[libnftables PATCH 1/6] table: json: Add Json parser support

[libnftables PATCH 1/6] table: json: Add Json parser support

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Add function for parsing tables in format JSON

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 configure.ac                |    9 ++++-
 include/libnftables/table.h |    1 +
 src/Makefile.am             |    3 +-
 src/internal.h              |   10 +++++
 src/jansson.c               |   79 +++++++++++++++++++++++++++++++++++++++++++
 src/table.c                 |   69 ++++++++++++++++++++++++++++++++++++++
 src/utils.c                 |   61 ++++++++++++++++++++-------------
 7 files changed, 206 insertions(+), 26 deletions(-)
 create mode 100644 src/jansson.c

diff --git a/configure.ac b/configure.ac
index c8075e9..834c0a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -18,7 +18,10 @@ AC_ARG_WITH([xml-parsing], AS_HELP_STRING([--with-xml-parsing], [XML parsing sup
 AS_IF([test "x$with_xml_parsing" = "xyes"], [
 	PKG_CHECK_MODULES([LIBXML], [mxml >= 2.6])
 ])
-
+AC_ARG_WITH([json-parsing], AS_HELP_STRING([--with-json-parsing], [JSON parsing support]))
+AS_IF([test "x$with_json_parsing" = "xyes"], [
+	PKG_CHECK_MODULES([LIBJSON], [jansson >= 2.3])
+])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -33,6 +36,10 @@ regular_CPPFLAGS="-D_FILE_OFFSET_BITS=64 -D_REENTRANT"
 AS_IF([test "x$with_xml_parsing" = "xyes"], [
 	regular_CPPFLAGS="$regular_CPPFLAGS -DXML_PARSING"
 ])
+
+AS_IF([test "x$with_json_parsing" = "xyes"], [
+	regular_CPPFLAGS="$regular_CPPFLAGS -DJSON_PARSING"
+])
 regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wshadow -Wstrict-prototypes \
 	-Wformat=2 -pipe"
diff --git a/include/libnftables/table.h b/include/libnftables/table.h
index f3f3e89..24ca374 100644
--- a/include/libnftables/table.h
+++ b/include/libnftables/table.h
@@ -40,6 +40,7 @@ enum {
 enum nft_table_parse_type {
 	NFT_TABLE_PARSE_NONE	= 0,
 	NFT_TABLE_PARSE_XML,
+	NFT_TABLE_PARSE_JSON,
 	NFT_TABLE_PARSE_MAX,
 };
 
diff --git a/src/Makefile.am b/src/Makefile.am
index 6496511..51b40a2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,7 +1,7 @@
 include $(top_srcdir)/Make_global.am
 lib_LTLIBRARIES = libnftables.la
 
-libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBXML_LIBS}
+libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS}
 libnftables_la_LDFLAGS = -Wl,--version-script=$(srcdir)/libnftables.map \
 			 -version-info $(LIBVERSION)
 libnftables_la_SOURCES = utils.c		\
@@ -11,6 +11,7 @@ libnftables_la_SOURCES = utils.c		\
 			 set.c			\
 			 set_elem.c		\
 			 mxml.c			\
+			 jansson.c		\
 			 expr.c			\
 			 expr_ops.c		\
 			 expr/bitwise.c		\
diff --git a/src/internal.h b/src/internal.h
index b846814..47cd635 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -12,6 +12,7 @@
 #include "linux_list.h"
 
 #include <stdint.h>
+#include <stdbool.h>
 
 #define BASE_DEC 10
 #define BASE_HEX 16
@@ -37,6 +38,14 @@ int nft_mxml_num_parse(mxml_node_t *tree, const char *node_name, uint32_t mxml_f
 const char *nft_mxml_str_parse(mxml_node_t *tree, const char *node_name, uint32_t mxml_flags);
 #endif
 
+#ifdef JSON_PARSING
+#include <jansson.h>
+int nft_jansson_value_parse_val(json_t *root, const char *tag,
+				  int type, void *out);
+const char *nft_jansson_value_parse_str(json_t *root, const char *tag);
+bool nft_jansson_node_exist(json_t *root, const char *tag);
+#endif
+
 #define NFT_TABLE_XML_VERSION 0
 #define NFT_CHAIN_XML_VERSION 0
 #define NFT_RULE_XML_VERSION 0
@@ -51,6 +60,7 @@ int nft_str2family(const char *family);
 int nft_strtoi(const char *string, int base, void *number, enum nft_type type);
 const char *nft_verdict2str(uint32_t verdict);
 int nft_str2verdict(const char *verdict);
+int nft_get_value(enum nft_type type, void *val, void *out);
 
 struct expr_ops;
 
