-rw-r--r--include/libnftables/rule.h3
-rw-r--r--include/linux/netfilter/nf_tables.h6
-rw-r--r--src/libnftables.map2
-rw-r--r--src/rule.c36
4 files changed, 45 insertions, 2 deletions
diff --git a/include/libnftables/rule.h b/include/libnftables/rule.h
index 2cd1bf3..129dd29 100644
--- a/include/libnftables/rule.h
+++ b/include/libnftables/rule.h
@@ -18,15 +18,18 @@ enum {
NFT_RULE_ATTR_TABLE,
NFT_RULE_ATTR_CHAIN,
NFT_RULE_ATTR_HANDLE,
+ NFT_RULE_ATTR_FLAGS,
};
void nft_rule_attr_set(struct nft_rule *r, uint16_t attr, void *data);
+void nft_rule_attr_set_u32(struct nft_rule *r, uint16_t attr, uint32_t val);
void nft_rule_attr_set_u64(struct nft_rule *r, uint16_t attr, uint64_t val);
void nft_rule_attr_set_str(struct nft_rule *r, uint16_t attr, char *str);
void *nft_rule_attr_get(struct nft_rule *r, uint16_t attr);
const char *nft_rule_attr_get_str(struct nft_rule *r, uint16_t attr);
uint8_t nft_rule_attr_get_u8(struct nft_rule *r, uint16_t attr);
+uint32_t nft_rule_attr_get_u32(struct nft_rule *r, uint16_t attr);
uint64_t nft_rule_attr_get_u64(struct nft_rule *r, uint16_t attr);
void nft_rule_add_expr(struct nft_rule *r, struct nft_rule_expr *expr);
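Review bot: The new NFT_RULE_ATTR_FLAGS attribute carries no comment saying what it holds, and the implementation already has two things called "flags" (`r->flags`, the attribute-presence bits, and `r->rule_flags`, the value stored here), so a reader of rule.h cannot tell which one this attribute exposes. Suggest `NFT_RULE_ATTR_FLAGS, /* NFT_RULE_F_* bits from linux/netfilter/nf_tables.h */` on the enum line, and a one-line comment on the new nft_rule_attr_get_u32 declaration stating what it returns when the attribute has not been set on the rule.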
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a7e84e4..c07d1d3 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -86,12 +86,18 @@ enum nft_chain_attributes {
};
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
+enum {
+ NFT_RULE_F_COMMIT = (1 << 0),
+ NFT_RULE_F_MASK = NFT_RULE_F_COMMIT,
+};
+
enum nft_rule_attributes {
NFTA_RULE_UNSPEC,
NFTA_RULE_TABLE,
NFTA_RULE_CHAIN,
NFTA_RULE_HANDLE,
NFTA_RULE_EXPRESSIONS,
+ NFTA_RULE_FLAGS,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
diff --git a/src/libnftables.map b/src/libnftables.map
index dbbe243..6fc316f 100644
--- a/src/libnftables.map
+++ b/src/libnftables.map
@@ -43,10 +43,12 @@ global:
nft_rule_alloc;
nft_rule_free;
nft_rule_attr_set;
+ nft_rule_attr_set_u32;
nft_rule_attr_set_u64;
nft_rule_attr_set_str;
nft_rule_attr_get;
nft_rule_attr_get_u8;
+ nft_rule_attr_get_u32;
nft_rule_attr_get_u64;
nft_rule_attr_get_str;
nft_rule_snprintf;
diff --git a/src/rule.c b/src/rule.c
index f87600d..4d61fbd 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -34,6 +34,7 @@ struct nft_rule {
char *table;
char *chain;
uint8_t family;
+ uint32_t rule_flags;
uint64_t handle;
struct list_head expr_list;
@@ -82,6 +83,9 @@ void nft_rule_attr_set(struct nft_rule *r, uint16_t attr, void *data)
case NFT_RULE_ATTR_HANDLE:
r->handle = *((uint64_t *)data);
break;
+ case NFT_RULE_ATTR_FLAGS:
+ r->rule_flags = *((uint32_t *)data);
+ break;
default:
return;
}
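Review bot: The NFT_RULE_ATTR_FLAGS case stores whatever 32-bit value the caller passes, while the companion nf_tables.h change introduces NFT_RULE_F_MASK and nothing in this commit checks against it, so an unknown bit travels into the netlink payload unchanged and is presumably only rejected by the kernel later. Since nft_rule_attr_set returns void, the options are to mask in-band, `r->rule_flags = *((uint32_t *)data) & NFT_RULE_F_MASK;`, or to state in rule.h that only NFT_RULE_F_* bits are accepted and leave validation to the kernel. The surrounding switch belongs to nft_rule_attr_set, whose opening lines are outside the hunk.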
@@ -89,6 +93,12 @@ void nft_rule_attr_set(struct nft_rule *r, uint16_t attr, void *data)
}
EXPORT_SYMBOL(nft_rule_attr_set);
+void nft_rule_attr_set_u32(struct nft_rule *r, uint16_t attr, uint32_t val)
+{
+ nft_rule_attr_set(r, attr, &val);
+}
+EXPORT_SYMBOL(nft_rule_attr_set_u32);
+
void nft_rule_attr_set_u64(struct nft_rule *r, uint16_t attr, uint64_t val)
{
nft_rule_attr_set(r, attr, &val);
@@ -127,6 +137,12 @@ void *nft_rule_attr_get(struct nft_rule *r, uint16_t attr)
else
return NULL;
break;
+ case NFT_RULE_ATTR_FLAGS:
+ if (r->flags & (1 << NFT_RULE_ATTR_FLAGS))
+ return &r->rule_flags;
+ else
+ return NULL;
+ break;
default:
return NULL;
}
@@ -139,6 +155,13 @@ const char *nft_rule_attr_get_str(struct nft_rule *r, uint16_t attr)
}
EXPORT_SYMBOL(nft_rule_attr_get_str);
+uint32_t nft_rule_attr_get_u32(struct nft_rule *r, uint16_t attr)
+{
+ uint32_t val = *((uint32_t *)nft_rule_attr_get(r, attr));
+ return val;
+}
+EXPORT_SYMBOL(nft_rule_attr_get_u64);
+
uint64_t nft_rule_attr_get_u64(struct nft_rule *r, uint16_t attr)
{
uint64_t val = *((uint64_t *)nft_rule_attr_get(r, attr));
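Review bot: The export line after the new getter names the wrong symbol: `EXPORT_SYMBOL(nft_rule_attr_get_u64);` should read `EXPORT_SYMBOL(nft_rule_attr_get_u32);`, otherwise nft_rule_attr_get_u32, which libnftables.map now lists, is presumably never given default visibility and get_u64 is exported twice. The new getter also dereferences the result of nft_rule_attr_get unconditionally, and the NFT_RULE_ATTR_FLAGS case added in the hunk above returns NULL when the attribute was never set, so reading flags from a rule that has none dereferences NULL; the existing get_u64 has the same shape, but a guarded read is cheap here: `uint32_t *p = nft_rule_attr_get(r, attr); return p ? *p : 0;`, with the unset-value convention noted in the header. The body of nft_rule_attr_get_u64 continues past the hunk.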
@@ -185,6 +208,8 @@ void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
mnl_attr_put_strz(nlh, NFTA_RULE_CHAIN, r->chain);
if (r->flags & (1 << NFT_RULE_ATTR_HANDLE))
mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(r->handle));
+ if (r->flags & (1 << NFT_RULE_ATTR_FLAGS))
+ mnl_attr_put_u32(nlh, NFTA_RULE_FLAGS, htonl(r->rule_flags));
nest = mnl_attr_nest_start(nlh, NFTA_RULE_EXPRESSIONS);
list_for_each_entry(expr, &r->expr_list, head) {
@@ -222,6 +247,12 @@ static int nft_rule_parse_attr_cb(const struct nlattr *attr, void *data)
return MNL_CB_ERROR;
}
break;
+ case NFTA_RULE_FLAGS:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
+ perror("mnl_attr_validate");
+ return MNL_CB_ERROR;
+ }
+ break;
}
tb[type] = attr;
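Review bot: The callback validates NFTA_RULE_FLAGS as a U32 and leaves it in tb[], but no hunk in this commit reads `tb[NFTA_RULE_FLAGS]` back into `r->rule_flags` or sets the matching bit in `r->flags` (the diffstat accounts for every rule.c change in the hunks shown), so a rule received from the kernel reports no flags through nft_rule_attr_get even when the attribute was present. If the round trip is intended, the parse function needs something like `r->rule_flags = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_FLAGS])); r->flags |= (1 << NFT_RULE_ATTR_FLAGS);` next to where NFTA_RULE_HANDLE is consumed; that function is not in this diff. The enclosing switch in nft_rule_parse_attr_cb starts before the hunk.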
@@ -327,9 +358,10 @@ int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *r,
struct nft_rule_expr *expr;
int len = size, offset = 0;
- ret = snprintf(buf, size, "family=%u table=%s chain=%s handle=%llu ",
+ ret = snprintf(buf, size, "family=%u table=%s chain=%s handle=%llu "
+ "flags=%x ",
r->family, r->table, r->chain,
- (unsigned long long)r->handle);
+ (unsigned long long)r->handle, r->rule_flags);
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
list_for_each_entry(expr, &r->expr_list, head) {
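Review bot: The new `flags=%x` conversion is given a uint32_t argument, which is fine wherever uint32_t is unsigned int, but the same call casts handle to unsigned long long for `%llu`, so the file's own convention suggests `(unsigned int)r->rule_flags` here too, or `PRIx32` if <inttypes.h> is already included in rule.c. The flags are printed unconditionally, so a rule with no flags set prints `flags=0`, which mirrors how handle is treated. nft_rule_snprintf continues past the hunk.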