summaryrefslogtreecommitdiffstats
path: root/iptables/xtables-config.c
Commit message (Collapse)AuthorAgeFilesLines
* nft: associate table configuration to handle via nft_initGiuseppe Longo2013-12-301-1/+1
| | | | | | | | | We need family dependent built-in table/chain configuration. This patch is a step forward making nft family independent in order to support arptables and ebtables compatibility layers. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: do not proceed if nft_init failsPablo Neira Ayuso2013-12-301-1/+5
| | | | | | | Fix a crash if nft_init fails, it happens if nfnetlink support is not available in your Linux kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: don't call nft_init in nft_xtables_config_loadPablo Neira Ayuso2013-12-301-0/+2
| | | | | | Otherwise we keep initializing the handle over and over again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: load tables and chains based on /etc/xtables.confPablo Neira Ayuso2013-12-301-72/+3
| | | | | | | | | If /etc/xtables.conf is available, use the configuration there to autoload the xtables built-in table and chain so you can define custom configurations. Otherwise, rely on default common table/chain configuration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-config: priority has to be per-chain to supportPablo Neira Ayuso2013-12-301-1/+3
| | | | | | | To support NAT table chain configuration appropriately. Modify example configuration file as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* use nf_tables and nf_tables compatibility interfacePablo Neira Ayuso2013-12-301-0/+107
This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>