[libnftables PATCH 1/2] set: json: fix incomplete output

[libnftables PATCH 1/2] set: json: fix incomplete output

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

In (bf39c53 set: add json output), the json support for sets was
incomplete:

* version, family, key_type, key_len, data_type, data_len were not included.
* Now I use nft_data_reg_snprintf for printing the key and data

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/internal.h |    1 +
 src/set.c      |   23 +++++++++++++++++------
 src/set_elem.c |   50 ++++++++++++++++++++++++++++----------------------
 3 files changed, 46 insertions(+), 28 deletions(-)

diff --git a/src/internal.h b/src/internal.h
index 803dcc4..b3cdb76 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -28,6 +28,7 @@ int nft_mxml_data_reg_parse(mxml_node_t *tree, const char *node_name, union nft_
 #define NFT_TABLE_JSON_VERSION 0
 #define NFT_CHAIN_JSON_VERSION 0
 #define NFT_RULE_JSON_VERSION 0
+#define NFT_SET_JSON_VERSION 0
 
 const char *nft_family2str(uint32_t family);
 int nft_str2family(const char *family);
diff --git a/src/set.c b/src/set.c
index dc3bd27..343e27c 100644
--- a/src/set.c
+++ b/src/set.c
@@ -317,16 +317,27 @@ int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
 EXPORT_SYMBOL(nft_set_nlmsg_parse);
 
 static int nft_set_snprintf_json(char *buf, size_t size, struct nft_set *s,
-			   uint32_t type, uint32_t flags)
+				  uint32_t type, uint32_t flags)
 {
-	int ret;
-	int len = size, offset = 0;
+	int len = size, offset = 0, ret;
 	struct nft_set_elem *elem;
 
-	ret = snprintf(buf, size, "{ \"set\" : { \"name\" : \"%s\", \"table\" : \"%s\", \"flags\" : %u",
-			s->name, s->table, s->set_flags);
+	ret = snprintf(buf, size, "{ \"set\": { \"name\": \"%s\","
+				  "\"table\": \"%s\",\"version\": %d,"
+				  "\"flags\": %u,\"family\": \"%s\","
+				  "\"key_type\": %u,\"key_len\": %u",
+			s->name, s->table, NFT_SET_JSON_VERSION, s->set_flags,
+			nft_family2str(s->family), s->key_type, s->key_len);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
+	if(s->flags & (1 << NFT_SET_ATTR_DATA_TYPE) &&
+	   s->flags & (1 << NFT_SET_ATTR_DATA_LEN)){
+		ret = snprintf(buf+offset, size,
+				  ",\"data_type\": %u,\"data_len\": %u",
+			s->data_type, s->data_len);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
 	/* Empty set? Skip printinf of elements */
 	if (list_empty(&s->element_list)){
 		ret = snprintf(buf+offset, size, "}}");
@@ -334,7 +345,7 @@ static int nft_set_snprintf_json(char *buf, size_t size, struct nft_set *s,
 		return offset;
 	}
 
-	ret = snprintf(buf+offset, size, ", \"set_elem\" : [");
+	ret = snprintf(buf+offset, size, ",\"set_elem\": [");
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
 	list_for_each_entry(elem, &s->element_list, head) {
diff --git a/src/set_elem.c b/src/set_elem.c
index 3966cd6..eeab726 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -385,34 +385,40 @@ int nft_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
 }
 EXPORT_SYMBOL(nft_set_elems_nlmsg_parse);
 
-static int nft_set_elem_snprintf_json(char *buf, size_t size, struct nft_set_elem *e)
+static int nft_set_elem_snprintf_json(char *buf, size_t size,
+				       struct nft_set_elem *e, uint32_t flags)
 {
-	int ret, len = size, offset = 0, i, numregs;
+	int ret, len = size, offset = 0, type = -1;
 
-	ret = snprintf(buf, size, "\"flags\" : %u", e->set_elem_flags);
+	ret = snprintf(buf, size, "\"set_elem_flags\": %u", e->set_elem_flags);
 	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 
-	numregs = div_round_up(e->key.len, sizeof(uint32_t));
-	if (numregs != 0) {
-		ret = snprintf(buf+offset, len, ", \"key\" : \"0x");
-		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-		for (i = 0; i < numregs; i++) {
-			ret = snprintf(buf+offset, len, "%.8x", e->key.val[i]);
-			SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-		}
-		ret = snprintf(buf+offset, len, "\"");
-		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-	}
+	ret = snprintf(buf+offset, size, ",\"set_elem_key\": {");
+	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+	ret = nft_data_reg_snprintf(buf+offset, len, &e->key,
+				    NFT_RULE_O_JSON, flags, DATA_VALUE);
+	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+	ret = snprintf(buf+offset, size, "}");
+	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+	if (e->flags & (1 << NFT_SET_ELEM_ATTR_DATA))
+		type = DATA_VALUE;
+	else if (e->flags & (1 << NFT_SET_ELEM_ATTR_CHAIN))
+		type = DATA_CHAIN;
+	else if (e->flags & (1 << NFT_SET_ELEM_ATTR_VERDICT))
+		type = DATA_VERDICT;
 
