authorPablo Neira Ayuso <pablo@netfilter.org>2012-11-11 22:53:57 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2012-11-11 23:32:08 +0100
commit682b656b5749507bc0db7dbf172b822dbf474d44 (patch)
treef179840cf776eecfa2bc4868422fc3b88b59ad3c
parenta7490c7b24f39a88798fed66a6f15fd8e0e7f9ae (diff)
examples: table: add example of dormant tables
Now we add a non-dormant table which is not active. We can add chains and rules to it that would not have any effect. Once we change the flag to wake it up, the rule-set becomes active. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--examples/Makefile.am4
-rw-r--r--examples/nft-table-upd.c102
-rw-r--r--include/linux/netfilter/nf_tables.h9
3 files changed, 115 insertions, 0 deletions
diff --git a/examples/Makefile.am b/examples/Makefile.am
index 9b9e345..aee95df 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -1,6 +1,7 @@
include $(top_srcdir)/Make_global.am
check_PROGRAMS = nft-table-add \
+ nft-table-upd \
nft-table-del \
nft-table-get \
nft-chain-add \
@@ -15,6 +16,9 @@ check_PROGRAMS = nft-table-add \
nft_table_add_SOURCES = nft-table-add.c
nft_table_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
+nft_table_upd_SOURCES = nft-table-upd.c
+nft_table_upd_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
+
nft_table_del_SOURCES = nft-table-del.c
nft_table_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
diff --git a/examples/nft-table-upd.c b/examples/nft-table-upd.c
new file mode 100644
index 0000000..6b938bf
--- /dev/null
+++ b/examples/nft-table-upd.c
@@ -0,0 +1,102 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
+ */
+
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include <libmnl/libmnl.h>
+#include <libnftables/table.h>
+
+int main(int argc, char *argv[])
+{
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t portid, seq, family, flags;
+ struct nft_table *t = NULL;
+ int ret;
+
+ if (argc != 4) {
+ fprintf(stderr, "%s <family> <name> <state>\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ t = nft_table_alloc();
+ if (t == NULL) {
+ perror("OOM");
+ exit(EXIT_FAILURE);
+ }
+
+ seq = time(NULL);
+ if (strcmp(argv[1], "ip") == 0)
+ family = AF_INET;
+ else if (strcmp(argv[1], "ip6") == 0)
+ family = AF_INET6;
+ else if (strcmp(argv[1], "bridge") == 0)
+ family = AF_BRIDGE;
+ else {
+ fprintf(stderr, "Unknown family: ip, ip6, bridge\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (strcmp(argv[3], "active") == 0)
+ flags = 0;
+ else if (strcmp(argv[3], "dormant") == 0)
+ flags = NFT_TABLE_F_DORMANT;
+ else {
+ fprintf(stderr, "Unknown state: active, dormant\n");
+ exit(EXIT_FAILURE);
+ }
+
+ nft_table_attr_set(t, NFT_TABLE_ATTR_NAME, argv[2]);
+ nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FLAGS, flags);
+
+ nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, family,
+ NLM_F_ACK, seq);
+ nft_table_nlmsg_build_payload(nlh, t);
+ nft_table_free(t);
+
+ nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (nl == NULL) {
+ perror("mnl_socket_open");
+ exit(EXIT_FAILURE);
+ }
+
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ perror("mnl_socket_bind");
+ exit(EXIT_FAILURE);
+ }
+ portid = mnl_socket_get_portid(nl);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+ if (ret <= 0)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+ mnl_socket_close(nl);
+
+ return EXIT_SUCCESS;
+}
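Review bot: fprintf, stderr and perror are used throughout main() (the argc check, the family/state parsing, every socket error path) but <stdio.h> is not in the include list at the top of the file; it presumably compiles only because one of the library headers pulls it in transitively, so add `#include <stdio.h>` next to the other system includes. Two of the error labels are also misleading for anyone reading the output: the send failure reports `perror("mnl_socket_send")` although the call is mnl_socket_sendto, and the failure after the receive loop reports only `perror("error")`, which does not say which call set errno. Suggest `perror("mnl_socket_sendto");` and `perror("mnl_cb_run");` respectively, since the loop breaks out as soon as mnl_cb_run returns an error and that is the value the final check inspects. The same include omission would apply to the sibling examples if they follow this template, though they are outside this diff.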
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8cd19c8..28aa0ee 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -55,6 +55,15 @@ enum nft_hook_attributes {
};
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
+/**
+ * enum nft_table_flags - nf_tables table flags
+ *
+ * @NFT_TABLE_F_DORMANT: this table is not active
+ */
+enum nft_table_flags {
+ NFT_TABLE_F_DORMANT = 0x1,
+};
+
enum nft_table_attributes {
NFTA_TABLE_UNSPEC,
NFTA_TABLE_NAME,