[libnftables PATCH 01/13] src: expr: missing commas in json output support

[libnftables PATCH 01/13] src: expr: missing commas in json output support

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Added missing commas in json output support

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/meta.c |    2 +-
 src/expr/nat.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/expr/meta.c b/src/expr/meta.c
index ac01732..8f163f6 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -208,7 +208,7 @@ nft_rule_expr_meta_snprintf(char *buf, size_t len, uint32_t type,
 				meta->dreg, meta_key2str(meta->key));
 	case NFT_RULE_O_JSON:
 		return snprintf(buf, len, "\"dreg\" : %u, "
-					  "\"key\" : %s",
+					  "\"key\" : \"%s\"",
 				meta->dreg, meta_key2str(meta->key));
 	default:
 		break;
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 4b7ec27..654d4d7 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -262,7 +262,7 @@ nft_rule_expr_nat_snprintf_json(char *buf, size_t size,
 	if (nat->type == NFT_NAT_SNAT)
 		ret = snprintf(buf, len, "\"nat_type\" : \"snat\", ");
 	else if (nat->type == NFT_NAT_DNAT)
-		ret = snprintf(buf, len, "\nat_type\" : \"dnat\", ");
+		ret = snprintf(buf, len, "\"nat_type\" : \"dnat\", ");
 
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 02/13] src: expr: missing curly braces in json output support

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Added missing curly braces in json output support

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/bitwise.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index f0a2eff..edc5a39 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -242,21 +242,21 @@ nft_rule_expr_bitwise_snprintf_json(char *buf, size_t size,
 		       bitwise->sreg, bitwise->dreg);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	ret = snprintf(buf+offset, len, "\"mask\" : ");
+	ret = snprintf(buf+offset, len, "\"mask\" : {");
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 	ret = nft_data_reg_snprintf(buf+offset, len, &bitwise->mask,
 				    NFT_RULE_O_JSON, 0, DATA_VALUE);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	ret = snprintf(buf+offset, len, ", \"xor\" : ");
+	ret = snprintf(buf+offset, len, "}, \"xor\" : {");
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 	ret = nft_data_reg_snprintf(buf+offset, len, &bitwise->xor,
 				    NFT_RULE_O_JSON, 0, DATA_VALUE);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	ret = snprintf(buf+offset, len, "\"");
+	ret = snprintf(buf+offset, len, "}");
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 	return offset;

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 03/13] src: expr: change wrong value in data_reg

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Changed wrong value in data_reg_chain snprintf

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/data_reg.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index fceec5a..825e474 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -359,8 +359,8 @@ int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg,
 		case NFT_RULE_O_JSON:
 			return snprintf(buf, size,
 					"\"data_reg\": { \"type\" : \"chain\", "
-						"\"chain\" : %d"
-					"}", reg->verdict);
+						"\"chain\" : \"%s\""
+					"}", reg->chain);
 		default:
 			break;
 		}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 04/13] src: fix display of compat_flag and compat_proto

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Fixed display compat_proto value and compat_flag if available

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/rule.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/rule.c b/src/rule.c
index 9d6a996..41534bd 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -633,9 +633,10 @@ static int nft_rule_snprintf_json(char *buf, size_t size, struct nft_rule *r,
 					r->rule_flags);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	if(NFT_RULE_ATTR_COMPAT_PROTO != 0 || NFT_RULE_ATTR_COMPAT_FLAGS != 0){
+	if (r->flags & (1 << NFT_RULE_ATTR_COMPAT_PROTO) ||
+	    r->flags & (1 << NFT_RULE_ATTR_COMPAT_FLAGS)) {
 		ret = snprintf(buf+offset,len,"\"compat_flags\" : %u, "
-									  "\"compat_proto\" : %u, ",
+					      "\"compat_proto\" : %u, ",
 					r->compat.flags, r->compat.proto);
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 05/13] expr: ct: optional output in ct

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Display direction and key if available

