authorPablo Neira Ayuso <pablo@netfilter.org>2017-11-29 13:07:02 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-03-05 16:31:29 +0100
commiteb58f53372e7475b65f6d7ee2b72507c4580007e (patch)
treea2203145a92d1db136b1746d91c56dc61448bb87 /include
parent848ddc6cbf338d16cc1a4510ee82073599204627 (diff)
src: add flowtable support
This patch allows you to add, delete and list flowtables through the existing netlink interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/libnftnl/Makefile.am1
-rw-r--r--include/libnftnl/flowtable.h81
-rw-r--r--include/linux/netfilter/nf_tables.h53
3 files changed, 135 insertions, 0 deletions
diff --git a/include/libnftnl/Makefile.am b/include/libnftnl/Makefile.am
index 6dc7b2b..d846a57 100644
--- a/include/libnftnl/Makefile.am
+++ b/include/libnftnl/Makefile.am
@@ -6,6 +6,7 @@ pkginclude_HEADERS = batch.h \
rule.h \
expr.h \
set.h \
+ flowtable.h \
ruleset.h \
common.h \
udata.h \
diff --git a/include/libnftnl/flowtable.h b/include/libnftnl/flowtable.h
new file mode 100644
index 0000000..0f8f325
--- /dev/null
+++ b/include/libnftnl/flowtable.h
@@ -0,0 +1,81 @@
+#ifndef _LIBNFTNL_FLOWTABLE_H_
+#define _LIBNFTNL_FLOWTABLE_H_
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <sys/types.h>
+
+#include <libnftnl/common.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nftnl_flowtable;
+
+struct nftnl_flowtable *nftnl_flowtable_alloc(void);
+void nftnl_flowtable_free(const struct nftnl_flowtable *);
+
+enum nftnl_flowtable_attr {
+ NFTNL_FLOWTABLE_NAME = 0,
+ NFTNL_FLOWTABLE_FAMILY,
+ NFTNL_FLOWTABLE_TABLE,
+ NFTNL_FLOWTABLE_HOOKNUM,
+ NFTNL_FLOWTABLE_PRIO = 4,
+ NFTNL_FLOWTABLE_USE,
+ NFTNL_FLOWTABLE_DEVICES,
+ __NFTNL_FLOWTABLE_MAX
+};
+#define NFTNL_FLOWTABLE_MAX (__NFTNL_FLOWTABLE_MAX - 1)
+
+bool nftnl_flowtable_is_set(const struct nftnl_flowtable *c, uint16_t attr);
+void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr);
+void nftnl_flowtable_set(struct nftnl_flowtable *t, uint16_t attr, const void *data);
+int nftnl_flowtable_set_data(struct nftnl_flowtable *t, uint16_t attr,
+ const void *data, uint32_t data_len);
+void nftnl_flowtable_set_u32(struct nftnl_flowtable *t, uint16_t attr, uint32_t data);
+void nftnl_flowtable_set_s32(struct nftnl_flowtable *t, uint16_t attr, int32_t data);
+int nftnl_flowtable_set_str(struct nftnl_flowtable *t, uint16_t attr, const char *str);
+void nftnl_flowtable_set_array(struct nftnl_flowtable *t, uint16_t attr, const char **data);
+
+const void *nftnl_flowtable_get(const struct nftnl_flowtable *c, uint16_t attr);
+const void *nftnl_flowtable_get_data(const struct nftnl_flowtable *c, uint16_t attr,
+ uint32_t *data_len);
+const char *nftnl_flowtable_get_str(const struct nftnl_flowtable *c, uint16_t attr);
+uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr);
+int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr);
+const char **nftnl_flowtable_get_array(const struct nftnl_flowtable *t, uint16_t attr);
+
+struct nlmsghdr;
+
+void nftnl_flowtable_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_flowtable *t);
+
+int nftnl_flowtable_parse(struct nftnl_flowtable *c, enum nftnl_parse_type type,
+ const char *data, struct nftnl_parse_err *err);
+int nftnl_flowtable_parse_file(struct nftnl_flowtable *c, enum nftnl_parse_type type,
+ FILE *fp, struct nftnl_parse_err *err);
+int nftnl_flowtable_snprintf(char *buf, size_t size, const struct nftnl_flowtable *t, uint32_t type, uint32_t flags);
+int nftnl_flowtable_fprintf(FILE *fp, const struct nftnl_flowtable *c, uint32_t type, uint32_t flags);
+
+#define nftnl_flowtable_nlmsg_build_hdr nftnl_nlmsg_build_hdr
+int nftnl_flowtable_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_flowtable *t);
+
+struct nftnl_flowtable_list;
+
+struct nftnl_flowtable_list *nftnl_flowtable_list_alloc(void);
+void nftnl_flowtable_list_free(struct nftnl_flowtable_list *list);
+int nftnl_flowtable_list_is_empty(const struct nftnl_flowtable_list *list);
+void nftnl_flowtable_list_add(struct nftnl_flowtable *s,
+ struct nftnl_flowtable_list *list);
+void nftnl_flowtable_list_add_tail(struct nftnl_flowtable *s,
+ struct nftnl_flowtable_list *list);
+void nftnl_flowtable_list_del(struct nftnl_flowtable *s);
+int nftnl_flowtable_list_foreach(struct nftnl_flowtable_list *flowtable_list,
+ int (*cb)(struct nftnl_flowtable *t, void *data), void *data);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_FLOWTABLE_H_ */
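Review bot: `nftnl_flowtable_set_array()` and `nftnl_flowtable_get_array()` take and return a bare `const char **` with no element count, so a caller reading this header cannot tell how the device array is terminated or who owns the strings, and the implementation that decides this lives outside the hunk. Presumably the contract is a NULL-terminated array that the library copies; that should be stated on the prototypes, e.g. `/* data: NULL-terminated array of device names; the flowtable keeps its own copy */` on the setter and `/* returns a NULL-terminated array owned by the flowtable, valid until it is modified or freed */` on the getter, adjusted to what flowtable.c actually does. The same hunk also names the `struct nftnl_flowtable *` parameter `c`, `t` and `s` in different prototypes (`nftnl_flowtable_is_set`, `nftnl_flowtable_set`, `nftnl_flowtable_list_add`); one name throughout would make the header easier to scan. The explicit `NFTNL_FLOWTABLE_PRIO = 4` in an otherwise implicitly numbered enum is redundant and reads as though the values were being pinned for ABI; either drop it or make every value explicit.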
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 64d4a25..eb4b428 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -90,6 +90,9 @@ enum nft_verdicts {
* @NFT_MSG_GETOBJ: get a stateful object (enum nft_obj_attributes)
* @NFT_MSG_DELOBJ: delete a stateful object (enum nft_obj_attributes)
* @NFT_MSG_GETOBJ_RESET: get and reset a stateful object (enum nft_obj_attributes)
+ * @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes)
+ * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
+ * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
*/
enum nf_tables_msg_types {
NFT_MSG_NEWTABLE,
@@ -114,6 +117,9 @@ enum nf_tables_msg_types {
NFT_MSG_GETOBJ,
NFT_MSG_DELOBJ,
NFT_MSG_GETOBJ_RESET,
+ NFT_MSG_NEWFLOWTABLE,
+ NFT_MSG_GETFLOWTABLE,
+ NFT_MSG_DELFLOWTABLE,
NFT_MSG_MAX,
};
@@ -1305,6 +1311,53 @@ enum nft_object_attributes {
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
/**
+ * enum nft_flowtable_attributes - nf_tables flow table netlink attributes
+ *
+ * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
+ * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
+ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
+ * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
+ */
+enum nft_flowtable_attributes {
+ NFTA_FLOWTABLE_UNSPEC,
+ NFTA_FLOWTABLE_TABLE,
+ NFTA_FLOWTABLE_NAME,
+ NFTA_FLOWTABLE_HOOK,
+ NFTA_FLOWTABLE_USE,
+ __NFTA_FLOWTABLE_MAX
+};
+#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
+
+/**
+ * enum nft_flowtable_hook_attributes - nf_tables flow table hook netlink attributes
+ *
+ * @NFTA_FLOWTABLE_HOOK_NUM: netfilter hook number (NLA_U32)
+ * @NFTA_FLOWTABLE_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
+ * @NFTA_FLOWTABLE_HOOK_DEVS: input devices this flow table is bound to (NLA_NESTED)
+ */
+enum nft_flowtable_hook_attributes {
+ NFTA_FLOWTABLE_HOOK_UNSPEC,
+ NFTA_FLOWTABLE_HOOK_NUM,
+ NFTA_FLOWTABLE_HOOK_PRIORITY,
+ NFTA_FLOWTABLE_HOOK_DEVS,
+ __NFTA_FLOWTABLE_HOOK_MAX
+};
+#define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1)
+
+/**
+ * enum nft_device_attributes - nf_tables device netlink attributes
+ *
+ * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)
+ */
+enum nft_devices_attributes {
+ NFTA_DEVICE_UNSPEC,
+ NFTA_DEVICE_NAME,
+ __NFTA_DEVICE_MAX
+};
+#define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
+
+
+/**
* enum nft_trace_attributes - nf_tables trace netlink attributes
*
* @NFTA_TRACE_TABLE: name of the table (NLA_STRING)