diff --git a/src/jansson.c b/src/jansson.c
new file mode 100644
index 0000000..2b15240
--- /dev/null
+++ b/src/jansson.c
@@ -0,0 +1,79 @@
+/*
+ * (C) 2013 by Álvaro Neira Ayuso <alvaroneay@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <internal.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <string.h>
+
+#ifdef JSON_PARSING
+
+static int nft_jansson_load_int_node(json_t *root, const char *tag,
+				      json_int_t *val)
+{
+	json_t *node;
+
+	node = json_object_get(root, tag);
+	if (node == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (!json_is_integer(node)) {
+		errno = ERANGE;
+		goto err;
+	}
+
+	*val = json_integer_value(node);
+
+	return 0;
+err:
+	return -1;
+}
+
+const char *nft_jansson_value_parse_str(json_t *root, const char *tag)
+{
+	json_t *node;
+	const char *val;
+
+	node = json_object_get(root, tag);
+	if (node == NULL)
+		return NULL;
+
+	val = json_string_value(node);
+
+	return val;
+}
+
+int nft_jansson_value_parse_val(json_t *root, const char *tag, int type,
+				  void *out)
+{
+	json_int_t val;
+
+	if (nft_jansson_load_int_node(root, tag, &val) == -1)
+		goto err;
+
+	if (nft_get_value(type, &val, out) == -1)
+		goto err;
+
+	return 0;
+err:
+	errno = ERANGE;
+	return -1;
+}
+
+bool nft_jansson_node_exist(json_t *root, const char *tag)
+{
+	return json_object_get(root, tag) != NULL;
+}
+#endif
diff --git a/src/table.c b/src/table.c
index d814668..65797e8 100644
--- a/src/table.c
+++ b/src/table.c
@@ -295,6 +295,72 @@ static int nft_table_xml_parse(struct nft_table *t, char *xml)
 #endif
 }
 
+static int nft_table_json_parse(struct nft_table *t, char *json)
+{
+#ifdef JSON_PARSING
+	json_t *root;
+	json_error_t error;
+	uint64_t version;
+	uint32_t table_flag;
+	const char *str = NULL;
+
+	root = json_loadb(json, strlen(json), 0, &error);
+	if (!root) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	root = json_object_get(root, "table");
+	if (root == NULL) {
+		errno = ERANGE;
+		return -1;
+	}
+
+	if (nft_jansson_value_parse_val(root, "version",
+					NFT_TYPE_U64, &version) == -1)
+		goto err;
+
+	if (version != NFT_TABLE_JSON_VERSION || version == -1)
+		goto err;
+
+	str = nft_jansson_value_parse_str(root, "name");
+	if (str == NULL)
+		goto err;
+
+	nft_table_attr_set_str(t, NFT_TABLE_ATTR_NAME, strdup(str));
+
+	root = json_object_get(root, "properties");
+	if (root == NULL)
+		goto err;
+
+	str = nft_jansson_value_parse_str(root, "family");
+	if (str == NULL)
+		goto err;
+
+	if (nft_str2family(str) < 0)
+		goto err;
+
+	nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FAMILY, nft_str2family(str));
+
+	if (nft_jansson_value_parse_val(root, "table_flags",
+					NFT_TYPE_U32, &table_flag) == -1)
+		goto err;
+
+	nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FLAGS, table_flag);
+
+	free(root);
+	return 0;
+err:
+	free(root);
+	errno = ERANGE;
+	return -1;
+
+#else
+	errno = EOPNOTSUPP;
+	return -1;
+#endif
+}
+
 int nft_table_parse(struct nft_table *t, enum nft_table_parse_type type,
 		    char *data)
 {
@@ -304,6 +370,9 @@ int nft_table_parse(struct nft_table *t, enum nft_table_parse_type type,
 	case NFT_TABLE_PARSE_XML:
 		ret = nft_table_xml_parse(t, data);
 		break;
+	case NFT_TABLE_PARSE_JSON:
+		ret = nft_table_json_parse(t, data);
+		break;
 	default:
 		ret = -1;
 		errno = EOPNOTSUPP;
diff --git a/src/utils.c b/src/utils.c
index ebd40b5..c6bf9ff 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -66,57 +66,70 @@ static struct {
 	[NFT_TYPE_S64]	= { .len = sizeof(int64_t), .min = INT64_MIN, .max = INT64_MAX },
 };
 