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/ct.c |   29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/expr/ct.c b/src/expr/ct.c
index 99448c6..f86fd4d 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -226,6 +226,30 @@ err:
 }
 
 static int
+nft_expr_ct_snprintf_json(char *buf, size_t size, struct nft_rule_expr *e)
+{
+	int ret, len = size, offset = 0;
+	struct nft_expr_ct *ct = nft_expr_data(e);
+
+	ret = snprintf(buf, size, "\"dreg\" : %u", ct->dreg);
+	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+	if (e->flags & (1 << NFT_EXPR_CT_KEY)) {
+		ret = snprintf(buf+offset, size, ", \"key\" : \"%s\"",
+						ctkey2str(ct->key));
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
+	if (e->flags & (1 << NFT_EXPR_CT_DIR)) {
+		ret = snprintf(buf+offset, size, ", \"dir\" : %u", ct->dir);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
+	return offset;
+
+}
+
+static int
 nft_rule_expr_ct_snprintf(char *buf, size_t len, uint32_t type,
 			    uint32_t flags, struct nft_rule_expr *e)
 {
@@ -241,10 +265,7 @@ nft_rule_expr_ct_snprintf(char *buf, size_t len, uint32_t type,
 					  "<dir>%u</dir>",
 				ct->dreg, ctkey2str(ct->key), ct->dir);
 	case NFT_RULE_O_JSON:
-		return snprintf(buf, len, "\"dreg\" : %u, "
-					  "\"key\" : \"%s\", "
-					  "\"dir\" : %u",
-				ct->dreg, ctkey2str(ct->key), ct->dir);
+		return nft_expr_ct_snprintf_json(buf, len, e);
 	default:
 		break;
 	}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 06/13] json: bitwise: add missing node len

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

I have added the len node in bitwise which was missing

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/bitwise.c  |    5 +++--
 src/expr/data_reg.c |    4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index edc5a39..6c86acb 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -238,8 +238,9 @@ nft_rule_expr_bitwise_snprintf_json(char *buf, size_t size,
 	int len = size, offset = 0, ret;
 
 	ret = snprintf(buf, len, "\"sreg\" : %u, "
-				"\"dreg\" : %u, ",
-		       bitwise->sreg, bitwise->dreg);
+				"\"dreg\" : %u, "
+				"\"len\" : %u, ",
+		       bitwise->sreg, bitwise->dreg, bitwise->len);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 	ret = snprintf(buf+offset, len, "\"mask\" : {");
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 825e474..4c354ef 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -250,10 +250,10 @@ nft_data_reg_value_snprintf_json(char *buf, size_t size,
 			SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 		}
 
-		ret = snprintf(buf+offset, len, "\"");
+		ret = snprintf(buf+offset, len, "\", ");
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}
-
+	offset -= 2;
 	ret = snprintf(buf+offset, len, "}");
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 07/13] src: json: delete unneeded JSON prefixes

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

This patch changes some JSON nodes with prefixes like XML nodes

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/rule.c                    |    2 +-
 src/set_elem.c                |    6 +++---
 src/table.c                   |    4 ++--
 tests/jsonfiles/01-table.json |    2 +-
 tests/jsonfiles/02-table.json |    2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/rule.c b/src/rule.c
index 41534bd..8a86f54 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -629,7 +629,7 @@ static int nft_rule_snprintf_json(char *buf, size_t size, struct nft_rule *r,
 				(unsigned long long)r->handle);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	ret = snprintf(buf+offset, len, "\"rule_flags\" : %u, ",
+	ret = snprintf(buf+offset, len, "\"flags\" : %u, ",
 					r->rule_flags);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
diff --git a/src/set_elem.c b/src/set_elem.c
index 73c100f..c3ac1da 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -469,10 +469,10 @@ static int nft_set_elem_snprintf_json(char *buf, size_t size,
 {
 	int ret, len = size, offset = 0, type = -1;
 
-	ret = snprintf(buf, size, "\"set_elem_flags\": %u", e->set_elem_flags);
+	ret = snprintf(buf, size, "\"flags\": %u", e->set_elem_flags);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	ret = snprintf(buf+offset, size, ",\"set_elem_key\": {");
+	ret = snprintf(buf+offset, size, ",\"key\": {");
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 	ret = nft_data_reg_snprintf(buf+offset, len, &e->key,
@@ -490,7 +490,7 @@ static int nft_set_elem_snprintf_json(char *buf, size_t size,
 		type = DATA_VERDICT;
 
 	if (type != -1) {
-		ret = snprintf(buf+offset, size, ",\"set_elem_data\": {");
+		ret = snprintf(buf+offset, size, ",\"data\": {");
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 		ret = nft_data_reg_snprintf(buf+offset, len, &e->data,
diff --git a/src/table.c b/src/table.c
index 85993eb..18d9077 100644
--- a/src/table.c
+++ b/src/table.c
@@ -295,7 +295,7 @@ static int nft_table_json_parse(struct nft_table *t, char *json)
 
 	nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FAMILY, family);
 
-	if (nft_jansson_value_parse_val(root, "table_flags",
+	if (nft_jansson_value_parse_val(root, "flags",
 					NFT_TYPE_U32, &table_flag) == -1)
 		goto err;
 
@@ -340,7 +340,7 @@ static int nft_table_snprintf_json(char *buf, size_t size, struct nft_table *t)
 			"{\"table\" : {"
 			"\"name\" : \"%s\","
 			"\"family\" : \"%s\","
-			"\"table_flags\" : %d"
+			"\"flags\" : %d"
 			"}"
 			"}" ,
 			t->name, nft_family2str(t->family), t->table_flags);
diff --git a/tests/jsonfiles/01-table.json b/tests/jsonfiles/01-table.json
index a5ba38b..b4fc91b 100644
--- a/tests/jsonfiles/01-table.json
+++ b/tests/jsonfiles/01-table.json
@@ -1 +1 @@
-{"table" : {"name" : "filter","family" : "ip","table_flags" : 0}}
+{"table" : {"name" : "filter","family" : "ip","flags" : 0}}
diff --git a/tests/jsonfiles/02-table.json b/tests/jsonfiles/02-table.json
index f1171a1..01eff74 100644
--- a/tests/jsonfiles/02-table.json
+++ b/tests/jsonfiles/02-table.json
@@ -1 +1 @@
-{"table" : {"name" : "filter2","family" : "ip6","table_flags" : 0}}
+{"table" : {"name" : "filter2","family" : "ip6","flags" : 0}}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 08/13] expr: bytecode: add nft_str2ntoh function

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Add function that will be use in the JSON parser

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/byteorder.c |   25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index 79ba439..c6c4b91 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -181,13 +181,25 @@ static char *expr_byteorder_str[] = {
 	[NFT_BYTEORDER_NTOH] = "ntoh",
 };
 
+static inline int nft_str2ntoh(const char *op)
+{
+	if (strcmp(op, "ntoh") == 0)
+		return NFT_BYTEORDER_NTOH;
+	else if (strcmp(op, "hton") == 0)
+		return NFT_BYTEORDER_HTON;
+	else {
+		errno = EINVAL;
+		return -1;
+	}
+}
+
 static int
 nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 {
 #ifdef XML_PARSING
 	struct nft_expr_byteorder *byteorder = nft_expr_data(e);
 	const char *op;
-	int32_t reg;
+	int32_t reg, ntoh;
 
 	reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST);
 	if (reg < 0)
@@ -207,15 +219,12 @@ nft_rule_expr_byteorder_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 	if (op == NULL)
 		return -1;
 
-	if (strcmp(op, "ntoh") == 0)
-		byteorder->op = NFT_BYTEORDER_NTOH;
-	else if (strcmp(op, "hton") == 0)
-		byteorder->op = NFT_BYTEORDER_HTON;
-	else {
-		errno = EINVAL;
+	ntoh = nft_str2ntoh(op);
+
+	if (ntoh < 0)
 		return -1;
-	}
 
+	byteorder->op = ntoh;
 	e->flags |= (1 << NFT_EXPR_BYTEORDER_OP);
 
 	if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC,

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 09/13] expr: cmp: add nft_str2cmp function

