path: root/examples
Commit message | Author | Age | Files | Lines
* examples: nft-set-elem-add: add missing batch logic | Pablo Neira Ayuso | 2016-11-30 | 1 | -5/+21
  This example is broken since batch logic is missing. Update it to add element of 2 bytes so this works with nft-set-add.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-add: update it to add a set that stores port numbers | Pablo Neira Ayuso | 2016-11-30 | 1 | -2/+3
  This patch updates the existing example to add a set that stores port numbers. In order to interoperate with the nft tool, we use the datatype numbers defined there.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-map-add | Pablo Neira Ayuso | 2016-11-30 | 2 | -0/+161
  Place an example to add a map in the libnftnl tree.
  Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update Arturo Borrero Gonzalez email | Arturo Borrero Gonzalez | 2016-10-17 | 5 | -5/+5
  Update Arturo Borrero Gonzalez email address.
  Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove libmxml support | Arturo Borrero | 2016-09-23 | 12 | -59/+27
  This patch removes the libmxml integration in libnftnl, since we have JSON in place and there is no need to support two at the same time.
  The JSON support is much better, for example libjansson has a better parsing error reporting.
  Moreover, libmxml 2.10 breaks the integration with libnftnl somehow, as reported in Debian bug #83870 [0].
  Also, the XML support inside libnftnl has never been in good shape, with several tiny inconsistencies.
  [0] https://bugs.debian.org/838370
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-get: selective rule dumping | Josue Alvarez | 2016-07-22 | 1 | -13/+45
  Improve nft-rule-get example to demonstrate selective rule dumping when table and / or chain attributes are set in a rule dump request.
  Usage is now as follows:
    nft-rule-get <family> [<table> <chain>] [<xml|json>]
  Signed-off-by: Josue Alvarez <jalvarez@toulouse.viveris.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-upd: don't use deprecated aliases | Pablo Neira Ayuso | 2016-06-07 | 1 | -10/+10
  Convert this example not to use the deprecated aliases anymore.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: load modules when adding chains or tables | Daniel Wagner | 2016-04-29 | 2 | -2/+2
  Tell the kernel to load the necessary modules by adding the NLM_F_CREATE flag.
  Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix nft-table-upd example | Vijay Subramanian | 2015-10-12 | 1 | -13/+41
  examples/nft-table-upd does not work currently since NFT_MSG_NEWTABLE needs to use batching mode of netlink message delivery. This patch adds batching to nft-table-upd example.
  While here, also add support for netdev family.
  Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _attr_ infix in new nftnl_ definitions | Pablo Neira Ayuso | 2015-09-07 | 21 | -76/+76
  The function names are already large, trim off the _ATTR_ infix in the attribute definitions.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _ATTR_ infix in new nfntl_ definitions | Pablo Neira Ayuso | 2015-09-07 | 21 | -74/+74
  The constant names are already large, trim off the _ATTR_ infix in the attribute definitions.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_expr | Pablo Neira Ayuso | 2015-09-07 | 1 | -13/+13
  Use a shorter name for this, moreover this can be used from sets so the _rule_ is misleading.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename existing functions to use the nftnl_ prefix | Pablo Neira Ayuso | 2015-09-07 | 23 | -563/+563
  So we can use the nft_* prefix anytime soon for our upcoming higher level library.
  After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: add nft_ruleset_ctx_free | Alvaro Neira | 2015-03-13 | 1 | -7/+1
  This function releases the ruleset objects attached in the parse context structure, ie. struct nft_parse_ctx.
  Moreover, this patch updates the nft_parse_ruleset_file to use it.
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-ruleset-parse-file | Alvaro Neira | 2015-03-05 | 2 | -0/+490
  With this example, we can parse the objects in the ruleset and create the netlink message with the action associated. For example:
  - Flush ruleset
  - Add, delete or flush tables/chains
  - Add, delete sets
  - Add, delete set elements
  - Add, delete, replace or prepend rules
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-parse-add: fix wrong buffer usage when building rule header | Arturo Borrero | 2014-11-17 | 1 | -1/+2
  The libmnl helper returns a pointer where to start putting the rule data.
  Reported-by: Ian Bishop <ian@pace7.com>
  Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=983
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-add: fix wrong buffer pointer | Arturo Borrero | 2014-09-30 | 1 | -1/+2
  We should point to the batch buffer as returned by the libmnl helper.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-parse-add: add batching support | Arturo Borrero | 2014-09-30 | 1 | -8/+35
  Batching is needed in current kernels.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-json-add: generalize parsing format support | Arturo Borrero | 2014-09-29 | 2 | -29/+52
  Let's create a single code example with XML/JSON support.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* examples: nft-rule-parse-add: add batching support | Arturo Borrero | 2014-09-23 | 1 | -6/+29
  Let's add support for current kernels.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: merge nft-rule-{xml|json}-add.c | Arturo Borrero | 2014-09-23 | 3 | -156/+54
  Merge the two examples in just one. An input argument chooses the format to use.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ruleset generation class | Pablo Neira Ayuso | 2014-09-19 | 1 | -0/+28
  The generation object currently only contains the uint32_t that indicates the generation ID. I could have just added the API to return the uint32_t ID instead, but I think this API is easier to extend without adding new APIs.
  We can probably include meaningful statistics in the generation message in the future without much hassle.
  This patch also extends examples/nft-events.c.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-del: add batching support | Arturo Borrero | 2014-08-24 | 1 | -6/+30
  Add batching support so this code example works with current kernels.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-del: add table_del_parse() | