libnftnl  1.0.2
data_reg.c
1 /*
2  * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published
6  * by the Free Software Foundation; either version 2 of the License, or
7  * (at your option) any later version.
8  *
9  * This code has been sponsored by Sophos Astaro <http://www.sophos.com>
10  */
11 
12 #include <stdio.h>
13 #include <stdint.h>
14 #include <string.h>
15 #include <limits.h>
16 #include <arpa/inet.h>
17 #include <errno.h>
18 #include <netinet/in.h>
19 
20 #include <libmnl/libmnl.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/nf_tables.h>
23 #include <libnftnl/expr.h>
24 #include <libnftnl/rule.h>
25 #include "expr_ops.h"
26 #include "data_reg.h"
27 #include "internal.h"
28 
29 #ifdef JSON_PARSING
30 static int nft_data_reg_verdict_json_parse(union nft_data_reg *reg, json_t *data,
31  struct nft_parse_err *err)
32 {
33  int verdict;
34  const char *verdict_str;
35  const char *chain;
36 
37  verdict_str = nft_jansson_parse_str(data, "verdict", err);
38  if (verdict_str == NULL)
39  return DATA_NONE;
40 
41  if (nft_str2verdict(verdict_str, &verdict) != 0) {
42  err->node_name = "verdict";
43  err->error = NFT_PARSE_EBADTYPE;
44  errno = EINVAL;
45  return -1;
46  }
47 
48  reg->verdict = (uint32_t)verdict;
49 
50  if (nft_jansson_node_exist(data, "chain")) {
51  chain = nft_jansson_parse_str(data, "chain", err);
52  if (chain == NULL)
53  return DATA_NONE;
54 
55  reg->chain = strdup(chain);
56  }
57 
58  return DATA_VERDICT;
59 }
60 
61 static int nft_data_reg_value_json_parse(union nft_data_reg *reg, json_t *data,
62  struct nft_parse_err *err)
63 {
64  int i;
65  char node_name[6];
66 
67  if (nft_jansson_parse_val(data, "len", NFT_TYPE_U8, &reg->len, err) < 0)
68  return DATA_NONE;
69 
70  for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
71  sprintf(node_name, "data%d", i);
72 
73  if (nft_jansson_str2num(data, node_name, BASE_HEX,
74  &reg->val[i], NFT_TYPE_U32, err) != 0)
75  return DATA_NONE;
76  }
77 
78  return DATA_VALUE;
79 }
80 #endif
81 
82 int nft_data_reg_json_parse(union nft_data_reg *reg, json_t *data,
83  struct nft_parse_err *err)
84 {
85 #ifdef JSON_PARSING
86 
87  const char *type;
88 
89  type = nft_jansson_parse_str(data, "type", err);
90  if (type == NULL)
91  return -1;
92 
93  /* Select what type of parsing is needed */
94  if (strcmp(type, "value") == 0)
95  return nft_data_reg_value_json_parse(reg, data, err);
96  else if (strcmp(type, "verdict") == 0)
97  return nft_data_reg_verdict_json_parse(reg, data, err);
98 
99  return DATA_NONE;
100 #else
101  errno = EOPNOTSUPP;
102  return -1;
103 #endif
104 }
105 
106 #ifdef XML_PARSING
107 static int nft_data_reg_verdict_xml_parse(union nft_data_reg *reg,
108  mxml_node_t *tree,
109  struct nft_parse_err *err)
110 {
111  int verdict;
112  const char *verdict_str;
113  const char *chain;
114 
115  verdict_str = nft_mxml_str_parse(tree, "verdict", MXML_DESCEND_FIRST,
116  NFT_XML_MAND, err);
117  if (verdict_str == NULL)
118  return DATA_NONE;
119 
120  if (nft_str2verdict(verdict_str, &verdict) != 0) {
121  err->node_name = "verdict";
122  err->error = NFT_PARSE_EBADTYPE;
123  errno = EINVAL;
124  return DATA_NONE;
125  }
126 
127  reg->verdict = (uint32_t)verdict;
128 
129  chain = nft_mxml_str_parse(tree, "chain", MXML_DESCEND_FIRST,
130  NFT_XML_OPT, err);
131  if (chain != NULL) {
132  if (reg->chain)
133  xfree(reg->chain);
134 
135  reg->chain = strdup(chain);
136  }
137 
138  return DATA_VERDICT;
139 }
140 
141 static int nft_data_reg_value_xml_parse(union nft_data_reg *reg,
142  mxml_node_t *tree,
143  struct nft_parse_err *err)
144 {
145  int i;
146  char node_name[6];
147 
148  /*
149  * <data_reg type="value">
150  * <len>16</len>
151  * <data0>0xc09a002a</data0>
152  * <data1>0x2700cac1</data1>
153  * <data2>0x00000000</data2>
154  * <data3>0x08000000</data3>
155  * </data_reg>
156  */
157 
158  if (nft_mxml_num_parse(tree, "len", MXML_DESCEND_FIRST, BASE_DEC,
159  &reg->len, NFT_TYPE_U8, NFT_XML_MAND, err) != 0)
160  return DATA_NONE;
161 
162  /* Get and set <dataN> */
163  for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
164  sprintf(node_name, "data%d", i);
165 
166  if (nft_mxml_num_parse(tree, node_name, MXML_DESCEND_FIRST,
167  BASE_HEX, &reg->val[i], NFT_TYPE_U32,
168  NFT_XML_MAND, err) != 0)
169  return DATA_NONE;
170  }
171 
172  return DATA_VALUE;
173 }
174 #endif
175 
176 int nft_data_reg_xml_parse(union nft_data_reg *reg, mxml_node_t *tree,
177  struct nft_parse_err *err)
178 {
179 #ifdef XML_PARSING
180  const char *type;
181  mxml_node_t *node;
182 
183  node = mxmlFindElement(tree, tree, "data_reg", "type", NULL,
184  MXML_DESCEND_FIRST);
185  if (node == NULL)
186  goto err;
187 
188  type = mxmlElementGetAttr(node, "type");
189 
190  if (type == NULL)
191  goto err;
192 
193  if (strcmp(type, "value") == 0)
194  return nft_data_reg_value_xml_parse(reg, node, err);
195  else if (strcmp(type, "verdict") == 0)
196  return nft_data_reg_verdict_xml_parse(reg, node, err);
197 
198  return DATA_NONE;
199 err:
200  errno = EINVAL;
201  err->node_name = "data_reg";
202  err->error = NFT_PARSE_EMISSINGNODE;
203  return DATA_NONE;
204 #else
205  errno = EOPNOTSUPP;
206  return -1;
207 #endif
208 }
209 
210 static int
211 nft_data_reg_value_snprintf_json(char *buf, size_t size,
212  union nft_data_reg *reg,
213  uint32_t flags)
214 {
215  int len = size, offset = 0, ret, i, j;
216  uint32_t utemp;
217  uint8_t *tmp;
218 
219  ret = snprintf(buf, len, "\"data_reg\":{\"type\":\"value\",");
220  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
221 
222  ret = snprintf(buf+offset, len, "\"len\":%u,", reg->len);
223  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
224 
225  for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
226  ret = snprintf(buf+offset, len, "\"data%d\":\"0x", i);
227  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
228 
229  utemp = htonl(reg->val[i]);
230  tmp = (uint8_t *)&utemp;
231 
232  for (j = 0; j<sizeof(uint32_t); j++) {
233  ret = snprintf(buf+offset, len, "%.02x", tmp[j]);
234  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
235  }
236 
237  ret = snprintf(buf+offset, len, "\",");
238  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
239  }
240  offset--;
241  ret = snprintf(buf+offset, len, "}");
242  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
243 
244  return offset;
245 }
246 
247 static
248 int nft_data_reg_value_snprintf_xml(char *buf, size_t size,
249  union nft_data_reg *reg, uint32_t flags)
250 {
251  int len = size, offset = 0, ret, i, j;
252  uint32_t be;
253  uint8_t *tmp;
254 
255  ret = snprintf(buf, len, "<data_reg type=\"value\">");
256  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
257 
258  ret = snprintf(buf+offset, len, "<len>%u</len>", reg->len);
259  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
260 
261  for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
262  ret = snprintf(buf+offset, len, "<data%d>0x", i);
263  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
264 
265  be = htonl(reg->val[i]);
266  tmp = (uint8_t *)&be;
267 
268  for (j = 0; j < sizeof(uint32_t); j++) {
269  ret = snprintf(buf+offset, len, "%.02x", tmp[j]);
270  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
271  }
272 
273  ret = snprintf(buf+offset, len, "</data%d>", i);
274  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
275  }
276 
277  ret = snprintf(buf+offset, len, "</data_reg>");
278  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
279 
280  return offset;
281 }
282 
283 static int
284 nft_data_reg_value_snprintf_default(char *buf, size_t size,
285  union nft_data_reg *reg, uint32_t flags)
286 {
287  int len = size, offset = 0, ret, i;
288 
289  for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
290  ret = snprintf(buf+offset, len, "0x%.8x ", reg->val[i]);
291  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
292  }
293 
294  return offset;
295 }
296 
297 static int
298 nft_data_reg_verdict_snprintf_def(char *buf, size_t size,
299  union nft_data_reg *reg, uint32_t flags)
300 {
301  int len = size, offset = 0, ret = 0;
302 
303  ret = snprintf(buf, size, "%s ", nft_verdict2str(reg->verdict));
304  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
305 
306  if (reg->chain != NULL) {
307  ret = snprintf(buf+offset, len, "-> %s ", reg->chain);
308  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
309  }
310 
311  return offset;
312 }
313 
314 static int
315 nft_data_reg_verdict_snprintf_xml(char *buf, size_t size,
316  union nft_data_reg *reg, uint32_t flags)
317 {
318  int len = size, offset = 0, ret = 0;
319 
320  ret = snprintf(buf, size, "<data_reg type=\"verdict\">"
321  "<verdict>%s</verdict>", nft_verdict2str(reg->verdict));
322  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
323 
324  if (reg->chain != NULL) {
325  ret = snprintf(buf+offset, len, "<chain>%s</chain>",
326  reg->chain);
327  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
328  }
329 
330  ret = snprintf(buf+offset, len, "</data_reg>");
331  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
332 
333  return offset;
334 }
335 
336 static int
337 nft_data_reg_verdict_snprintf_json(char *buf, size_t size,
338  union nft_data_reg *reg, uint32_t flags)
339 {
340  int len = size, offset = 0, ret = 0;
341 
342  ret = snprintf(buf, size, "\"data_reg\":{\"type\":\"verdict\","
343  "\"verdict\":\"%s\"", nft_verdict2str(reg->verdict));
344  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
345 
346  if (reg->chain != NULL) {
347  ret = snprintf(buf+offset, len, ",\"chain\":\"%s\"",
348  reg->chain);
349  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
350  }
351 
352  ret = snprintf(buf+offset, len, "}");
353  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
354 
355  return offset;
356 }
357 
358 int nft_data_reg_snprintf(char *buf, size_t size, union nft_data_reg *reg,
359  uint32_t output_format, uint32_t flags, int reg_type)
360 {
361  switch(reg_type) {
362  case DATA_VALUE:
363  switch(output_format) {
364  case NFT_OUTPUT_DEFAULT:
365  return nft_data_reg_value_snprintf_default(buf, size,
366  reg, flags);
367  case NFT_OUTPUT_XML:
368  return nft_data_reg_value_snprintf_xml(buf, size,
369  reg, flags);
370  case NFT_OUTPUT_JSON:
371  return nft_data_reg_value_snprintf_json(buf, size,
372  reg, flags);
373  default:
374  break;
375  }
376  case DATA_VERDICT:
377  case DATA_CHAIN:
378  switch(output_format) {
379  case NFT_OUTPUT_DEFAULT:
380  return nft_data_reg_verdict_snprintf_def(buf, size,
381  reg, flags);
382  case NFT_OUTPUT_XML:
383  return nft_data_reg_verdict_snprintf_xml(buf, size,