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Add function that will be use in the JSON parser

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/cmp.c |   38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index 291ebcd..8ca4cb5 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -154,12 +154,32 @@ static char *expr_cmp_str[] = {
 	[NFT_CMP_GTE]	= "gte",
 };
 
+static inline int nft_str2cmp(const char *op)
+{
+	if (strcmp(op, "eq") == 0)
+		return NFT_CMP_EQ;
+	else if (strcmp(op, "neq") == 0)
+		return NFT_CMP_NEQ;
+	else if (strcmp(op, "lt") == 0)
+		return NFT_CMP_LT;
+	else if (strcmp(op, "lte") == 0)
+		return NFT_CMP_LTE;
+	else if (strcmp(op, "gt") == 0)
+		return NFT_CMP_GT;
+	else if (strcmp(op, "gte") == 0)
+		return NFT_CMP_GTE;
+	else {
+		errno = EINVAL;
+		return -1;
+	}
+}
+
 static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 {
 #ifdef XML_PARSING
 	struct nft_expr_cmp *cmp = nft_expr_data(e);
 	const char *op;
-	int32_t reg;
+	int32_t reg, op_value;
 
 	reg = nft_mxml_reg_parse(tree, "sreg", MXML_DESCEND_FIRST);
 	if (reg < 0)
@@ -172,21 +192,11 @@ static int nft_rule_expr_cmp_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre
 	if (op == NULL)
 		return -1;
 
-	if (strcmp(op, "eq") == 0)
-		cmp->op = NFT_CMP_EQ;
-	else if (strcmp(op, "neq") == 0)
-		cmp->op = NFT_CMP_NEQ;
-	else if (strcmp(op, "lt") == 0)
-		cmp->op = NFT_CMP_LT;
-	else if (strcmp(op, "lte") == 0)
-		cmp->op = NFT_CMP_LTE;
-	else if (strcmp(op, "gt") == 0)
-		cmp->op = NFT_CMP_GT;
-	else if (strcmp(op, "gte") == 0)
-		cmp->op = NFT_CMP_GTE;
-	else
+	op_value = nft_str2cmp(op);
+	if (op_value < 0)
 		return -1;
 
+	cmp->op = op_value;
 	e->flags |= (1 << NFT_EXPR_CMP_OP);
 
 	if (nft_mxml_data_reg_parse(tree, "cmpdata",

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 10/13] expr: nat: add nft_str2nat function

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Add function that will be use in the JSON parser

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/nat.c |   27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/expr/nat.c b/src/expr/nat.c
index 654d4d7..c81dc7f 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <stdint.h>
 #include <limits.h>
+#include <string.h>
 #include <errno.h>
 #include <arpa/inet.h>
 #include <libmnl/libmnl.h>
@@ -183,6 +184,17 @@ nft_rule_expr_nat_build(struct nlmsghdr *nlh, struct nft_rule_expr *e)
 				 htonl(nat->sreg_proto_max));
 }
 
+static inline int nft_str2nat(const char *nat)
+{
+	if (strcmp(nat, "snat") == 0)
+		return NFT_NAT_SNAT;
+	else if (strcmp(nat, "dnat") == 0)
+		return NFT_NAT_DNAT;
+	else {
+		errno = EINVAL;
+		return -1;
+	}
+}
 
 static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 {
@@ -190,19 +202,17 @@ static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre
 	struct nft_expr_nat *nat = nft_expr_data(e);
 	const char *nat_type;
 	int32_t reg;
-	int family;
+	int family, nat_type_value;
 
 	nat_type = nft_mxml_str_parse(tree, "nat_type", MXML_DESCEND_FIRST);
 	if (nat_type == NULL)
 		return -1;
 
-	if (strcmp(nat_type, "snat") == 0) {
-		nat->type = NFT_NAT_SNAT;
-	} else if (strcmp(nat_type, "dnat") == 0) {
-		nat->type = NFT_NAT_DNAT;
-	} else
-		goto err;
+	nat_type_value = nft_str2nat(nat_type);
+	if (nat_type_value < 0)
+		return -1;
 