-int nft_strtoi(const char *string, int base, void *out, enum nft_type type)
+
+int nft_get_value(enum nft_type type, void *val, void *out)
 {
-	int64_t sval = 0;
-	uint64_t uval = -1;
-	char *endptr;
+	int64_t sval;
+	uint64_t uval;
 
 	switch (type) {
 	case NFT_TYPE_U8:
 	case NFT_TYPE_U16:
 	case NFT_TYPE_U32:
 	case NFT_TYPE_U64:
-		uval = strtoll(string, &endptr, base);
+		uval = *((uint64_t *)val);
+		if (uval > basetype[type].max) {
+			errno = ERANGE;
+			return -1;
+		}
+		memcpy(out, &uval, basetype[type].len);
 		break;
 	case NFT_TYPE_S8:
 	case NFT_TYPE_S16:
 	case NFT_TYPE_S32:
 	case NFT_TYPE_S64:
-		sval = strtoull(string, &endptr, base);
+		sval = *((int64_t *)val);
+		if (sval < basetype[type].min ||
+		    sval > (int64_t)basetype[type].max) {
+			errno = ERANGE;
+			return -1;
+		}
+		memcpy(out, &sval, basetype[type].len);
 		break;
-	default:
-		errno = EINVAL;
-		return -1;
 	}
 
-	if (*endptr) {
-		errno = EINVAL;
-		return -1;
-	}
+	return 0;
+}
+
+int nft_strtoi(const char *string, int base, void *out, enum nft_type type)
+{
+	int64_t sval = 0;
+	uint64_t uval = -1;
+	char *endptr;
 
 	switch (type) {
 	case NFT_TYPE_U8:
 	case NFT_TYPE_U16:
 	case NFT_TYPE_U32:
 	case NFT_TYPE_U64:
-		if (uval > basetype[type].max) {
-			errno = ERANGE;
-			return -1;
-		}
-		memcpy(out, &uval, basetype[type].len);
+		uval = strtoll(string, &endptr, base);
+		nft_get_value(type, &uval, out);
 		break;
 	case NFT_TYPE_S8:
 	case NFT_TYPE_S16:
 	case NFT_TYPE_S32:
 	case NFT_TYPE_S64:
-		if (sval < basetype[type].min ||
-		    sval > (int64_t)basetype[type].max) {
-			errno = ERANGE;
-			return -1;
-		}
-		memcpy(out, &sval, basetype[type].len);
+		sval = strtoull(string, &endptr, base);
+		nft_get_value(type, &sval, out);
 		break;
+	default:
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (*endptr) {
+		errno = EINVAL;
+		return -1;
 	}
 
 	return 0;

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 2/6] table : tests: test the table json parser support

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Test the functions for parsing tables in JSON Support

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 tests/Makefile.am             |    2 +-
 tests/jsonfiles/01-table.json |    1 +
 tests/jsonfiles/02-table.json |    1 +
 tests/nft-parsing-test.c      |   49 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 tests/jsonfiles/01-table.json
 create mode 100644 tests/jsonfiles/02-table.json

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6941c3c..cfa4e8e 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -3,4 +3,4 @@ include $(top_srcdir)/Make_global.am
 check_PROGRAMS = nft-parsing-test
 
 nft_parsing_test_SOURCES = nft-parsing-test.c
-nft_parsing_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS}
+nft_parsing_test_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS}
diff --git a/tests/jsonfiles/01-table.json b/tests/jsonfiles/01-table.json
new file mode 100644
index 0000000..ec496b9
--- /dev/null
+++ b/tests/jsonfiles/01-table.json
@@ -0,0 +1 @@
+{"table" : {"name" : "filter","version" : 0,"properties" : {"family" : "ip","table_flags" : 0}}}
diff --git a/tests/jsonfiles/02-table.json b/tests/jsonfiles/02-table.json
new file mode 100644
index 0000000..03f4d5a
--- /dev/null
+++ b/tests/jsonfiles/02-table.json
@@ -0,0 +1 @@
+{"table" : {"name" : "filter2","version" : 0,"properties" : {"family" : "ip6","table_flags" : 0}}}
diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c
index 4fe60c3..83a627c 100644
--- a/tests/nft-parsing-test.c
+++ b/tests/nft-parsing-test.c
@@ -14,6 +14,47 @@
 #include <mxml.h>
 #endif
 
+#ifdef JSON_PARSING
+#include <jansson.h>
+#endif
+
+static int test_json(const char *filename)
+{
+#ifdef JSON_PARSING
+	int ret = -1;
+	struct nft_table *t = NULL;
+	json_t *root;
+	json_error_t error;
+	char *json = NULL;
+
+	root = json_load_file(filename, 0, &error);
+	if (!root) {
+		printf("Error on the line %d : %s", error.line, error.text);
+		return -1;
+	}
+
+	if (root == NULL)
+		return -1;
+
+	json = json_dumps(root, JSON_INDENT(0));
+
+	if (json_object_get(root, "table") != NULL) {
+		t = nft_table_alloc();
+		if (t != NULL) {
+			if (nft_table_parse(t, NFT_TABLE_PARSE_JSON, json) == 0)
+				ret = 0;
+
+			nft_table_free(t);
+		}
+	}
+
+	return ret;
+#else
+	errno = EOPNOTSUPP;
+	return -1;
+#endif
+}
+
 static int test_xml(const char *filename)
 {
 #ifdef XML_PARSING
@@ -104,6 +145,14 @@ int main(int argc, char *argv[])
 			else
 				printf("\033[32mOK\e[0m\n");
 		}
+		if (strcmp(&dent->d_name[len-5], ".json") == 0) {
+			printf("parsing %s: ", path);
+			if (test_json(path) < 0)
+				printf("\033[31mFAILED\e[0m (%s)\n",
+					strerror(errno));
+			else
+				printf("\033[32mOK\e[0m\n");
+		}
 	}
 
 	closedir(d);

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 3/6] examples: Add nft-table-json-add

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 examples/Makefile.am          |    4 +
 examples/nft-table-json-add.c |  116 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 examples/nft-table-json-add.c

diff --git a/examples/Makefile.am b/examples/Makefile.am
index bf28bae..722ce0b 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -2,6 +2,7 @@ include $(top_srcdir)/Make_global.am
 
 check_PROGRAMS = nft-table-add		\
 		 nft-table-xml-add	\
+		 nft-table-json-add	\
 		 nft-table-upd		\
 		 nft-table-del		\
 		 nft-table-get		\
@@ -29,6 +30,9 @@ nft_table_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 nft_table_xml_add_SOURCES = nft-table-xml-add.c
 nft_table_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 
+nft_table_json_add_SOURCES = nft-table-json-add.c
+nft_table_json_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
+
 nft_table_upd_SOURCES = nft-table-upd.c
 nft_table_upd_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 
diff --git a/examples/nft-table-json-add.c b/examples/nft-table-json-add.c
new file mode 100644
index 0000000..5526c91
--- /dev/null
+++ b/examples/nft-table-json-add.c
@@ -0,0 +1,116 @@
+/*
+ * (C) 2013 by Álvaro Neira Ayuso <alvaroneay@gmail.com>
+ *
+ * Based on nft-table-xml-add from:
+ *
+ * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This code has been sponsored by Sophos Astaro <http://www.sophos.com>
+ */
+
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include <libmnl/libmnl.h>
+#include <libnftables/table.h>
+
+int main(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nft_table *t = NULL;
+	int ret, fd;
+	uint16_t family;
+	char json[4096];
+	char reprint[4096];
+
+	if (argc < 2) {
+		printf("Usage: %s <json-file>\n", argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd < 0) {
+		perror("open");
+		exit(EXIT_FAILURE);
+	}
+
+	if (read(fd, json, sizeof(json)) < 0) {
+		perror("read");
+		close(fd);
+		exit(EXIT_FAILURE);
+	}
+	close(fd);
+
+	t = nft_table_alloc();
+	if (t == NULL) {
+		perror("OOM");
+		exit(EXIT_FAILURE);
+	}
+
+	if (nft_table_parse(t, NFT_TABLE_PARSE_JSON, json) < 0) {
+		printf("E: Unable to parse JSON file: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	nft_table_snprintf(reprint, sizeof(reprint), t, NFT_TABLE_O_JSON, 0);
+	printf("Parsed:\n%s\n", reprint);
+
+	family = nft_table_attr_get_u32(t, NFT_TABLE_ATTR_FAMILY);
+
+	seq = time(NULL);
+
+	nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, family,
+					NLM_F_CREATE|NLM_F_ACK, seq);
+	nft_table_nlmsg_build_payload(nlh, t);
+	nft_table_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		perror("mnl_socket_open");
+		exit(EXIT_FAILURE);
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		perror("mnl_socket_bind");
+		exit(EXIT_FAILURE);
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		perror("mnl_socket_send");
+		exit(EXIT_FAILURE);
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		perror("error");
+		exit(EXIT_FAILURE);
+	}
+
+	mnl_socket_close(nl);
+
+	return EXIT_SUCCESS;
+}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 4/6] chain: json: add function for parsing chain

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Add function for parsing chains in format JSON

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 include/libnftables/chain.h |    1 
 src/chain.c                 |  138 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 139 insertions(+)

diff --git a/include/libnftables/chain.h b/include/libnftables/chain.h
index 382947f..53fd407 100644
--- a/include/libnftables/chain.h
+++ b/include/libnftables/chain.h
@@ -52,6 +52,7 @@ enum {
 enum nft_chain_parse_type {
 	NFT_CHAIN_PARSE_NONE	= 0,
 	NFT_CHAIN_PARSE_XML,
+	NFT_CHAIN_PARSE_JSON,
 	NFT_CHAIN_PARSE_MAX
 };
 
diff --git a/src/chain.c b/src/chain.c
index 1e07044..d9d41ee 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -468,6 +468,141 @@ int nft_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_chain *c)
 }
 EXPORT_SYMBOL(nft_chain_nlmsg_parse);
 