384  reg, flags);
385  case NFT_OUTPUT_JSON:
386  return nft_data_reg_verdict_snprintf_json(buf, size,
387  reg, flags);
388  default:
389  break;
390  }
391  default:
392  break;
393  }
394 
395  return -1;
396 }
397 
398 static int nft_data_parse_cb(const struct nlattr *attr, void *data)
399 {
400  const struct nlattr **tb = data;
401  int type = mnl_attr_get_type(attr);
402 
403  if (mnl_attr_type_valid(attr, NFTA_DATA_MAX) < 0)
404  return MNL_CB_OK;
405 
406  switch(type) {
407  case NFTA_DATA_VALUE:
408  if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) {
409  perror("mnl_attr_validate");
410  return MNL_CB_ERROR;
411  }
412  break;
413  case NFTA_DATA_VERDICT:
414  if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0) {
415  perror("mnl_attr_validate");
416  return MNL_CB_ERROR;
417  }
418  break;
419  }
420  tb[type] = attr;
421  return MNL_CB_OK;
422 }
423 
424 static int nft_verdict_parse_cb(const struct nlattr *attr, void *data)
425 {
426  const struct nlattr **tb = data;
427  int type = mnl_attr_get_type(attr);
428 
429  if (mnl_attr_type_valid(attr, NFTA_VERDICT_MAX) < 0)
430  return MNL_CB_OK;
431 
432  switch(type) {
433  case NFTA_VERDICT_CODE:
434  if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
435  perror("mnl_attr_validate");
436  return MNL_CB_ERROR;
437  }
438  break;
439  case NFTA_VERDICT_CHAIN:
440  if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) {
441  perror("mnl_attr_validate");
442  return MNL_CB_ERROR;
443  }
444  break;
445  }
446  tb[type] = attr;
447  return MNL_CB_OK;
448 }
449 
450 static int
451 nft_parse_verdict(union nft_data_reg *data, const struct nlattr *attr, int *type)
452 {
453  struct nlattr *tb[NFTA_VERDICT_MAX+1];
454 
455  if (mnl_attr_parse_nested(attr, nft_verdict_parse_cb, tb) < 0) {
456  perror("mnl_attr_parse_nested");
457  return -1;
458  }
459 
460  if (!tb[NFTA_VERDICT_CODE])
461  return -1;
462 
463  data->verdict = ntohl(mnl_attr_get_u32(tb[NFTA_VERDICT_CODE]));
464 
465  switch(data->verdict) {
466  case NF_ACCEPT:
467  case NF_DROP:
468  case NF_QUEUE:
469  case NFT_CONTINUE:
470  case NFT_BREAK:
471  case NFT_RETURN:
472  if (type)
473  *type = DATA_VERDICT;
474  data->len = sizeof(data->verdict);
475  break;
476  case NFT_JUMP:
477  case NFT_GOTO:
478  if (!tb[NFTA_VERDICT_CHAIN])
479  return -1;
480 
481  data->chain = strdup(mnl_attr_get_str(tb[NFTA_VERDICT_CHAIN]));
482  if (type)
483  *type = DATA_CHAIN;
484  break;
485  default:
486  return -1;
487  }
488 
489  return 0;
490 }
491 
492 static int
493 __nft_parse_data(union nft_data_reg *data, const struct nlattr *attr)
494 {
495  void *orig = mnl_attr_get_payload(attr);
496  uint32_t data_len = mnl_attr_get_payload_len(attr);
497 
498  if (data_len == 0)
499  return -1;
500 
501  if (data_len > sizeof(uint32_t) * 4)
502  return -1;
503 
504  memcpy(data->val, orig, data_len);
505  data->len = data_len;
506 
507  return 0;
508 }
509 
510 int nft_parse_data(union nft_data_reg *data, struct nlattr *attr, int *type)
511 {
512  struct nlattr *tb[NFTA_DATA_MAX+1] = {};
513  int ret = 0;
514 
515  if (mnl_attr_parse_nested(attr, nft_data_parse_cb, tb) < 0) {
516  perror("mnl_attr_parse_nested");
517  return -1;
518  }
519  if (tb[NFTA_DATA_VALUE]) {
520  if (type)
521  *type = DATA_VALUE;
522 
523  ret = __nft_parse_data(data, tb[NFTA_DATA_VALUE]);
524  if (ret < 0)
525  return ret;
526  }
527  if (tb[NFTA_DATA_VERDICT])
528  ret = nft_parse_verdict(data, tb[NFTA_DATA_VERDICT], type);
529 
530  return ret;
531 }
532