+	nat->type = nat_type_value;
 	e->flags |= (1 << NFT_EXPR_NAT_TYPE);
 
 	family = nft_mxml_family_parse(tree, "family", MXML_DESCEND_FIRST);
@@ -243,9 +253,6 @@ static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre
 	e->flags |= (1 << NFT_EXPR_NAT_REG_PROTO_MAX);
 
 	return 0;
-err:
-	errno = EINVAL;
-	return -1;
 #else
 	errno = EOPNOTSUPP;
 	return -1;

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 11/13] expr: payload: add nft_str2base function

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Add function that will be use in the JSON parser

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/expr/payload.c |   32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/src/expr/payload.c b/src/expr/payload.c
index 34aee90..e32ae1b 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -13,6 +13,7 @@
 
 #include <stdio.h>
 #include <stdint.h>
+#include <string.h>
 #include <limits.h>
 #include <arpa/inet.h>
 #include <errno.h>
@@ -178,13 +179,27 @@ nft_rule_expr_payload_snprintf_json(char *buf, size_t len, uint32_t flags,
 	return offset;
 }
 
+static inline int nft_str2base(const char *base)
+{
+	if (strcmp(base, "link") == 0)
+		return NFT_PAYLOAD_LL_HEADER;
+	else if (strcmp(base, "network") == 0)
+		return NFT_PAYLOAD_NETWORK_HEADER;
+	else if (strcmp(base, "transport") == 0)
+		return NFT_PAYLOAD_TRANSPORT_HEADER;
+	else {
+		errno = EINVAL;
+		return -1;
+	}
+}
+
 static int
 nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 {
 #ifdef XML_PARSING
 	struct nft_expr_payload *payload = nft_expr_data(e);
 	const char *base_str;
-	int32_t reg;
+	int32_t reg, base;
 
 	reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST);
 	if (reg < 0)
@@ -197,14 +212,10 @@ nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 	if (base_str == NULL)
 		return -1;
 
-	if (strcmp(base_str, "link") == 0)
-		payload->base = NFT_PAYLOAD_LL_HEADER;
-	else if (strcmp(base_str, "network") == 0)
-		payload->base = NFT_PAYLOAD_NETWORK_HEADER;
-	else if (strcmp(base_str, "transport") == 0)
-		payload->base = NFT_PAYLOAD_TRANSPORT_HEADER;
-	else
-		goto err;
+	base = nft_str2base(base_str);
+
+	if (base < 0)
+		return -1;
 
 	e->flags |= (1 << NFT_EXPR_PAYLOAD_BASE);
 
@@ -220,9 +231,6 @@ nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
 
 	e->flags |= (1 << NFT_EXPR_PAYLOAD_LEN);
 	return 0;
-err:
-	errno = EINVAL;
-	return -1;
 #else
 	errno = EOPNOTSUPP;
 	return -1;

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 12/13] example: nft-rule-get: family parameter added

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

I have added the parameter family in the example nft-rule-get.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 examples/nft-rule-get.c |   29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/examples/nft-rule-get.c b/examples/nft-rule-get.c
index 2404f27..e78a5cf 100644
--- a/examples/nft-rule-get.c
+++ b/examples/nft-rule-get.c
@@ -14,6 +14,7 @@
 #include <string.h>
 #include <netinet/in.h>
 
+#include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 
 #include <libmnl/libmnl.h>
@@ -52,13 +53,31 @@ int main(int argc, char *argv[])
 	struct nlmsghdr *nlh;
 	uint32_t portid, seq, type = NFT_RULE_O_DEFAULT;
 	struct nft_rule *t = NULL;
-	int ret;
+	int ret, family;
 
-	if (argc == 2 && strcmp(argv[1], "xml") == 0 ){
+	if (argc < 2 || argc > 3) {
+		fprintf(stderr, "Usage: %s <family> [xml|json]\n",
+			argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
+	if (strcmp(argv[1], "ip") == 0)
+		family = NFPROTO_IPV4;
+	else if (strcmp(argv[1], "ip6") == 0)
+		family = NFPROTO_IPV6;
+	else if (strcmp(argv[1], "bridge") == 0)
+		family = NFPROTO_BRIDGE;
+	else if (strcmp(argv[1], "arp") == 0)
+		family = NFPROTO_ARP;
+	else {
+		fprintf(stderr, "Unknown family: ip, ip6, bridge, arp\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (argc == 3 && strcmp(argv[2], "xml") == 0 )
 		type = NFT_RULE_O_XML;
-	}else if (argc == 2 && strcmp(argv[1], "json") == 0 ){
+	else if (argc == 3 && strcmp(argv[2], "json") == 0 )
 		type = NFT_RULE_O_JSON;
-	}
 
 	/* XXX requires table, chain and handle attributes for selective get */
 
@@ -69,7 +88,7 @@ int main(int argc, char *argv[])
 	}
 
 	seq = time(NULL);
-	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, AF_INET,
+	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family,
 					NLM_F_DUMP, seq);
 
 	nl = mnl_socket_open(NETLINK_NETFILTER);

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 13/13] jansson: Add nft_jansson_family function

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Refactor some existing code with the new function nft_jansson_family

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/chain.c    |   10 ++--------
 src/internal.h |    1 +
 src/jansson.c  |   18 ++++++++++++++++++
 src/table.c    |    9 ++-------
 4 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/src/chain.c b/src/chain.c
index e2e6f90..a6d99ca 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -517,14 +517,8 @@ static int nft_chain_json_parse(struct nft_chain *c, char *json)
 
 	nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_PACKETS, uval64);
 
-	valstr = nft_jansson_value_parse_str(root, "family");
-
-	if (valstr == NULL)
-		goto err;
-
-	val32 = nft_str2family(valstr);
-	if (val32 == -1)
-		goto err;
+	if (nft_jansson_parse_family(root, &val32) != 0)
+		return -1;
 
 	nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_FAMILY, val32);
 
diff --git a/src/internal.h b/src/internal.h
index 17d1286..62eb3c5 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -49,6 +49,7 @@ int nft_jansson_value_parse_val(json_t *root, const char *tag,
 const char *nft_jansson_value_parse_str(json_t *root, const char *tag);
 bool nft_jansson_node_exist(json_t *root, const char *tag);
 json_t *nft_jansson_get_root(char *json, const char *tag, json_error_t *err);
+int nft_jansson_parse_family(json_t *root, void *out);
 #endif
 
 const char *nft_family2str(uint32_t family);
diff --git a/src/jansson.c b/src/jansson.c
index 4c778d9..cc3ab23 100644
--- a/src/jansson.c
+++ b/src/jansson.c
@@ -90,4 +90,22 @@ json_t *nft_jansson_get_root(char *json, const char *tag, json_error_t *err)
 
 	return root;
 }
+int nft_jansson_parse_family(json_t *root, void *out)
+{
+	const char *str;
+	int family;
+
+	str = nft_jansson_value_parse_str(root, "family");
+	if (str == NULL)
+		return -1;
+
+	family = nft_str2family(str);
+	if (family < 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	memcpy(out, &family, sizeof(family));
+	return 0;
+}
 #endif
diff --git a/src/table.c b/src/table.c
index 18d9077..1fa0dac 100644
--- a/src/table.c
+++ b/src/table.c
@@ -285,13 +285,8 @@ static int nft_table_json_parse(struct nft_table *t, char *json)
 
 	nft_table_attr_set_str(t, NFT_TABLE_ATTR_NAME, strdup(str));
 
-	str = nft_jansson_value_parse_str(root, "family");
-	if (str == NULL)
-		goto err;
-
-	family = nft_str2family(str);
-	if (family < 0)
-		goto err;
+	if (nft_jansson_parse_family(root, &family) != 0)
+		return -1;
 
 	nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FAMILY, family);
 

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 11/13] expr: payload: add nft_str2base function

[Arturo Borrero Gonzalez]