+static int str2policy(const char *policy)
+{
+	if (strcmp("accept", policy) == 0) {
+		return NF_ACCEPT;
+	} else if (strcmp("drop", policy) == 0) {
+		return NF_DROP;
+	} else {
+		return -1;
+	}
+}
+
+static int nft_chain_json_parse(struct nft_chain *c, char *json)
+{
+#ifdef JSON_PARSING
+	json_t *root;
+	json_error_t error;
+	uint64_t val64;
+	uint32_t hooknum;
+	int32_t prio;
+	const char *valstr;
+
+	/* Load the tree */
+	root = json_loadb (json, strlen(json), 0, &error);
+	if (!root) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	root = json_object_get(root, "chain");
+	if (root == NULL) {
+		errno = ERANGE;
+		return -1;
+	}
+
+	if (nft_jansson_value_parse_val(root, "version", NFT_TYPE_U64,
+					 &val64) == -1)
+		goto err;
+
+	if (val64 != NFT_CHAIN_JSON_VERSION)
+		goto err;
+
+	valstr = nft_jansson_value_parse_str(root, "name");
+	if (valstr == NULL)
+		goto err;
+
+	nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_NAME, strdup(valstr));
+
+	if (nft_jansson_value_parse_val(root, "handle", NFT_TYPE_U64,
+					 &val64) == -1)
+		goto err;
+
+	nft_chain_attr_set_u64(c,NFT_CHAIN_ATTR_HANDLE, val64);
+
+	if (nft_jansson_value_parse_val(root, "bytes", NFT_TYPE_U64,
+					 &val64) == -1)
+		goto err;
+
+	nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_BYTES, val64);
+
+	if (nft_jansson_value_parse_val(root, "packets", NFT_TYPE_U64,
+					 &val64) == -1)
+		goto err;
+
+	if (val64 < 0)
+		goto err;
+
+	nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_PACKETS, val64);
+
+	root = json_object_get(root, "properties");
+
+	valstr = nft_jansson_value_parse_str(root, "family");
+
+	if (valstr == NULL)
+		goto err;
+
+	if (nft_str2family(valstr) == -1)
+		goto err;
+
+	nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_FAMILY, nft_str2family(valstr));
+
+	valstr = nft_jansson_value_parse_str(root, "table");
+
+	if (valstr == NULL)
+		goto err;
+
+	nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TABLE, strdup(valstr));
+
+	if (nft_jansson_node_exist(root, "hooknum")) {
+		valstr = nft_jansson_value_parse_str(root, "type");
+
+		if (valstr == NULL)
+			goto err;
+
+		nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TYPE, strdup(valstr));
+
+		if (nft_jansson_value_parse_val(root, "prio", NFT_TYPE_S32,
+						 &prio) == -1)
+			goto err;
+
+		nft_chain_attr_set_s32(c, NFT_CHAIN_ATTR_PRIO, prio);
+
+		valstr = nft_jansson_value_parse_str(root, "hooknum");
+		for (hooknum = 0; hooknum < NF_INET_NUMHOOKS; hooknum++) {
+			if (strcmp(valstr, hooknum2str_array[hooknum]) == 0) {
+				nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_HOOKNUM,
+						       hooknum);
+				break;
+			}
+		}
+
+		valstr = nft_jansson_value_parse_str(root, "policy");
+
+		if (valstr == NULL)
+			goto err;
+
+		if (str2policy(valstr) == -1)
+			goto err;
+
+		nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_POLICY,
+				       str2policy(valstr));
+	}
+
+	free(root);
+	return 0;
+
+err:
+	free(root);
+	errno = ERANGE;
+	return -1;
+#else
+	errno = EOPNOTSUPP;
+	return -1;
+#endif
+}
+
 static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
 {
 #ifdef XML_PARSING
@@ -661,6 +796,9 @@ int nft_chain_parse(struct nft_chain *c, enum nft_chain_parse_type type,
 	case NFT_CHAIN_PARSE_XML:
 		ret = nft_chain_xml_parse(c, data);
 		break;
+	case NFT_CHAIN_PARSE_JSON:
+		ret = nft_chain_json_parse(c, data);
+		break;
 	default:
 		ret = -1;
 		errno = EOPNOTSUPP;

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 5/6] chain: test: test the chain parser support

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Test the functions for parsing chains in JSON Support

