use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility
layer.

xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

Semantics aims to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
    internal state of expressions while dumping it)

-R and -E (this requires adding this feature to nf_tables)

-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get similar operation
than with iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 80 insertions, 0 deletions

diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
new file mode 100644
index 00000000..f746c902
--- /dev/null
+++ b/iptables/xtables-standalone.c
@@ -0,0 +1,80 @@
+/*
+ * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au
+ *
+ * Based on the ipchains code by Paul Russell and Michael Neuling
+ *
+ * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
+ * 		    Paul 'Rusty' Russell <rusty@rustcorp.com.au>
+ * 		    Marc Boucher <marc+nf@mbsi.ca>
+ * 		    James Morris <jmorris@intercode.com.au>
+ * 		    Harald Welte <laforge@gnumonks.org>
+ * 		    Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ *	iptables -- IP firewall administration for kernels with
+ *	firewall table (aimed for the 2.3 kernels)
+ *
+ *	See the accompanying manual page iptables(8) for information
+ *	about proper usage of this program.
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <iptables.h>
+#include "xtables-multi.h"
+#include "nft.h"
+
+int
+xtables_main(int argc, char *argv[])
+{
+	int ret;
+	char *table = "filter";
+	struct nft_handle h;
+
+	iptables_globals.program_name = "xtables";
+	ret = xtables_init_all(&xtables_globals, NFPROTO_IPV4);
+	if (ret < 0) {
+		fprintf(stderr, "%s/%s Failed to initialize xtables\n",
+				iptables_globals.program_name,
+				iptables_globals.program_version);
+				exit(1);
+	}
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+	init_extensions();
+	init_extensions4();
+#endif
+
+	nft_init(&h);
+
+	ret = do_commandx(&h, argc, argv, &table);
+	if (!ret) {
+		if (errno == EINVAL) {
+			fprintf(stderr, "iptables: %s. "
+					"Run `dmesg' for more information.\n",
+				nft_strerror(errno));
+		} else {
+			fprintf(stderr, "iptables: %s.\n",
+				nft_strerror(errno));
+		}
+		if (errno == EAGAIN) {
+			exit(RESOURCE_PROBLEM);
+		}
+	}
+
+	exit(!ret);
+}