On 9 August 2013 13:14, Alvaro Neira <alvaroneay@gmail.com> wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
>
> Add function that will be use in the JSON parser
>
> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
> ---
>  src/expr/payload.c |   32 ++++++++++++++++++++------------
>  1 file changed, 20 insertions(+), 12 deletions(-)
>
> diff --git a/src/expr/payload.c b/src/expr/payload.c
> index 34aee90..e32ae1b 100644
> --- a/src/expr/payload.c
> +++ b/src/expr/payload.c
> @@ -13,6 +13,7 @@
>
>  #include <stdio.h>
>  #include <stdint.h>
> +#include <string.h>
>  #include <limits.h>
>  #include <arpa/inet.h>
>  #include <errno.h>
> @@ -178,13 +179,27 @@ nft_rule_expr_payload_snprintf_json(char *buf, size_t len, uint32_t flags,
>         return offset;
>  }
>
> +static inline int nft_str2base(const char *base)
> +{
> +       if (strcmp(base, "link") == 0)
> +               return NFT_PAYLOAD_LL_HEADER;
> +       else if (strcmp(base, "network") == 0)
> +               return NFT_PAYLOAD_NETWORK_HEADER;
> +       else if (strcmp(base, "transport") == 0)
> +               return NFT_PAYLOAD_TRANSPORT_HEADER;
> +       else {
> +               errno = EINVAL;
> +               return -1;
> +       }
> +}
> +
>  static int
>  nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
>  {
>  #ifdef XML_PARSING
>         struct nft_expr_payload *payload = nft_expr_data(e);
>         const char *base_str;
> -       int32_t reg;
> +       int32_t reg, base;
>
>         reg = nft_mxml_reg_parse(tree, "dreg", MXML_DESCEND_FIRST);
>         if (reg < 0)
> @@ -197,14 +212,10 @@ nft_rule_expr_payload_xml_parse(struct nft_rule_expr *e, mxml_node_t *tree)
>         if (base_str == NULL)
>                 return -1;
>
> -       if (strcmp(base_str, "link") == 0)
> -               payload->base = NFT_PAYLOAD_LL_HEADER;
> -       else if (strcmp(base_str, "network") == 0)
> -               payload->base = NFT_PAYLOAD_NETWORK_HEADER;
> -       else if (strcmp(base_str, "transport") == 0)
> -               payload->base = NFT_PAYLOAD_TRANSPORT_HEADER;
> -       else
> -               goto err;
> +       base = nft_str2base(base_str);
> +
> +       if (base < 0)
> +               return -1;

I think we need this:

payload->base = base;

Also, maybe goto err in case of base < 0

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 11/13] expr: payload: add nft_str2base function

[Arturo Borrero Gonzalez]

On 9 August 2013 13:14, Alvaro Neira <alvaroneay@gmail.com> wrote:
> -err:
> -       errno = EINVAL;
> -       return -1;

not going to err anymore, obviously
-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 11/13] expr: payload: add nft_str2base function

[Pablo Neira Ayuso]

On Fri, Aug 09, 2013 at 01:31:35PM +0200, Arturo Borrero Gonzalez wrote:
> >         if (base_str == NULL)
> >                 return -1;
> >
> > -       if (strcmp(base_str, "link") == 0)
> > -               payload->base = NFT_PAYLOAD_LL_HEADER;
> > -       else if (strcmp(base_str, "network") == 0)
> > -               payload->base = NFT_PAYLOAD_NETWORK_HEADER;
> > -       else if (strcmp(base_str, "transport") == 0)
> > -               payload->base = NFT_PAYLOAD_TRANSPORT_HEADER;
> > -       else
> > -               goto err;
> > +       base = nft_str2base(base_str);
> > +
> > +       if (base < 0)
> > +               return -1;
> 
> I think we need this:
> 
> payload->base = base;

Good catch, I'm going to manually fix this. Thanks for reviewing.

> Also, maybe goto err in case of base < 0

errno is already set from the new function.

Re: [libnftables PATCH 01/13] src: expr: missing commas in json output support

[Pablo Neira Ayuso]

Applied this fixes with minor glitches, thanks Alvaro.