* [PATCH 0/3] xtables-events segfault
From: Giuseppe Longo @ 2014-02-06 13:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Giuseppe Longo
Hi,
This patchset fixes the segfault that xtables-events hits when a rule
is added for the arp family.
I added a new function into nft-shared that will be
used to print matches and target for ip/ip6/family
and reworked a bit the code.
The function nft_arp_save_firewall isn't implemented yet,
I'll send another patch later.
Currently is not possible to print ebtables rules,
when xtables-eb is ready, I'll do it.
BR,
Giuseppe Longo (3):
nft-shared: adds save_matches_and_target
nft-arp: adds nft_arp_save_firewall
xtables-events: prints arp rules
iptables/nft-arp.c | 9 +++++++++
iptables/nft-ipv4.c | 7 +++++--
iptables/nft-ipv6.c | 7 +++++--
iptables/nft-shared.c | 35 +++++++++++++++++++++++++++++++++++
iptables/nft-shared.h | 6 +++++-
iptables/nft.c | 33 ++-------------------------------
iptables/nft.h | 2 +-
iptables/xtables-events.c | 20 +++++++++++++-------
8 files changed, 75 insertions(+), 44 deletions(-)
--
1.8.1.5
* [PATCH 1/3] nft-shared: adds save_matches_and_target
From: Giuseppe Longo @ 2014-02-06 13:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Giuseppe Longo
This patch adds a shared helper that saves (prints) the matches and target
of a rule for the ip/ip6 families (eb to follow), as required by xtables-events.
Also, generalizes nft_rule_print_save to be reused for all protocol families.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
iptables/nft-ipv4.c | 7 +++++--
iptables/nft-ipv6.c | 7 +++++--
iptables/nft-shared.c | 35 +++++++++++++++++++++++++++++++++++
iptables/nft-shared.h | 6 +++++-
iptables/nft.c | 33 ++-------------------------------
iptables/nft.h | 2 +-
6 files changed, 53 insertions(+), 37 deletions(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 1afe8b6..e18a649 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -309,9 +309,11 @@ static void save_ipv4_addr(char letter, const struct in_addr *addr,
mask_to_str(mask));
}
-static uint8_t nft_ipv4_save_firewall(const struct iptables_command_state *cs,
+static void nft_ipv4_save_firewall(const void *data,
unsigned int format)
{
+ const struct iptables_command_state *cs = data;
+
save_firewall_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
@@ -328,7 +330,8 @@ static uint8_t nft_ipv4_save_firewall(const struct iptables_command_state *cs,
save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
cs->fw.ip.invflags & IPT_INV_DSTIP);
- return cs->fw.ip.flags;
+ save_matches_and_target(cs->matches, cs->target, cs->jumpto,
+ cs->fw.ip.flags, &cs);
}
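Review bot: The last argument of the new `save_matches_and_target` call is `&cs`, the address of the local `cs` pointer variable, whereas the loop this replaces (removed from nft.c in this same series) passed `&cs->fw`, the address of the firewall entry inside the command state. The match and target save callbacks would therefore be handed a pointer to a stack slot that holds a pointer, and read it as if it were the ip entry. The call should read `save_matches_and_target(cs->matches, cs->target, cs->jumpto, cs->fw.ip.flags, &cs->fw);`.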
static void nft_ipv4_proto_parse(struct iptables_command_state *cs,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index f30cec6..4beb411 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -218,9 +218,11 @@ static void save_ipv6_addr(char letter, const struct in6_addr *addr,
printf("%s-%c %s ", invert ? "! " : "", letter, addr_str);
}
-static uint8_t nft_ipv6_save_firewall(const struct iptables_command_state *cs,
+static void nft_ipv6_save_firewall(const void *data,
unsigned int format)
{
+ const struct iptables_command_state *cs = data;
+
save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
@@ -231,7 +233,8 @@ static uint8_t nft_ipv6_save_firewall(const struct iptables_command_state *cs,
save_ipv6_addr('d', &cs->fw6.ipv6.dst,
cs->fw6.ipv6.invflags & IPT_INV_DSTIP);
- return cs->fw6.ipv6.flags;
+ save_matches_and_target(cs->matches, cs->target, cs->jumpto,
+ cs->fw6.ipv6.flags, &cs);
}
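Review bot: As in the ipv4 counterpart, `&cs` here is the address of the local pointer, not of the firewall entry, so the match and target save callbacks receive a pointer to a pointer instead of the ip6 entry. The removed code in nft.c passed `&cs->fw`, relying on the union noted in its comment; the explicit form for this family is `save_matches_and_target(cs->matches, cs->target, cs->jumpto, cs->fw6.ipv6.flags, &cs->fw6);` (`&cs->fw` is the same address if `fw` and `fw6` share a union, as that comment states, but `&cs->fw6` documents the intent).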
/* These are invalid numbers as upper layer protocol */
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 233011c..29bfab7 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -621,6 +621,41 @@ void save_firewall_details(const struct iptables_command_state *cs,
}
}
+void save_matches_and_target(struct xtables_rule_match *m,
+ struct xtables_target *target,
+ const char *jumpto,
+ uint8_t flags, void *fw)
+{
+ struct xtables_rule_match *matchp;
+
+ for (matchp = m; matchp; matchp = matchp->next) {
+ if (matchp->match->alias) {
+ printf("-m %s",
+ matchp->match->alias(matchp->match->m));
+ } else
+ printf("-m %s", matchp->match->name);
+
+ if (matchp->match->save != NULL) {
+ /* cs->fw union makes the trick */
+ matchp->match->save(&fw, matchp->match->m);
+ }
+ printf(" ");
+ }
+
+ if (target != NULL) {
+ if (target->alias) {
+ printf("-j %s", target->alias(target->t));
+ } else
+ printf("-j %s", jumpto);
+
+ if (target->save != NULL)
+ target->save(fw, target->t);
+ } else if (strlen(jumpto) > 0)
+ printf("-%c %s", flags & IPT_F_GOTO ? 'g' : 'j', jumpto);
+
+ printf("\n");
+}
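Review bot: `matchp->match->save(&fw, matchp->match->m)` passes the address of the `fw` parameter itself (a `void **`), not the firewall entry the caller handed in; the target branch a few lines below correctly passes `fw`, and the original loop passed `&cs->fw` because `cs->fw` was an lvalue there. The match call should be `matchp->match->save(fw, matchp->match->m);`. The carried-over comment `/* cs->fw union makes the trick */` no longer describes anything in this function, since `fw` is opaque here; replace it with `/* fw is the family's entry (e.g. &cs->fw) that the save callback expects */`.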
+
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format)
{
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 9df17bc..676cdca 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -49,7 +49,7 @@ struct nft_family_ops {
void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
void (*print_firewall)(struct nft_rule *r, unsigned int num,
unsigned int format);
- uint8_t (*save_firewall)(const struct iptables_command_state *cs,
+ void (*save_firewall)(const void *data,
unsigned int format);
void (*proto_parse)(struct iptables_command_state *cs,
struct xtables_args *args);
@@ -118,6 +118,10 @@ void save_firewall_details(const struct iptables_command_state *cs,
const char *outiface,
unsigned const char *outiface_mask,
unsigned int format);
+void save_matches_and_target(struct xtables_rule_match *m,
+ struct xtables_target *target,
+ const char *jumpto,
+ uint8_t flags, void *fw);
struct nft_family_ops *nft_family_ops_lookup(int family);
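Review bot: `save_matches_and_target` declares its entry argument as `void *fw`, but every caller in this series derives that pointer from a `const struct iptables_command_state *`, and the code removed from nft.c passed `&cs->fw` from a const `cs` straight to the save callbacks, so those callbacks evidently accept a const entry. Declaring the parameter `const void *fw` lets callers pass `&cs->fw` without a cast and without discarding const: `uint8_t flags, const void *fw);` (with the matching change in the definition in nft-shared.c).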
diff --git a/iptables/nft.c b/iptables/nft.c
index 8c8c026..cde2493 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1038,15 +1038,13 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
}
void
-nft_rule_print_save(const struct iptables_command_state *cs,
+nft_rule_print_save(const void *data,
struct nft_rule *r, enum nft_rule_print type,
unsigned int format)
{
const char *chain = nft_rule_attr_get_str(r, NFT_RULE_ATTR_CHAIN);
int family = nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY);
- struct xtables_rule_match *matchp;
struct nft_family_ops *ops;
- int ip_flags = 0;
/* print chain name */
switch(type) {
@@ -1059,35 +1057,8 @@ nft_rule_print_save(const struct iptables_command_state *cs,
}
ops = nft_family_ops_lookup(family);
- ip_flags = ops->save_firewall(cs, format);
-
- for (matchp = cs->matches; matchp; matchp = matchp->next) {
- if (matchp->match->alias) {
- printf("-m %s",
- matchp->match->alias(matchp->match->m));
- } else
- printf("-m %s", matchp->match->name);
-
- if (matchp->match->save != NULL) {
- /* cs->fw union makes the trick */
- matchp->match->save(&cs->fw, matchp->match->m);
- }
- printf(" ");
- }
-
- if (cs->target != NULL) {
- if (cs->target->alias) {
- printf("-j %s", cs->target->alias(cs->target->t));
- } else
- printf("-j %s", cs->jumpto);
+ ops->save_firewall(data, format);
- if (cs->target->save != NULL)
- cs->target->save(&cs->fw, cs->target->t);
- } else if (strlen(cs->jumpto) > 0)
- printf("-%c %s", ip_flags & IPT_F_GOTO ? 'g' : 'j',
- cs->jumpto);
-
- printf("\n");
}
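Review bot: The trailing `printf("\n")` that ended every saved rule is removed from this function and now lives only inside `save_matches_and_target`, so a family whose `save_firewall` does not call that helper (the arp stub added in patch 2/3 returns immediately) prints the chain prefix and no newline, and consecutive events run together on one line. Keeping the terminator here, `ops->save_firewall(data, format);` followed by `printf("\n");`, and dropping it from the helper makes line termination independent of the family callback. `nft_family_ops_lookup` is also dereferenced unchecked; whether it can return NULL for a family without ops is not visible from this hunk, but if it can, a guard is needed before the call.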
static int nft_chain_list_cb(const struct nlmsghdr *nlh, void *data)
diff --git a/iptables/nft.h b/iptables/nft.h
index 68f674e..fc380d9 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -115,7 +115,7 @@ enum nft_rule_print {
NFT_RULE_DEL,
};
-void nft_rule_print_save(const struct iptables_command_state *cs,
+void nft_rule_print_save(const void *data,
struct nft_rule *r, enum nft_rule_print type,
unsigned int format);
--
1.8.1.5
* [PATCH 2/3] nft-arp: adds nft_arp_save_firewall
From: Giuseppe Longo @ 2014-02-06 13:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Giuseppe Longo
Adds nft_arp_save_firewall to arp family.
(Avoids the segfault in xtables-events)
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
iptables/nft-arp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 1710136..bbb168d 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -570,6 +570,14 @@ after_devdst:
fputc('\n', stdout);
}
+static void nft_arp_save_firewall(const void *data,
+ unsigned int format)
+{
+ const struct arpt_entry *fw = data;
+
+ return;
+}
+
static bool nft_arp_is_same(const void *data_a,
const void *data_b)
{
@@ -643,6 +651,7 @@ struct nft_family_ops nft_family_ops_arp = {
.parse_payload = nft_arp_parse_payload,
.parse_immediate = nft_arp_parse_immediate,
.print_firewall = nft_arp_print_firewall,
+ .save_firewall = nft_arp_save_firewall,
.post_parse = NULL,
.rule_find = nft_arp_rule_find,
.parse_target = nft_arp_parse_target,
--
1.8.1.5
* [PATCH 3/3] xtables-events: prints arp rules
From: Giuseppe Longo @ 2014-02-06 13:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Giuseppe Longo
This patch lets xtables-events print arp rules, avoiding the segfault
currently hit for that family.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
iptables/xtables-events.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/iptables/xtables-events.c b/iptables/xtables-events.c
index 408e091..7ce1d4f 100644
--- a/iptables/xtables-events.c
+++ b/iptables/xtables-events.c
@@ -59,7 +59,11 @@ static bool counters;
static int rule_cb(const struct nlmsghdr *nlh, int type)
{
struct iptables_command_state cs = {};
+ struct arpt_entry fw_arp = {};
+ struct xtables_ebt_entry fw_eb = {};
struct nft_rule *r;
+ void *fw = NULL;
+ uint8_t family;
r = nft_rule_alloc();
if (r == NULL) {
@@ -72,21 +76,23 @@ static int rule_cb(const struct nlmsghdr *nlh, int type)
goto err_free;
}
- nft_rule_to_iptables_command_state(r, &cs);
-
- switch(nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY)) {
+ family = nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY);
+ switch(family) {
case AF_INET:
- printf("-4 ");
- break;
case AF_INET6:
- printf("-6 ");
+ printf("-%c ", family == AF_INET ? '4' : '6');
+ nft_rule_to_iptables_command_state(r, &cs);
+ fw = &cs;
break;
+ case NFPROTO_ARP:
+ nft_rule_to_arpt_entry(r, &fw_arp);
+ fw = &fw_arp;
default:
break;
}
- nft_rule_print_save(&cs, r,
+ nft_rule_print_save(fw, r,
type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
NFT_RULE_DEL,
counters ? 0 : FMT_NOCOUNTS);
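Review bot: In the new `switch(family)` the `NFPROTO_ARP` case has no `break` and falls into `default`, and for any other family `fw` stays NULL yet is still passed to `nft_rule_print_save(fw, …)`, which hands that NULL to the family's `save_firewall`. Terminate the arp case with `fw = &fw_arp; break;` and guard the print with `if (fw != NULL)` so unknown families skip it rather than dereference NULL (or release `r` and return, if that is what `err_free` does; its body is outside this hunk). `rule_cb` starts in the previous hunk and continues past this one.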
--
1.8.1.5
* Re: [PATCH 2/3] nft-arp: adds nft_arp_save_firewall
From: Pablo Neira Ayuso @ 2014-02-07 18:27 UTC (permalink / raw)
To: Giuseppe Longo; +Cc: netfilter-devel
Hi Giuseppe,
On Thu, Feb 06, 2014 at 02:31:10PM +0100, Giuseppe Longo wrote:
> Adds nft_arp_save_firewall to arp family.
> (Avoids the segfault in xtables-events)
>
> Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
> ---
> iptables/nft-arp.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
> index 1710136..bbb168d 100644
> --- a/iptables/nft-arp.c
> +++ b/iptables/nft-arp.c
> @@ -570,6 +570,14 @@ after_devdst:
> fputc('\n', stdout);
> }
>
> +static void nft_arp_save_firewall(const void *data,
> + unsigned int format)
> +{
> + const struct arpt_entry *fw = data;
> +
> + return;
> +}
Please rework patch 1/3 to make save_firewall optional, i.e. something
like:
...
if (ops->save_firewall)
ops->save_firewall(data, format);
Thus, you don't need this dummy function which is almost noop.
* Re: [PATCH 3/3] xtables-events: prints arp rules
From: Pablo Neira Ayuso @ 2014-02-07 18:28 UTC (permalink / raw)
To: Giuseppe Longo; +Cc: netfilter-devel
On Thu, Feb 06, 2014 at 02:31:11PM +0100, Giuseppe Longo wrote:
> This patch permits to print arp rules,
> avoiding the segfault that you got currently.
>
> Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
> ---
> iptables/xtables-events.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/iptables/xtables-events.c b/iptables/xtables-events.c
> index 408e091..7ce1d4f 100644
> --- a/iptables/xtables-events.c
> +++ b/iptables/xtables-events.c
> @@ -59,7 +59,11 @@ static bool counters;
> static int rule_cb(const struct nlmsghdr *nlh, int type)
> {
> struct iptables_command_state cs = {};
> + struct arpt_entry fw_arp = {};
> + struct xtables_ebt_entry fw_eb = {};
There is no ebt compat yet, please, remove this line above.
> struct nft_rule *r;
> + void *fw = NULL;
> + uint8_t family;
>
> r = nft_rule_alloc();
> if (r == NULL) {
> @@ -72,21 +76,23 @@ static int rule_cb(const struct nlmsghdr *nlh, int type)
> goto err_free;
> }
>
> - nft_rule_to_iptables_command_state(r, &cs);
> -
> - switch(nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY)) {
> + family = nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY);
> + switch(family) {
> case AF_INET:
> - printf("-4 ");
> - break;
> case AF_INET6:
> - printf("-6 ");
> + printf("-%c ", family == AF_INET ? '4' : '6');
> + nft_rule_to_iptables_command_state(r, &cs);
> + fw = &cs;
> break;
> + case NFPROTO_ARP:
> + nft_rule_to_arpt_entry(r, &fw_arp);
> + fw = &fw_arp;
> default:
> break;
> }
>
>
> - nft_rule_print_save(&cs, r,
> + nft_rule_print_save(fw, r,
> type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
> NFT_RULE_DEL,
> counters ? 0 : FMT_NOCOUNTS);
> --
> 1.8.1.5
>