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 tests/jsonfiles/11-chain.json |    1 +
 tests/jsonfiles/12-chain.json |    1 +
 tests/jsonfiles/13-chain.json |    1 +
 tests/jsonfiles/14-chain.json |    1 +
 tests/nft-parsing-test.c      |    9 +++++++++
 5 files changed, 13 insertions(+)
 create mode 100644 tests/jsonfiles/11-chain.json
 create mode 100644 tests/jsonfiles/12-chain.json
 create mode 100644 tests/jsonfiles/13-chain.json
 create mode 100644 tests/jsonfiles/14-chain.json

diff --git a/tests/jsonfiles/11-chain.json b/tests/jsonfiles/11-chain.json
new file mode 100644
index 0000000..9b716f2
--- /dev/null
+++ b/tests/jsonfiles/11-chain.json
@@ -0,0 +1 @@
+{ "chain": {"name": "input","handle": 1,"bytes": 2238649,"packets": 14177,"version": 0,"properties": {"family": "ip","table": "filter","use": 0,"type": "filter","hooknum": "NF_INET_LOCAL_IN","prio": 0,"policy": "accept"}}}
diff --git a/tests/jsonfiles/12-chain.json b/tests/jsonfiles/12-chain.json
new file mode 100644
index 0000000..0af8588
--- /dev/null
+++ b/tests/jsonfiles/12-chain.json
@@ -0,0 +1 @@
+{ "chain": {"name": "forward","handle": 2,"bytes": 0,"packets": 0,"version": 0,"properties": {"family": "ip","table": "filter","use": 0,"type": "filter","hooknum": "NF_INET_FORWARD","prio": 0,"policy": "accept"}}}
diff --git a/tests/jsonfiles/13-chain.json b/tests/jsonfiles/13-chain.json
new file mode 100644
index 0000000..835fc2b
--- /dev/null
+++ b/tests/jsonfiles/13-chain.json
@@ -0,0 +1 @@
+{ "chain": {"name": "output","handle": 3,"bytes": 781933,"packets": 6506,"version": 0,"properties": {"family": "ip","table": "filter","use": 0,"type": "filter","hooknum": "NF_INET_LOCAL_OUT","prio": 0,"policy": "accept"}}}
diff --git a/tests/jsonfiles/14-chain.json b/tests/jsonfiles/14-chain.json
new file mode 100644
index 0000000..de3bc35
--- /dev/null
+++ b/tests/jsonfiles/14-chain.json
@@ -0,0 +1 @@
+{ "chain": {"name": "chain1","handle": 4,"bytes": 0,"packets": 0,"version": 0,"properties": {"family": "ip","table": "filter","use": 0}}}
diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c
index 83a627c..777e2e0 100644
--- a/tests/nft-parsing-test.c
+++ b/tests/nft-parsing-test.c
@@ -23,6 +23,7 @@ static int test_json(const char *filename)
 #ifdef JSON_PARSING
 	int ret = -1;
 	struct nft_table *t = NULL;
+	struct nft_chain *c = NULL;
 	json_t *root;
 	json_error_t error;
 	char *json = NULL;
@@ -46,6 +47,14 @@ static int test_json(const char *filename)
 
 			nft_table_free(t);
 		}
+	}else if (json_object_get(root, "chain") != NULL) {
+		c = nft_chain_alloc();
+		if (c != NULL) {
+			if (nft_chain_parse(c, NFT_CHAIN_PARSE_JSON, json) == 0)
+				ret = 0;
+
+			nft_chain_free(c);
+		}
 	}
 
 	return ret;

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 6/6] examples: Add nft-chain-json-add

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 examples/Makefile.am          |    4 +
 examples/nft-chain-json-add.c |  120 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
 create mode 100644 examples/nft-chain-json-add.c

