From 384958620abab397062b67fb2763e813b63f74f0 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 27 Sep 2012 19:12:53 +0200
Subject: use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility
layer.

xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

Semantics aims to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
    internal state of expressions while dumping it)

-R and -E (this requires adding this feature to nf_tables)

-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get similar operation
than with iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 iptables/xtables-config.c | 107 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 iptables/xtables-config.c

(limited to 'iptables/xtables-config.c')

diff --git a/iptables/xtables-config.c b/iptables/xtables-config.c
new file mode 100644
index 00000000..16918bf6
--- /dev/null
+++ b/iptables/xtables-config.c
@@ -0,0 +1,107 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This code has been sponsored by Sophos Astaro <http://www.sophos.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <errno.h>
+
+#include <libnftables/table.h>
+#include <libnftables/chain.h>
+
+#include "xtables-multi.h"
+#include "xtables-config-parser.h"
+
+#include "nft.h"
+
+extern int xtables_config_parse(const char *filename,
+				struct nft_table_list *table_list,
+				struct nft_chain_list *chain_list);
+
+#define XTABLES_CONFIG_DEFAULT	"/etc/xtables.conf"
+
+int xtables_config_main(int argc, char *argv[])
+{
+	struct nft_table_list *table_list = nft_table_list_alloc();
+	struct nft_chain_list *chain_list = nft_chain_list_alloc();
+	struct nft_table_list_iter *titer;
+	struct nft_chain_list_iter *citer;
+	struct nft_table *table;
+	struct nft_chain *chain;
+	const char *filename = NULL;
+	struct nft_handle h;
+
+	if (argc > 2) {
+		fprintf(stderr, "Usage: %s [<config_file>]\n", argv[0]);
+		return EXIT_SUCCESS;
+	}
+	if (argc == 1)
+		filename = XTABLES_CONFIG_DEFAULT;
+	else
+		filename = argv[1];
+
+	if (xtables_config_parse(filename, table_list, chain_list) < 0) {
+		if (errno == ENOENT) {
+			fprintf(stderr, "configuration file `%s' does not "
+					"exists\n", filename);
+		} else {
+			fprintf(stderr, "Fatal error: %s\n", strerror(errno));
+		}
+		return EXIT_FAILURE;
+	}
+
+	nft_init(&h);
+
+	/* Stage 1) create tables */
+	titer = nft_table_list_iter_create(table_list);
+	while ((table = nft_table_list_iter_next(titer)) != NULL) {
+		if (nft_table_add(&h, table) < 0) {
+			if (errno == EEXIST) {
+				printf("table `%s' already exists, skipping\n",
+					(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+			} else {
+				printf("table `%s' cannot be create, reason `%s'. Exitting\n",
+					(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME),
+					strerror(errno));
+				return EXIT_FAILURE;
+			}
+			continue;
+		}
+		printf("table `%s' has been created\n",
+			(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+	}
+
+	/* Stage 2) create chains */
+	citer = nft_chain_list_iter_create(chain_list);
+	while ((chain = nft_chain_list_iter_next(citer)) != NULL) {
+		if (nft_chain_add(&h, chain) < 0) {
+			if (errno == EEXIST) {
+				printf("chain `%s' already exists in table `%s', skipping\n",
+					(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_NAME),
+					(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_TABLE));
+			} else {
+				printf("chain `%s' cannot be create, reason `%s'. Exitting\n",
+					(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_NAME),
+					strerror(errno));
+				return EXIT_FAILURE;
+			}
+			continue;
+		}
+
+		printf("chain `%s' in table `%s' has been created\n",
+			(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_NAME),
+			(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_TABLE));
+	}
+
+	return EXIT_SUCCESS;
+}
-- 
cgit v1.2.3