From afae1f841bc2c4b39a38fa97d271f3877d00bf3a Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Fri, 26 Jul 2013 13:05:15 +0200
Subject: nft: associate table configuration to handle via nft_init

We need family dependent built-in table/chain configuration.

This patch is a step forward making nft family independent in order to support arptables and ebtables compatibility layers.

Signed-off-by: Giuseppe Longo
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft.c | 35 ++++++++++-------------------------
 iptables/nft.h | 24 +++++++++++++++++++++++-
 iptables/xtables-config.c | 2 +-
 iptables/xtables-restore.c | 2 +-
 iptables/xtables-save.c | 2 +-
 iptables/xtables-standalone.c | 2 +-
 6 files changed, 37 insertions(+), 30 deletions(-)
(limited to 'iptables')
diff --git a/iptables/nft.c b/iptables/nft.c
index 9a857b9e..68fc1539 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -80,24 +80,7 @@ static int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
 return 0;
 }
-#define FILTER 0
-#define MANGLE 1
-#define RAW 2
-#define SECURITY 3
-#define NAT 4
-#define TABLES_MAX 5
-
-struct builtin_chain {
- const char *name;
- const char *type;
- uint32_t prio;
- uint32_t hook;
-};
-
-static struct builtin_table {
- const char *name;
- struct builtin_chain chains[NF_INET_NUMHOOKS];
-} tables[TABLES_MAX] = {
+struct builtin_table xtables_ipv4[TABLES_MAX] = {
 [RAW] = {
 .name = "raw",
 .chains = {
@@ -305,20 +288,21 @@ nft_chain_builtin_add(struct nft_handle *h, struct builtin_table *table,
 }
 /* find if built-in table already exists */
-static struct builtin_table *nft_table_builtin_find(const char *table)
+static struct builtin_table
+*nft_table_builtin_find(struct nft_handle *h, const char *table)
 {
 int i;
 bool found = false;
 for (i=0; itables[i].name, table) != 0) continue;
 found = true;
 break;
 }
- return found ? &tables[i] : NULL;
+ return found ? &h->tables[i] : NULL;
 }
 /* find if built-in chain already exists */
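Review bot: `xtables_ipv4` becomes an exported, writable definition at the `+struct builtin_table xtables_ipv4[TABLES_MAX] = {` line, but nothing states the layout that nft_table_builtin_find later in this file depends on: exactly TABLES_MAX slots, indexed by the FILTER..NAT macros, filled by designated initializers. The commit message anticipates further family arrays for arptables and ebtables, so that contract is worth writing down where the first one is defined; I'd put `/* Built-in IPv4 tables, indexed by FILTER..NAT; every family array must have TABLES_MAX slots */` above the definition. The initializer continues past the end of the hunk.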
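Review bot: the lookup loop in nft_table_builtin_find now calls strcmp on `h->tables[i].name` for every slot below TABLES_MAX, and a family array that leaves a slot without a designated initializer would have a NULL name there, which strcmp dereferences; whether xtables_ipv4 fills all five slots is not visible on this page. Guarding the slot is one line: `if (h->tables[i].name == NULL || strcmp(h->tables[i].name, table) != 0) continue;`. The same lookup is reached from the three call sites changed in the later nft.c hunks. The rendering of this hunk on the page is garbled around the `for` line, so the exact old and new text of the strcmp line is inferred from the surrounding lines.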
@@ -366,7 +350,7 @@ nft_chain_builtin_init(struct nft_handle *h, const char *table,
 int ret = 0;
 struct builtin_table *t;
- t = nft_table_builtin_find(table);
+ t = nft_table_builtin_find(h, table);
 if (t == NULL) {
 ret = -1;
 goto out;
@@ -389,7 +373,7 @@ static bool nft_chain_builtin(struct nft_chain *c)
 return nft_chain_attr_get(c, NFT_CHAIN_ATTR_HOOKNUM) != NULL;
 }
-int nft_init(struct nft_handle *h)
+int nft_init(struct nft_handle *h, struct builtin_table *t)
 {
 h->nl = mnl_socket_open(NETLINK_NETFILTER);
 if (h->nl == NULL) {
@@ -402,6 +386,7 @@ int nft_init(struct nft_handle *h)
 return -1;
 }
 h->portid = mnl_socket_get_portid(h->nl);
+ h->tables = t;
 return 0;
 }
@@ -440,7 +425,7 @@ int nft_table_set_dormant(struct nft_handle *h, const char *table)
 int ret = 0, i;
 struct builtin_table *t;
- t = nft_table_builtin_find(table);
+ t = nft_table_builtin_find(h, table);
 if (t == NULL) {
 ret = -1;
 goto out;
@@ -501,7 +486,7 @@ __nft_chain_set(struct nft_handle *h, const char *table,
 struct builtin_chain *_c;
 int ret;
- _t = nft_table_builtin_find(table);
+ _t = nft_table_builtin_find(h, table);
 /* if this built-in table does not exists, create it */
 if (_t != NULL)
 nft_table_builtin_add(h, _t, false);
diff --git a/iptables/nft.h b/iptables/nft.h
index 7a6351b7..f3317c92 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -4,6 +4,25 @@
 #include "xshared.h"
 #include "nft-shared.h"
+#define FILTER 0
+#define MANGLE 1
+#define RAW 2
+#define SECURITY 3
+#define NAT 4
+#define TABLES_MAX 5
+
+struct builtin_chain {
+ const char *name;
+ const char *type;
+ uint32_t prio;
+ uint32_t hook;
+};
+
+struct builtin_table {
+ const char *name;
+ struct builtin_chain chains[NF_INET_NUMHOOKS];
+};
+
 struct nft_handle {
 int family;
 struct mnl_socket *nl;
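Review bot: nft_init accepts the new `t` argument without validating it, and the store into the handle happens only after the socket is opened (`h->tables = t;` in the @@ -402 hunk), so on the early `return -1` path `h->tables` keeps whatever value the caller's handle already held and a later nft_table_builtin_find would dereference it. Either reject a missing table set up front, `if (t == NULL) return -1;`, or move `h->tables = t;` ahead of mnl_socket_open so the handle is consistent whichever way init ends. The body of nft_init spans both hunks and its error branch lies between them.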
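Review bot: the nft.h hunk moves the unprefixed macros FILTER, MANGLE, RAW, SECURITY and NAT from one .c file into a header that every xtables front end includes, and names that short are easy to collide with in other headers; a prefixed enum would keep the values while avoiding that, e.g. `enum { NFT_TABLE_FILTER, NFT_TABLE_MANGLE, NFT_TABLE_RAW, NFT_TABLE_SECURITY, NFT_TABLE_NAT, NFT_TABLE_MAX };` (constructed names, callers would need the same rename). The new struct definitions also use `uint32_t` and `NF_INET_NUMHOOKS`, while the only includes visible in the hunk are xshared.h and nft-shared.h; if those do not pull in stdint.h and linux/netfilter.h, nft.h stops being self-contained and should include them itself.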
@@ -11,9 +30,12 @@ struct nft_handle {
 uint32_t seq;
 bool commit;
 struct nft_family_ops *ops;
+ struct builtin_table *tables;
 };
-int nft_init(struct nft_handle *h);
+extern struct builtin_table xtables_ipv4[TABLES_MAX];
+
+int nft_init(struct nft_handle *h, struct builtin_table *t);
 void nft_fini(struct nft_handle *h);
 /*
diff --git a/iptables/xtables-config.c b/iptables/xtables-config.c
index 515b18b1..b7cf6094 100644
--- a/iptables/xtables-config.c
+++ b/iptables/xtables-config.c
@@ -35,7 +35,7 @@ int xtables_config_main(int argc, char *argv[])
 else
 filename = argv[1];
- if (nft_init(&h) < 0) {
+ if (nft_init(&h, xtables_ipv4) < 0) {
 fprintf(stderr, "Failed to initialize nft: %s\n",
 strerror(errno));
 return EXIT_FAILURE;
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 8469ba1a..608e189b 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -193,7 +193,7 @@ xtables_restore_main(int argc, char *argv[])
 init_extensions4();
 #endif
- if (nft_init(&h) < 0) {
+ if (nft_init(&h, xtables_ipv4) < 0) {
 fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
 xtables_globals.program_name,
 xtables_globals.program_version,
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 41ceaf51..db030901 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -96,7 +96,7 @@ xtables_save_main(int argc, char *argv[])
 init_extensions();
 init_extensions4();
 #endif
- if (nft_init(&h) < 0) {
+ if (nft_init(&h, xtables_ipv4) < 0) {
 fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
 xtables_globals.program_name,
 xtables_globals.program_version,
diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
index 3f8b981f..9d5a6675 100644
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
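Review bot: the new nft_init prototype in the nft.h hunk gains a `struct builtin_table *t` parameter with no comment on what it must point to or how long it must live; the handle keeps the pointer rather than copying the array (`h->tables = t;` in nft.c), so the caller's array has to outlive the handle, which is true of the global xtables_ipv4 but not of anything allocated per call. I'd put above the prototype: `/* t: array of TABLES_MAX built-in tables for this family (e.g. xtables_ipv4); stored by pointer, must outlive h */`.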
@@ -61,7 +61,7 @@ xtables_main(int argc, char *argv[])
 init_extensions4();
 #endif
- if (nft_init(&h) < 0) {
+ if (nft_init(&h, xtables_ipv4) < 0) {
 fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
 xtables_globals.program_name,
 xtables_globals.program_version,
-- cgit v1.2.3