diff --git a/examples/Makefile.am b/examples/Makefile.am
index 722ce0b..8d76f00 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -8,6 +8,7 @@ check_PROGRAMS = nft-table-add		\
 		 nft-table-get		\
 		 nft-chain-add		\
 		 nft-chain-xml-add	\
+		 nft-chain-json-add	\
 		 nft-chain-del		\
 		 nft-chain-get		\
 		 nft-rule-add		\
@@ -48,6 +49,9 @@ nft_chain_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 nft_chain_xml_add_SOURCES = nft-chain-xml-add.c
 nft_chain_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 
+nft_chain_json_add_SOURCES = nft-chain-json-add.c
+nft_chain_json_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} ${LIBJSON_LIBS}
+
 nft_chain_del_SOURCES = nft-chain-del.c
 nft_chain_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 
diff --git a/examples/nft-chain-json-add.c b/examples/nft-chain-json-add.c
new file mode 100644
index 0000000..a46e7af
--- /dev/null
+++ b/examples/nft-chain-json-add.c
@@ -0,0 +1,120 @@
+/*
+ * (C) 2013 by Álvaro Neira Ayuso <alvaroneay@gmail.com>
+ *
+ * Based on nft-chain-xml-add from:
+ *
+ * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2013 by Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+
+#include <libmnl/libmnl.h>
+#include <libnftables/chain.h>
+#include <libnftables/rule.h>
+
+int main(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nft_chain *c = NULL;
+	int ret, fd;
+	uint16_t family;
+	char json[4096];
+	char reprint[4096];
+
+	if (argc < 2) {
+		printf("Usage: %s <json-file>\n", argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
+	c = nft_chain_alloc();
+	if (c == NULL) {
+		perror("OOM");
+		exit(EXIT_FAILURE);
+	}
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd < 0) {
+		perror("open");
+		exit(EXIT_FAILURE);
+	}
+
+	if (read(fd, json, sizeof(json)) < 0) {
+		perror("read");
+		close(fd);
+		exit(EXIT_FAILURE);
+	}
+
+	close(fd);
+
+	if (nft_chain_parse(c, NFT_CHAIN_PARSE_JSON, json) < 0) {
+		printf("E: Unable to parse JSON file: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	nft_chain_snprintf(reprint, sizeof(reprint), c, NFT_CHAIN_O_JSON, 0);
+	printf("Parsed:\n%s\n", reprint);
+
+	nft_chain_attr_unset(c, NFT_CHAIN_ATTR_HANDLE);
+	family = nft_chain_attr_get_u32(c, NFT_CHAIN_ATTR_FAMILY);
+
+	seq = time(NULL);
+	nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, family,
+					NLM_F_CREATE|NLM_F_ACK, seq);
+	nft_chain_nlmsg_build_payload(nlh, c);
+
+	nft_chain_free(c);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		perror("mnl_socket_open");
+		exit(EXIT_FAILURE);
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		perror("mnl_socket_bind");
+		exit(EXIT_FAILURE);
+	}
+
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		perror("mnl_socket_send");
+		exit(EXIT_FAILURE);
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+
+	}
+	if (ret == -1) {
+		perror("error");
+		exit(EXIT_FAILURE);
+	}
+
+
+	mnl_socket_close(nl);
+	return EXIT_SUCCESS;
+}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 1/6] table: json: Add Json parser support

[Pablo Neira Ayuso]

On Thu, Jul 25, 2013 at 10:52:15PM +0200, Alvaro Neira wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> Add function for parsing tables in format JSON

Applied, thanks Alvaro.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 2/6] table : tests: test the table json parser support

[Pablo Neira Ayuso]

On Thu, Jul 25, 2013 at 10:52:24PM +0200, Alvaro Neira wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> Test the functions for parsing tables in JSON Support

Also applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 3/6] examples: Add nft-table-json-add

[Pablo Neira Ayuso]

On Thu, Jul 25, 2013 at 10:52:32PM +0200, Alvaro Neira wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 4/6] chain: json: add function for parsing chain

[Pablo Neira Ayuso]

On Thu, Jul 25, 2013 at 10:52:39PM +0200, Alvaro Neira wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> Add function for parsing chains in format JSON
> 
> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
> ---
>  include/libnftables/chain.h |    1 
>  src/chain.c                 |  138 +++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 139 insertions(+)
> 
> diff --git a/include/libnftables/chain.h b/include/libnftables/chain.h
> index 382947f..53fd407 100644
> --- a/include/libnftables/chain.h
> +++ b/include/libnftables/chain.h
> @@ -52,6 +52,7 @@ enum {
>  enum nft_chain_parse_type {
>  	NFT_CHAIN_PARSE_NONE	= 0,
>  	NFT_CHAIN_PARSE_XML,
> +	NFT_CHAIN_PARSE_JSON,
>  	NFT_CHAIN_PARSE_MAX
>  };
>  
> diff --git a/src/chain.c b/src/chain.c
> index 1e07044..d9d41ee 100644
> --- a/src/chain.c
> +++ b/src/chain.c
> @@ -468,6 +468,141 @@ int nft_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_chain *c)
>  }
>  EXPORT_SYMBOL(nft_chain_nlmsg_parse);
>  
> +static int str2policy(const char *policy)
> +{
> +	if (strcmp("accept", policy) == 0) {
> +		return NF_ACCEPT;
> +	} else if (strcmp("drop", policy) == 0) {
> +		return NF_DROP;
> +	} else {
> +		return -1;
> +	}
> +}

Arturo just added nft_str2verdict, please use it.

