET_ELEM_ATTR_VERDICT);
+ break;
+ case DATA_CHAIN:
+ e->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN);
+ break;
+ default:
+ goto einval;
+ }
+
+ mxmlDelete(tree);
+ return 0;
+
+einval:
+ errno = EINVAL;
+ mxmlDelete(tree);
+ return -1;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif
+}
+
+int nft_set_elem_parse(struct nft_set_elem *e,
+ enum nft_set_parse_type type, char *data) {
+ int ret;
+
+ switch (type) {
+ case NFT_SET_PARSE_XML:
+ ret = nft_set_elem_xml_parse(e, data);
+ break;
+ default:
+ errno = EOPNOTSUPP;
+ ret = -1;
+ break;
+ }
+
+ return ret;
+}
+EXPORT_SYMBOL(nft_set_elem_parse);
+
static int nft_set_elem_snprintf_json(char *buf, size_t size,
- struct nft_set_elem *e, uint32_t flags)
+ struct nft_set_elem *e, uint32_t flags)
{
int ret, len = size, offset = 0, type = -1;
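Review bot: `enum nft_set_parse_type type, char *data) {` puts the opening brace of nft_set_elem_parse on the signature line, while every other definition in this hunk (nft_set_elem_xml_parse, nft_set_elem_snprintf_json) puts it on a line of its own; move it down to keep the file's brace style. On the failure paths of nft_set_elem_xml_parse the element is returned with NFT_SET_ELEM_ATTR_FLAGS, and possibly NFT_SET_ELEM_ATTR_KEY, already set in `e->flags`, so a caller that inspects the element after -1 sees a half-populated object; that is worth a comment above the function, e.g. `/* On error the element may be partially populated; callers must free it */`. The body of nft_set_elem_snprintf_json at the tail of the hunk is outside it.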
@@ -414,8 +490,9 @@ static int nft_set_elem_snprintf_json(char *buf, size_t size,
return offset;
}
-static int nft_set_elem_snprintf_default(char *buf, size_t size,
- struct nft_set_elem *e)
+static
+int nft_set_elem_snprintf_default(char *buf, size_t size,
+ struct nft_set_elem *e, uint32_t flags)
{
int ret, len = size, offset = 0, i;
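Review bot: `static` on a line of its own above `int nft_set_elem_snprintf_default(` is unlike every other definition in this file (`static int nft_set_elem_snprintf_json(` two hunks up); keep `static int nft_set_elem_snprintf_default(char *buf, size_t size,` on one line. The added `flags` parameter is not seen being used because the function body is outside the hunk; if it is only forwarded for signature symmetry with the XML/JSON variants, a short comment saying so would save the next reader the search.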
@@ -505,7 +582,7 @@ int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *e,
{
switch(type) {
case NFT_SET_O_DEFAULT:
- return nft_set_elem_snprintf_default(buf, size, e);
+ return nft_set_elem_snprintf_default(buf, size, e, flags);
case NFT_SET_O_XML:
return nft_set_elem_snprintf_xml(buf, size, e, flags);
case NFT_SET_O_JSON:
diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c
index 4fe60c3..c75d97b 100644
--- a/tests/nft-parsing-test.c
+++ b/tests/nft-parsing-test.c
@@ -9,6 +9,7 @@
#include <libnftables/table.h>
#include <libnftables/chain.h>
#include <libnftables/rule.h>
+#include <libnftables/set.h>
#ifdef XML_PARSING
#include <mxml.h>
@@ -21,6 +22,7 @@ static int test_xml(const char *filename)
struct nft_table *t = NULL;
struct nft_chain *c = NULL;
struct nft_rule *r = NULL;
+ struct nft_set *s = NULL;
FILE *fp;
mxml_node_t *tree = NULL;;
char *xml = NULL;
@@ -61,6 +63,14 @@ static int test_xml(const char *filename)
nft_rule_free(r);
}
+ } else if (strcmp(tree->value.opaque, "set") == 0) {
+ s = nft_set_alloc();
+ if (s != NULL) {
+ if (nft_set_parse(s, NFT_SET_PARSE_XML, xml) == 0)
+ ret = 0;
+
+ nft_set_free(s);
+ }
}
return ret;
diff --git a/tests/xmlfiles/36-set.xml b/tests/xmlfiles/36-set.xml
new file mode 100644
index 0000000..71ca189
--- /dev/null
+++ b/tests/xmlfiles/36-set.xml
@@ -0,0 +1,51 @@
+<set name="set1" table="filter" version="0">
+ <family>ip</family>
+ <set_flags>6</set_flags>
+ <key_type>0</key_type>
+ <key_len>12</key_len>
+ <data_type>0</data_type>
+ <data_len>12</data_len>
+ <set_elem>
+ <set_elem_flags>1</set_elem_flags>
+ <set_elem_key>
+ <data_reg type="value">
+ <len>4</len>
+ <data0>0xffaabbdd</data0>
+ </data_reg>
+ </set_elem_key>
+ <set_elem_data>
+ <data_reg type="verdict">
+ <verdict>accept</verdict>
+ </data_reg>
+ </set_elem_data>
+ </set_elem>
+ <set_elem>
+ <set_elem_flags>1</set_elem_flags>
+ <set_elem_key>
+ <data_reg type="value">
+ <len>4</len>
+ <data0>0xffaabb11</data0>
+ </data_reg>
+ </set_elem_key>
+ <set_elem_data>
+ <data_reg type="chain">
+ <chain>test</chain>
+ </data_reg>
+ </set_elem_data>
+ </set_elem>
+ <set_elem>
+ <set_elem_flags>1</set_elem_flags>
+ <set_elem_key>
+ <data_reg type="value">
+ <len>4</len>
+ <data0>0xffaabb11</data0>
+ </data_reg>
+ </set_elem_key>
+ <set_elem_data>
+ <data_reg type="value">
+ <len>4</len>
+ <data0>0xcafecafe</data0>
+ </data_reg>
+ </set_elem_data>
+ </set_elem>
+</set>
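Review bot: The fixture declares `<key_len>12</key_len>` and `<data_len>12</data_len>` while every element's `<data_reg>` carries `<len>4</len>`, so the set-level lengths and the per-element lengths disagree; the parser in this series does not cross-check them, but an internally consistent fixture (`<key_len>4</key_len>`, `<data_len>4</data_len>`) keeps the test meaningful if such a check is added later. The second and third elements also reuse the key `0xffaabb11`, which a duplicate-key check would reject; distinct keys make the expected outcome unambiguous.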
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [libnftables PATCH 1/2] src: utils: add verdict2str
2013-07-25 20:20 [libnftables PATCH 1/2] src: utils: add verdict2str Arturo Borrero Gonzalez
2013-07-25 20:20 ` [libnftables PATCH 2/2] set: XML parse Arturo Borrero Gonzalez
@ 2013-07-25 20:33 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-07-25 20:33 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Thu, Jul 25, 2013 at 10:20:33PM +0200, Arturo Borrero Gonzalez wrote:
> Add verdict2str() and str2verdict() helper functions and use in XML.
>
> I've followed nft_verdict_init() in net/netfilter/nf_tables_api.c
>
> While at it, I've fixed a small style issue in the data_reg JSON output and a
> bug in the data_reg XML parser:
> The parser walked the top level tree, instead of single <data_reg> node.
> This patch fixes it. Introduced at: 51370f0 src: add support for XML parsing.
Applied, thanks.
* Re: [libnftables PATCH 2/2] set: XML parse
2013-07-25 20:20 ` [libnftables PATCH 2/2] set: XML parse Arturo Borrero Gonzalez
@ 2013-07-25 20:49 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-07-25 20:49 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel
On Thu, Jul 25, 2013 at 10:20:39PM +0200, Arturo Borrero Gonzalez wrote:
> Sets are now parsed, following this previous snprintf pattern:
>
> <set name="xx" table="xx" version="xx">
> <set_flags>uint32_t</set_flags>
> <key_type>uint32_t</key_type>
> <key_len>size_t</key_len>
> <data_type>uint32_t</data_type>
> <data_len>size_t</data_len>
> <set_elem>
> <set_elem_flags>uint32_t</set_elem_flags>
> <set_elem_key>
> <data_reg type="value">
> <len></len>
> <dataN></dataN>
> </data_reg>
> </set_elem_key>
> <set_elem_data>
> <data_reg type="xx">
> [...]
> </data_reg>
> </set_elem_data>
> </set_elem>
> </set>
>
>
> Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com>
> ---
> include/libnftables/set.h | 9 ++
> src/libnftables.map | 2 +
> src/mxml.c | 2 -
> src/set.c | 174 +++++++++++++++++++++++++++++++++++++++++++++
> src/set_elem.c | 85 +++++++++++++++++++++-
> tests/nft-parsing-test.c | 10 +++
> tests/xmlfiles/36-set.xml | 51 +++++++++++++
> 7 files changed, 328 insertions(+), 5 deletions(-)
> create mode 100644 tests/xmlfiles/36-set.xml
>
> diff --git a/include/libnftables/set.h b/include/libnftables/set.h
> index 6023d50..4fc3a8d 100644
> --- a/include/libnftables/set.h
> +++ b/include/libnftables/set.h
> @@ -52,6 +52,14 @@ struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter);
> struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter);
> void nft_set_list_iter_destroy(struct nft_set_list_iter *iter);
>
> +enum nft_set_parse_type {
> + NFT_SET_PARSE_NONE = 0,
> + NFT_SET_PARSE_XML,
> + NFT_SET_PARSE_MAX,
> +};
> +
> +int nft_set_parse(struct nft_set *s, enum nft_set_parse_type type, char *data);
> +
> /*
> * Set elements
> */
> @@ -94,6 +102,7 @@ void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem
>
> int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s);
>
> +int nft_set_elem_parse(struct nft_set_elem *e, enum nft_set_parse_type type, char *data);
> int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags);
>
> int nft_set_elem_foreach(struct nft_set *s, int (*cb)(struct nft_set_elem *e, void *data), void *data);
> diff --git a/src/libnftables.map b/src/libnftables.map
> index f2084d9..614c705 100644
> --- a/src/libnftables.map
> +++ b/src/libnftables.map
> @@ -120,6 +120,7 @@ global:
> nft_set_nlmsg_build_hdr;
> nft_set_nlmsg_build_payload;
> nft_set_nlmsg_parse;
> + nft_set_parse;
> nft_set_snprintf;
>
> nft_set_list_alloc;
> @@ -149,6 +150,7 @@ global:
> nft_set_elem_nlmsg_build_hdr;
> nft_set_elem_nlmsg_build_payload;
> nft_set_elem_nlmsg_parse;
> + nft_set_elem_parse;
> nft_set_elem_snprintf;
>
> nft_set_elems_nlmsg_build_payload;
> diff --git a/src/mxml.c b/src/mxml.c
> index f812bf6..3d6ada4 100644
> --- a/src/mxml.c
> +++ b/src/mxml.c
> @@ -111,7 +111,7 @@ int nft_mxml_data_reg_parse(mxml_node_t *tree, const char *node_name,
> }
>
> node = mxmlFindElement(node, node, "data_reg", NULL, NULL,
> - MXML_DESCEND);
> + MXML_DESCEND_FIRST);
> if (node == NULL || node->child == NULL) {
> errno = EINVAL;
> goto err;
> diff --git a/src/set.c b/src/set.c
> index ef15527..5e1f8ed 100644
> --- a/src/set.c
> +++ b/src/set.c
> @@ -16,6 +16,8 @@
> #include <stdlib.h>
> #include <string.h>
> #include <netinet/in.h>
> +#include <limits.h>
> +#include <errno.h>
>
> #include <libmnl/libmnl.h>
> #include <linux/netfilter/nfnetlink.h>
> @@ -301,6 +303,178 @@ int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
> }
> EXPORT_SYMBOL(nft_set_nlmsg_parse);
>
> +static int nft_set_xml_parse(struct nft_set *s, char *xml)
> +{
> +#ifdef XML_PARSING
> + mxml_node_t *tree = NULL;
no need to init this variable.
> + mxml_node_t *node = NULL;
> + mxml_node_t *save = NULL;
> + char *set_elem_str = NULL;
> + struct nft_set_elem *elem;
> + int version;
> + int family;
> +
> + tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
> + if (tree == NULL) {
> + errno = EINVAL;
> + return -1;
> + }
> +
> + if (strcmp(tree->value.opaque, "set") != 0)
> + goto einval;
> +
> + if (mxmlElementGetAttr(tree, "version") == NULL)
> + goto einval;
> +
> + if (nft_strtoi(mxmlElementGetAttr(tree, "version"), 10, &version,
> + NFT_TYPE_U64) != 0)
> + goto err;
> +
> + if (version != NFT_SET_XML_VERSION)
> + goto einval;
> +
> + if (mxmlElementGetAttr(tree, "name") == NULL)
> + goto einval;
> +
> + if (s->name)
> + free(s->name);
> +
> + s->name = strdup(mxmlElementGetAttr(tree, "name"));
> + s->flags |= (1 << NFT_SET_ATTR_NAME);
> +
> + if (mxmlElementGetAttr(tree, "table") == NULL)
> + goto einval;
> +
> + if (s->table)
> + free(s->table);
> +
> + s->table = strdup(mxmlElementGetAttr(tree, "table"));
> + s->flags |= (1 << NFT_SET_ATTR_TABLE);
> +
> + node = mxmlFindElement(tree, tree, "family", NULL, NULL,
> + MXML_DESCEND_FIRST);
> + if (node == NULL)
> + goto einval;
> +
> + if (node->child == NULL)
> + goto einval;
> +
> + family = nft_str2family(node->child->value.opaque);
> +
> + if (family < 0)
> + goto eafnosupport;
> +
> + s->family = family;
> +
> + s->flags |= (1 << NFT_SET_ATTR_FAMILY);
> +
> + if (nft_mxml_num_parse(tree, "set_flags", MXML_DESCEND_FIRST,
> + BASE_DEC, &s->set_flags, NFT_TYPE_U32) != 0)
> + goto einval;
nft_mxml_num_parse already sets errno.
> +
> + s->flags |= (1 << NFT_SET_ATTR_FLAGS);
> +
> +
> + if (nft_mxml_num_parse(tree, "key_type", MXML_DESCEND_FIRST,
> + BASE_DEC, &s->key_type, NFT_TYPE_U32) != 0)
> + goto einval;
> +
> + s->flags |= (1 << NFT_SET_ATTR_KEY_TYPE);
> +
> + if (nft_mxml_num_parse(tree, "key_len", MXML_DESCEND_FIRST,
> + BASE_DEC, &s->key_type, NFT_TYPE_U32) != 0)
> + goto einval;
> +
> + s->flags |= (1 << NFT_SET_ATTR_KEY_LEN);
> +
> + if (nft_mxml_num_parse(tree, "data_type", MXML_DESCEND_FIRST,
> + BASE_DEC, &s->data_type, NFT_TYPE_U32) != 0)
> + goto einval;
> +
> + s->flags |= (1 << NFT_SET_ATTR_DATA_TYPE);
> +
> + if (nft_mxml_num_parse(tree, "data_len", MXML_DESCEND_FIRST,
> + BASE_DEC, &s->data_len, NFT_TYPE_U32) != 0)
> + goto einval;
> +
> + s->flags |= (1 << NFT_SET_ATTR_DATA_LEN);
> +
> + /* Iterate over each <set_elem> */
> + for (node = mxmlFindElement(tree, tree, "set_elem", NULL,
> + NULL, MXML_DESCEND);
> + node != NULL;
> + node = mxmlFindElement(node, tree, "set_elem", NULL,
> + NULL, MXML_DESCEND)) {
> +
> + elem = nft_set_elem_alloc();
> + if (elem == NULL)
> + goto enomem;
already sets ENOMEM, no need for this.
> +
> + /* This is a hack for mxml to print just the current node */
> + save = node->next;
> + node->next = NULL;
> +
> + set_elem_str = mxmlSaveAllocString(node, MXML_NO_CALLBACK);
> + if (set_elem_str == NULL) {
> + free(elem);
> + goto enomem;
> + }
> +
> + if (nft_set_elem_parse(elem, NFT_SET_PARSE_XML,
> + set_elem_str) != 0) {
> + printf("nft_set_elem_parse err: %s\n", set_elem_str);
> + free(set_elem_str);
> + free(elem);
> + goto err;
> + }
> +
> + node->next = save;
> + free(set_elem_str);
> +
> + list_add_tail(&elem->head, &s->element_list);
> + }
Please, move element parsing to another function. Making functions
smaller help maintainability.
> +
> + mxmlDelete(tree);
> + return 0;
> +einval:
rename this to err:, now it's the only possible error in this
function.
> + errno = EINVAL;
> + mxmlDelete(tree);
> + return -1;
> +eafnosupport:
> + errno = EAFNOSUPPORT;
> + mxmlDelete(tree);
> + return -1;
no need for this, nft_family2str already sets it.
> +enomem:
> + errno = ENOMEM;
> + mxmlDelete(tree);
> + return -1;
remove this.
> +err:
> + mxmlDelete(tree);
> + return -1;
> +#else
> + errno = EOPNOTSUPP;
> + return -1;
> +#endif
> +}
> +
> +int nft_set_parse(struct nft_set *s, enum nft_set_parse_type type, char *data)
> +{
> + int ret;
> +
> + switch (type) {
> + case NFT_SET_PARSE_XML:
> + ret = nft_set_xml_parse(s, data);
> + break;
> + default:
> + ret = -1;
> + errno = EOPNOTSUPP;
> + break;
> + }
> +
> + return ret;
> +}
> +EXPORT_SYMBOL(nft_set_parse);
> +
> static int nft_set_snprintf_json(char *buf, size_t size, struct nft_set *s,
> uint32_t type, uint32_t flags)
> {
> diff --git a/src/set_elem.c b/src/set_elem.c
> index 4adba91..724c312 100644
> --- a/src/set_elem.c
> +++ b/src/set_elem.c
> @@ -16,6 +16,7 @@
> #include <stdlib.h>
> #include <string.h>
> #include <netinet/in.h>
> +#include <errno.h>
>
> #include <libmnl/libmnl.h>
> #include <linux/netfilter/nfnetlink.h>
> @@ -374,8 +375,83 @@ int nft_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
> }
> EXPORT_SYMBOL(nft_set_elems_nlmsg_parse);
>
> +static int nft_set_elem_xml_parse(struct nft_set_elem *e, char *xml)
> +{
> +#ifdef XML_PARSING
> + mxml_node_t *tree = NULL;
> + int set_elem_data;
> +
> + tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
> + if (tree == NULL) {
> + errno = EINVAL;
> + return -1;
> + }
> +
> + if (strcmp(tree->value.opaque, "set_elem") != 0)
> + goto einval;
> +
> + if (nft_mxml_num_parse(tree, "set_elem_flags", MXML_DESCEND_FIRST,
> + BASE_DEC, &e->set_elem_flags,
> + NFT_TYPE_U32) != 0)
> + goto einval;
no need for einval here, num_parse already sets errno.
> +
> + e->flags |= (1 << NFT_SET_ELEM_ATTR_FLAGS);
> +
> + if (nft_mxml_data_reg_parse(tree, "set_elem_key",
> + &e->key) != DATA_VALUE)
> + goto einval;
> +
> + e->flags |= (1 << NFT_SET_ELEM_ATTR_KEY);
> +
> + set_elem_data = nft_mxml_data_reg_parse(tree, "set_elem_data",
> + &e->data);
> + switch (set_elem_data) {
> + case DATA_VALUE:
> + e->flags |= (1 << NFT_SET_ELEM_ATTR_DATA);
> + break;
> + case DATA_VERDICT:
> + e->flags |= (1 << NFT_SET_ELEM_ATTR_VERDICT);
> + break;
> + case DATA_CHAIN:
> + e->flags |= (1 << NFT_SET_ELEM_ATTR_CHAIN);
> + break;
> + default:
> + goto einval;
> + }
> +
> + mxmlDelete(tree);
> + return 0;
> +
> +einval:
> + errno = EINVAL;
> + mxmlDelete(tree);
> + return -1;
> +#else
> + errno = EOPNOTSUPP;
> + return -1;
> +#endif
> +}
> +
> +int nft_set_elem_parse(struct nft_set_elem *e,
> + enum nft_set_parse_type type, char *data) {
> + int ret;
> +
> + switch (type) {
> + case NFT_SET_PARSE_XML:
> + ret = nft_set_elem_xml_parse(e, data);
> + break;
> + default:
> + errno = EOPNOTSUPP;
> + ret = -1;
> + break;
> + }
> +
> + return ret;
> +}
> +EXPORT_SYMBOL(nft_set_elem_parse);
> +
> static int nft_set_elem_snprintf_json(char *buf, size_t size,
> - struct nft_set_elem *e, uint32_t flags)
> + struct nft_set_elem *e, uint32_t flags)
> {
> int ret, len = size, offset = 0, type = -1;
>
> @@ -414,8 +490,9 @@ static int nft_set_elem_snprintf_json(char *buf, size_t size,
> return offset;
> }
>
> -static int nft_set_elem_snprintf_default(char *buf, size_t size,
> - struct nft_set_elem *e)
> +static
> +int nft_set_elem_snprintf_default(char *buf, size_t size,
> + struct nft_set_elem *e, uint32_t flags)
> {
> int ret, len = size, offset = 0, i;
>
> @@ -505,7 +582,7 @@ int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *e,
> {
> switch(type) {
> case NFT_SET_O_DEFAULT:
> - return nft_set_elem_snprintf_default(buf, size, e);
> + return nft_set_elem_snprintf_default(buf, size, e, flags);
> case NFT_SET_O_XML:
> return nft_set_elem_snprintf_xml(buf, size, e, flags);
> case NFT_SET_O_JSON:
> diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c
> index 4fe60c3..c75d97b 100644
> --- a/tests/nft-parsing-test.c
> +++ b/tests/nft-parsing-test.c
> @@ -9,6 +9,7 @@
> #include <libnftables/table.h>
> #include <libnftables/chain.h>
> #include <libnftables/rule.h>
> +#include <libnftables/set.h>
>
> #ifdef XML_PARSING
> #include <mxml.h>
> @@ -21,6 +22,7 @@ static int test_xml(const char *filename)
> struct nft_table *t = NULL;
> struct nft_chain *c = NULL;
> struct nft_rule *r = NULL;
> + struct nft_set *s = NULL;
> FILE *fp;
> mxml_node_t *tree = NULL;;
> char *xml = NULL;
> @@ -61,6 +63,14 @@ static int test_xml(const char *filename)
>
> nft_rule_free(r);
> }
> + } else if (strcmp(tree->value.opaque, "set") == 0) {
> + s = nft_set_alloc();
> + if (s != NULL) {
> + if (nft_set_parse(s, NFT_SET_PARSE_XML, xml) == 0)
> + ret = 0;
> +
> + nft_set_free(s);
> + }
> }
>
> return ret;
> diff --git a/tests/xmlfiles/36-set.xml b/tests/xmlfiles/36-set.xml
> new file mode 100644
> index 0000000..71ca189
> --- /dev/null
> +++ b/tests/xmlfiles/36-set.xml
> @@ -0,0 +1,51 @@
> +<set name="set1" table="filter" version="0">
> + <family>ip</family>
> + <set_flags>6</set_flags>
> + <key_type>0</key_type>
> + <key_len>12</key_len>
> + <data_type>0</data_type>
> + <data_len>12</data_len>
> + <set_elem>
> + <set_elem_flags>1</set_elem_flags>
> + <set_elem_key>
> + <data_reg type="value">
> + <len>4</len>
> + <data0>0xffaabbdd</data0>
> + </data_reg>
> + </set_elem_key>
> + <set_elem_data>
> + <data_reg type="verdict">
> + <verdict>accept</verdict>
> + </data_reg>
> + </set_elem_data>
> + </set_elem>
> + <set_elem>
> + <set_elem_flags>1</set_elem_flags>
> + <set_elem_key>
> + <data_reg type="value">
> + <len>4</len>
> + <data0>0xffaabb11</data0>
> + </data_reg>
> + </set_elem_key>
> + <set_elem_data>
> + <data_reg type="chain">
> + <chain>test</chain>
> + </data_reg>
> + </set_elem_data>
> + </set_elem>
> + <set_elem>
> + <set_elem_flags>1</set_elem_flags>
> + <set_elem_key>
> + <data_reg type="value">
> + <len>4</len>
> + <data0>0xffaabb11</data0>
> + </data_reg>
> + </set_elem_key>
> + <set_elem_data>
> + <data_reg type="value">
> + <len>4</len>
> + <data0>0xcafecafe</data0>
> + </data_reg>
> + </set_elem_data>
> + </set_elem>
> +</set>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html