-	numregs = div_round_up(e->data.len, sizeof(uint32_t));
-	if (numregs != 0) {
-		ret = snprintf(buf+offset, size, " ,\"data\" : \"0x");
+	if (type != -1) {
+		ret = snprintf(buf+offset, size, ",\"set_elem_data\": {");
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-		for (i = 0; i < numregs; i++) {
-			ret = snprintf(buf+offset, len, "%.8x", e->data.val[i]);
+
+		ret = nft_data_reg_snprintf(buf+offset, len, &e->data,
+				    NFT_RULE_O_JSON, flags, type);
 			SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-		}
-		ret = snprintf(buf+offset, len, "\"");
+
+		ret = snprintf(buf+offset, size, "}");
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}
 
@@ -514,7 +520,7 @@ int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *e,
 	case NFT_SET_O_XML:
 		return nft_set_elem_snprintf_xml(buf, size, e, flags);
 	case NFT_SET_O_JSON:
-		return nft_set_elem_snprintf_json(buf, size, e);
+		return nft_set_elem_snprintf_json(buf, size, e, flags);
 	default:
 		break;
 	}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftables PATCH 2/2] chain: json: use string to identify policy

[Alvaro Neira]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

* if we don't have hooknum we don't need to print the policy tag
* If we have hooknum, i have used the policy2str function for printing the policy with
"accept" string or "drop" string

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 src/chain.c |   66 ++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 40 insertions(+), 26 deletions(-)

diff --git a/src/chain.c b/src/chain.c
index bdbaf60..e2738d5 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -717,9 +717,24 @@ int nft_chain_parse(struct nft_chain *c, enum nft_chain_parse_type type,
 }
 EXPORT_SYMBOL(nft_chain_parse);
 
+static const char *policy2str(int policy)
+{
+	switch (policy) {
+	case NF_ACCEPT:
+		return "accept";
+	case NF_DROP:
+		return "drop";
+	default:
+		break;
+	}
+	return "unknown";
+}
+
 static int nft_chain_snprintf_json(char *buf, size_t size, struct nft_chain *c)
 {
-	return snprintf(buf, size,
+	int ret, len = size, offset = 0;
+
+	ret = snprintf(buf, size,
 		"{ \"chain\": {"
 			"\"name\": \"%s\","
 			"\"handle\": %"PRIu64","
@@ -727,20 +742,32 @@ static int nft_chain_snprintf_json(char *buf, size_t size, struct nft_chain *c)
 			"\"packets\": %"PRIu64","
 			"\"version\": %d,"
 			"\"properties\": {"
-				"\"type\" : \"%s\","
-				"\"table\" : \"%s\","
-				"\"prio\" : %d,"
-				"\"use\" : %d,"
-				"\"hooknum\" : \"%s\","
-				"\"policy\" : %d,"
-				"\"family\" : \"%s\""
+				"\"family\": \"%s\","
+				"\"table\": \"%s\","
+				"\"use\": %d",
+			c->name, c->handle, c->bytes, c->packets,
+			NFT_CHAIN_JSON_VERSION, c->table,
+			nft_family2str(c->family), c->use);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+	if (c->flags & (1 << NFT_CHAIN_ATTR_HOOKNUM)) {
+		ret =  snprintf(buf+offset, size,
+				",\"type\": \"%s\","
+				"\"hooknum\": \"%s\","
+				"\"prio\": %d,"
+				"\"policy\": \"%s\"",
+			c->type, hooknum2str_array[c->hooknum], c->prio,
+			policy2str(c->policy));
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
+	ret = snprintf(buf+offset, size,
 			"}"
 		"}"
-		"}",
-			c->name, c->handle, c->bytes, c->packets,
-			NFT_CHAIN_JSON_VERSION, c->type, c->table,
-			c->prio, c->use, hooknum2str_array[c->hooknum],
-			c->policy, nft_family2str(c->family));
+		"}");
+	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+	return offset;
 }
 
 static int nft_chain_snprintf_xml(char *buf, size_t size, struct nft_chain *c)
@@ -780,19 +807,6 @@ static int nft_chain_snprintf_xml(char *buf, size_t size, struct nft_chain *c)
 	return offset;
 }
 
-static const char *policy2str(int policy)
-{
-	switch (policy) {
-	case NF_ACCEPT:
-		return "accept";
-	case NF_DROP:
-		return "drop";
-	default:
-		break;
-	}
-	return "unknown";
-}
-
 static int nft_chain_snprintf_default(char *buf, size_t size,
 				      struct nft_chain *c)
 {

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 1/2] set: json: fix incomplete output

[Pablo Neira Ayuso]

On Mon, Jul 15, 2013 at 09:30:52PM +0200, Alvaro Neira wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> In (bf39c53 set: add json output), the json support for sets was
> incomplete:
> 
> * version, family, key_type, key_len, data_type, data_len were not included.
> * Now I use nft_data_reg_snprintf for printing the key and data

Applied, thanks Alvaro.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH 2/2] chain: json: use string to identify policy

[Pablo Neira Ayuso]

On Mon, Jul 15, 2013 at 09:31:00PM +0200, Alvaro Neira wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> * if we don't have hooknum we don't need to print the policy tag
> * If we have hooknum, i have used the policy2str function for printing the policy with
> "accept" string or "drop" string

Also applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html