> +
> +static int nft_chain_json_parse(struct nft_chain *c, char *json)
> +{
> +#ifdef JSON_PARSING
> +	json_t *root;
> +	json_error_t error;
> +	uint64_t val64;
> +	uint32_t hooknum;
> +	int32_t prio;
> +	const char *valstr;
> +
> +	/* Load the tree */
> +	root = json_loadb (json, strlen(json), 0, &error);
                         ^
no need for space there.

> +	if (!root) {

if (root == NULL)

for consistency with other code you sent.

> +		errno = EINVAL;
> +		return -1;
> +	}
> +
> +	root = json_object_get(root, "chain");
> +	if (root == NULL) {
> +		errno = ERANGE;
> +		return -1;
> +	}
> +
> +	if (nft_jansson_value_parse_val(root, "version", NFT_TYPE_U64,
> +					 &val64) == -1)
> +		goto err;
> +
> +	if (val64 != NFT_CHAIN_JSON_VERSION)
> +		goto err;
> +
> +	valstr = nft_jansson_value_parse_str(root, "name");
> +	if (valstr == NULL)
> +		goto err;

You have to change nft_jansson_value_parse_str to set errno
accordingly.

Then you return -1;

> +
> +	nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_NAME, strdup(valstr));
> +
> +	if (nft_jansson_value_parse_val(root, "handle", NFT_TYPE_U64,
> +					 &val64) == -1)
> +		goto err;
> +
> +	nft_chain_attr_set_u64(c,NFT_CHAIN_ATTR_HANDLE, val64);
> +
> +	if (nft_jansson_value_parse_val(root, "bytes", NFT_TYPE_U64,
> +					 &val64) == -1)
> +		goto err;
> +
> +	nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_BYTES, val64);
> +
> +	if (nft_jansson_value_parse_val(root, "packets", NFT_TYPE_U64,
> +					 &val64) == -1)
> +		goto err;
> +
> +	if (val64 < 0)

val64 is uint64_t, so it cannot be negative.

> +		goto err;
> +
> +	nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_PACKETS, val64);
> +
> +	root = json_object_get(root, "properties");
> +
> +	valstr = nft_jansson_value_parse_str(root, "family");
> +
> +	if (valstr == NULL)
> +		goto err;

                return -1;

instead. nft_jansson_value_parse_str should set errno accordingly.

> +
> +	if (nft_str2family(valstr) == -1)
> +		goto err;

                return -1;

nft_str2family already sets errno.

> +
> +	nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_FAMILY, nft_str2family(valstr));
> +
> +	valstr = nft_jansson_value_parse_str(root, "table");
> +
> +	if (valstr == NULL)
> +		goto err;
> +
> +	nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TABLE, strdup(valstr));
> +
> +	if (nft_jansson_node_exist(root, "hooknum")) {
> +		valstr = nft_jansson_value_parse_str(root, "type");
> +
> +		if (valstr == NULL)
> +			goto err;
> +
> +		nft_chain_attr_set_str(c, NFT_CHAIN_ATTR_TYPE, strdup(valstr));
> +
> +		if (nft_jansson_value_parse_val(root, "prio", NFT_TYPE_S32,
> +						 &prio) == -1)
> +			goto err;
> +
> +		nft_chain_attr_set_s32(c, NFT_CHAIN_ATTR_PRIO, prio);
> +
> +		valstr = nft_jansson_value_parse_str(root, "hooknum");
> +		for (hooknum = 0; hooknum < NF_INET_NUMHOOKS; hooknum++) {
> +			if (strcmp(valstr, hooknum2str_array[hooknum]) == 0) {
> +				nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_HOOKNUM,
> +						       hooknum);
> +				break;
> +			}
> +		}
> +
> +		valstr = nft_jansson_value_parse_str(root, "policy");
> +
> +		if (valstr == NULL)
> +			goto err;
> +
> +		if (str2policy(valstr) == -1)
> +			goto err;
> +
> +		nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_POLICY,
> +				       str2policy(valstr));
> +	}
> +
> +	free(root);
> +	return 0;
> +
> +err:
> +	free(root);
> +	errno = ERANGE;

this should return EINVAL.

> +	return -1;
> +#else
> +	errno = EOPNOTSUPP;
> +	return -1;
> +#endif
> +}
> +
>  static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
>  {
>  #ifdef XML_PARSING
> @@ -661,6 +796,9 @@ int nft_chain_parse(struct nft_chain *c, enum nft_chain_parse_type type,
>  	case NFT_CHAIN_PARSE_XML:
>  		ret = nft_chain_xml_parse(c, data);
>  		break;
> +	case NFT_CHAIN_PARSE_JSON:
> +		ret = nft_chain_json_parse(c, data);
> +		break;
>  	default:
>  		ret = -1;
>  		errno = EOPNOTSUPP;
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html