From patchwork Wed May 15 10:19:02 2013
X-Patchwork-Submitter: Arturo Borrero
X-Patchwork-Id: 243966
Subject: [libnftables PATCH] examples: XML parsing examples
From: Arturo Borrero
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Date: Wed, 15 May 2013 12:19:02 +0200
Message-ID: <20130515101902.3787.99657.stgit@nfdev.cica.es>
User-Agent: StGit/0.15

Some code snippets to add tables/chains/rules using the XML representation.

The examples contain:
 * A binary to parse/add the object using libnftables.
 * A shell script to easily call that binary, doing some tests.

I included my name in new files, but I don't know if this is correct. Please let me know.

Instructions:

$ make nft-table-xml-add
# ./nft-table-xml-add.sh

Signed-off-by: Arturo Borrero Gonzalez
---
 examples/Makefile.am          |   48 ++++++++++------
 examples/nft-chain-xml-add.c  |   92 +++++++++++++++++++++++++++++++
 examples/nft-chain-xml-add.sh |  104 +++++++++++++++++++++++++++++++++++
 examples/nft-rule-xml-add.c   |   90 ++++++++++++++++++++++++++++++
 examples/nft-rule-xml-add.sh  |  122 +++++++++++++++++++++++++++++++++++++++++
 examples/nft-table-xml-add.c  |   93 +++++++++++++++++++++++++++++++
 examples/nft-table-xml-add.sh |   88 ++++++++++++++++++++++++++++++
 7 files changed, 619 insertions(+), 18 deletions(-)
 create mode 100644 examples/nft-chain-xml-add.c
 create mode 100755 examples/nft-chain-xml-add.sh
 create mode 100644 examples/nft-rule-xml-add.c
 create mode 100755 examples/nft-rule-xml-add.sh
 create mode 100644 examples/nft-table-xml-add.c
 create mode 100755 examples/nft-table-xml-add.sh

diff --git a/examples/Makefile.am b/examples/Makefile.am
index 1c39e12..dcf798a 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -1,13 +1,16 @@ include $(top_srcdir)/Make_global.am check_PROGRAMS = nft-table-add \ + nft-table-xml-add \ nft-table-upd \ nft-table-del \ nft-table-get \ nft-chain-add \ + nft-chain-xml-add \ nft-chain-del \ nft-chain-get \ nft-rule-add \ + nft-rule-xml-add \ nft-rule-del \ nft-rule-get \ nft-events \ 
@@ -20,55 +23,64 @@ check_PROGRAMS = nft-table-add \ nft-compat-get nft_table_add_SOURCES = nft-table-add.c -nft_table_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} + +nft_table_xml_add_SOURCES = nft-table-xml-add.c +nft_table_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_table_upd_SOURCES = nft-table-upd.c -nft_table_upd_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_upd_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_table_del_SOURCES = nft-table-del.c -nft_table_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_table_get_SOURCES = nft-table-get.c -nft_table_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_table_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_chain_add_SOURCES = nft-chain-add.c -nft_chain_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} + +nft_chain_xml_add_SOURCES = nft-chain-xml-add.c +nft_chain_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_chain_del_SOURCES = nft-chain-del.c -nft_chain_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_chain_get_SOURCES = nft-chain-get.c -nft_chain_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_chain_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_rule_add_SOURCES = nft-rule-add.c -nft_rule_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} + +nft_rule_xml_add_SOURCES = nft-rule-xml-add.c +nft_rule_xml_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_rule_del_SOURCES = nft-rule-del.c -nft_rule_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_del_LDADD = ../src/libnftables.la 
${LIBMNL_LIBS} ${LIBXML_LIBS} nft_rule_get_SOURCES = nft-rule-get.c -nft_rule_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_rule_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_events_SOURCES = nft-events.c -nft_events_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_events_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_set_add_SOURCES = nft-set-add.c -nft_set_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_set_del_SOURCES = nft-set-del.c -nft_set_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_set_get_SOURCES = nft-set-get.c -nft_set_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_set_elem_add_SOURCES = nft-set-elem-add.c -nft_set_elem_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_elem_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_set_elem_del_SOURCES = nft-set-elem-del.c -nft_set_elem_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_elem_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_set_elem_get_SOURCES = nft-set-elem-get.c -nft_set_elem_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_set_elem_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} nft_compat_get_SOURCES = nft-compat-get.c -nft_compat_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} +nft_compat_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS} diff --git a/examples/nft-chain-xml-add.c b/examples/nft-chain-xml-add.c new file mode 100644 index 0000000..f06cab4 --- /dev/null +++ b/examples/nft-chain-xml-add.c 
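Review bot: In the examples/Makefile.am LDADD hunk, ${LIBXML_LIBS} is appended to the LDADD of every existing example (nft-table-add, nft-table-upd, nft-events, the nft-set-* programs, nft-compat-get, and so on) although only the three new nft-*-xml-add programs parse XML, so all the old examples gain a libxml2 link dependency for nothing. Suggest adding ${LIBXML_LIBS} only to nft_table_xml_add_LDADD, nft_chain_xml_add_LDADD and nft_rule_xml_add_LDADD, or, if the XML dependency lives inside libnftables, recording it in the library's own link flags so the examples do not need it at all; either way the hunk shrinks to the three new stanzas.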
@@ -0,0 +1,92 @@ +/* + * 2013 by Arturo Borrero Gonzalez + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include + +#include +#include + +#include +#include +#include + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq; + struct nft_chain *c = NULL; + int ret; + uint16_t family; + + if (argc < 2) { + printf("Usage: %s \"\"\n", argv[0]); + exit(EXIT_FAILURE); + } + + char *xml = argv[1]; + + c = nft_chain_alloc(); + if (c == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + if (nft_chain_parse(c, NFT_CHAIN_PARSE_XML, xml) < 0) { + printf("E: Unable to parse given XML.\n"); + perror("error"); + exit(EXIT_FAILURE); + } + + family = (uint16_t)nft_chain_attr_get_u32(c, NFT_CHAIN_ATTR_FAMILY); + + seq = time(NULL); + nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, family, + NLM_F_ACK, seq); + nft_chain_nlmsg_build_payload(nlh, c); + nft_chain_free(c); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + return EXIT_SUCCESS; +} 
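Review bot: In nft-chain-xml-add.c, the parse-failure path calls perror("error") right after nft_chain_parse() returns < 0, but nothing in the hunk shows that the parser sets errno, so this can print a stale or misleading message; either drop the perror() or print the offending XML instead, and call nft_chain_free(c) before exiting on that path. Also the header comment reads "2013 by Arturo Borrero Gonzalez" while the .sh files in this series use "(C) 2013 by ..."; pick one form for all the new files (this also answers the cover letter's question: a name and year in a license header is the usual practice in this tree).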
diff --git a/examples/nft-chain-xml-add.sh b/examples/nft-chain-xml-add.sh new file mode 100755 index 0000000..4436786 --- /dev/null +++ b/examples/nft-chain-xml-add.sh @@ -0,0 +1,104 @@ +#!/bin/bash + +# +# (C) 2013 by Arturo Borrero Gonzalez +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# + +# This is a small testbench for adding nftables chains to kernel +# in XML format. + +BINARY="./nft-chain-xml-add" +NFT="$( which nft )" +if [ ! -x "$BINARY" ] ; then + echo "E: Binary not found $BINARY" + exit 1 +fi +[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT" + +XML=" + + filter + filter
+ 0 + 0 + 2 + 1 + 2 +
+
" + +$NFT delete chain ip filter test1 2>/dev/null >&2 +if ! $BINARY "$XML" ; then + echo "E: Unable to add XML:" + echo "$XML" + exit 1 +fi + +echo "I: Added XML:" +echo "$XML" + +# This is valid (as long as the table exist) +XML=" + + filter + filter
+ 1 + 0 + 4 + 1 + 10 +
+
" + +$NFT delete chain ip6 filter test2 2>/dev/null >&2 +if ! $BINARY "$XML" ; then + echo "E: Unable to add XML:" + echo "$XML" + exit 1 +fi + +# This is valid (as long as the table exist) +XML=" + + filter + filter
+ 0 + 0 + 4 + 1 + 2 +
+
" + +if ! $BINARY "$XML" ; then + echo "E: Unable to add XML:" + echo "$XML" + exit 1 +fi + +# This is invalid +XML=" + + asdasd + filter + filter
+ asdasd + asdasd + asdasd + asdasd + asdasd +
+
" + +if $BINARY "$XML" 2>/dev/null; then + echo "E: Accepted invalid XML:" + echo "$XML" + exit 1 +fi + +echo "I: The test ended succefully" diff --git a/examples/nft-rule-xml-add.c b/examples/nft-rule-xml-add.c new file mode 100644 index 0000000..4d2e787 --- /dev/null +++ b/examples/nft-rule-xml-add.c 
@@ -0,0 +1,90 @@ +/* + * 2013 by Arturo Borrero Gonzalez + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include /* for offsetof */ +#include +#include + +#include +#include + +#include +#include + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq; + struct nft_rule *r = NULL; + int ret; + uint8_t family; + + if (argc < 2) { + printf("Usage: %s \n", argv[0]); + exit(EXIT_FAILURE); + } + + char *xml = argv[1]; + + r = nft_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + if (nft_rule_parse(r, NFT_RULE_PARSE_XML, xml) < 0) { + printf("E: Unable to parse the XML\n"); + exit(EXIT_FAILURE); + } + + family = nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY); + + seq = time(NULL); + nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, family, + NLM_F_APPEND|NLM_F_ACK, seq); + nft_rule_nlmsg_build_payload(nlh, r); + nft_rule_free(r); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} 
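Review bot: In nft-rule-xml-add.c, the include annotated `/* for offsetof */` is left over: offsetof is not used anywhere in this file, so the include and its comment should go. The family is read with nft_rule_attr_get_u8(r, NFT_RULE_ATTR_FAMILY) into a uint8_t, whereas nft-chain-xml-add.c and nft-table-xml-add.c use nft_*_attr_get_u32() cast to uint16_t; please confirm which accessor the library defines for the rule family attribute and use the same pattern in all three examples. As in the other two programs, the parse-failure path exits without nft_rule_free(r).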
diff --git a/examples/nft-rule-xml-add.sh b/examples/nft-rule-xml-add.sh new file mode 100755 index 0000000..4e85abd --- /dev/null +++ b/examples/nft-rule-xml-add.sh @@ -0,0 +1,122 @@ +#!/bin/bash + +# +# (C) 2013 by Arturo Borrero Gonzalez +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. + +# This is a small testbench for adding nftables rules to kernel +# in XML format. + +BINARY="./nft-rule-xml-add" +NFT="$( which nft )" +if [ ! -x "$BINARY" ] ; then + echo "E: Binary not found $BINARY" + exit 1 +fi +[ ! -x "$NFT" ] && echo "W: nftables main binary not found but continuing anyway $NFT" + +XML=" + 0 + 127 + 0 + 0 + + 1 + 4 + + + 1 + eq + + + 1 + 0x04000000 + + + + + 1 + 1 + 12 + 4 + + + 1 + eq + + + 1 + 0x96d60496 + + + + + 1 + 1 + 16 + 4 + + + 1 + eq + + + 1 + 0x96d60329 + + + + + 1 + 1 + 9 + 1 + + + 1 + eq + + + 1 + 0x06000000 + + + + + state + 0 + + + + + 123123 + 321321 + + + LOG + 0 + + + +" + +$NFT add table filter 2>/dev/null >&2 +$NFT add chain filter INPUT 2>/dev/null >&2 + +if ! $BINARY "$XML" ; then + echo "E: Unable to add XML:" +# echo "$XML" + exit 1 +fi + +echo "I: Added XML:" +#echo "$XML" + +echo "I: The test ended succefully" + + + diff --git a/examples/nft-table-xml-add.c b/examples/nft-table-xml-add.c new file mode 100644 index 0000000..5baf6cd --- /dev/null +++ b/examples/nft-table-xml-add.c 
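Review bot: In nft-rule-xml-add.sh, the `echo "$XML"` lines in both the failure and success paths are commented out, so a failed run prints only "E: Unable to add XML:" with nothing after the colon; either print the XML as the chain and table scripts do or change the message. The script depends on `$NFT add table filter` and `$NFT add chain filter INPUT` succeeding, but when nft is not installed $NFT is empty, those lines become a bare `add` command whose error is discarded by 2>/dev/null, and the later rule add into a non-existent chain fails with no hint why; a warning is not enough here, exit early when $NFT is missing since this test cannot pass without it. Also "succefully" should be "successfully", and the file ends with several blank lines after the last echo.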
@@ -0,0 +1,93 @@ +/* + * 2013 by Arturo Borrero Gonzalez + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include + +#include + +#include +#include + +extern struct nft_table nft_table; + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq; + struct nft_table *t = NULL; + int ret; + uint16_t family; + char *xml; + + if (argc < 2) { + printf("Usage: %s \"\"\n", argv[0]); + exit(EXIT_FAILURE); + } + + xml = argv[1]; + + t = nft_table_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + /* Parsing XML now */ + if (nft_table_parse(t, NFT_TABLE_PARSE_XML, xml) < 0) { + printf("E: Unable to parse the XML.\n"); + perror("error"); + exit(EXIT_FAILURE); + } + + family = (uint16_t)nft_table_attr_get_u32(t, NFT_TABLE_ATTR_FAMILY); + + seq = time(NULL); + + nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, family, + NLM_F_ACK, seq); + nft_table_nlmsg_build_payload(nlh, t); + nft_table_free(t); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} 
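Review bot: In nft-table-xml-add.c, `extern struct nft_table nft_table;` declares a global object that is never referenced in this file and, as far as the patch shows, is not something libnftables exports; remove it. The parse-failure path has the same problem as nft-chain-xml-add.c: perror("error") follows nft_table_parse() without anything showing that the parser sets errno, and the table is not freed before exit. The `/* Parsing XML now */` comment only restates the next line and can be dropped.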
diff --git a/examples/nft-table-xml-add.sh b/examples/nft-table-xml-add.sh new file mode 100755 index 0000000..55a44f5 --- /dev/null +++ b/examples/nft-table-xml-add.sh @@ -0,0 +1,88 @@ +#!/bin/bash + +# +# (C) 2013 by Arturo Borrero Gonzalez +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# + +# This is a small testbench for adding nftables tables to kernel +# in XML format. + +BINARY="./nft-table-xml-add" +NFT="$( which nft )" + +if [ ! -x "$BINARY" ] ; then + echo "E: Binary not found $BINARY" + exit 1 +fi + +if [ ! -x "$NFT" ] ; then + echo "W: nftables main binary not found but continuing anyway $NFT" +fi + +# This is valid +XML=" + + 2 + 0 + +
" + +# Delete +$NFT delete table filter_test 2>/dev/null >&2 + +# Add +if ! $BINARY "$XML" ; then + echo "E: Unable to add XML:" + echo "$XML" + exit 1 +fi + +echo "I: Added XML:" +echo "$XML" + +# This is valid +XML=" + + 10 + 0 + +
" + +# Delete +$NFT delete table filter6_test 2>/dev/null >&2 + +# Add +if ! $BINARY "$XML" ; then + echo "E: Unable to add XML:" + echo "$XML" + exit 1 +fi + +echo "I: Added XML:" +echo "$XML" + +# This is invalid +XML=" + + 4 + 5asd + 013ax4<123/table_flags> + +" + +if $BINARY "$XML" 2>/dev/null; then + echo "E: Accepted invalid XML:" + echo "$XML" + exit 1 +fi + +echo "I: Not added XML:" +echo "$XML" + + +echo "I: This test was succefully."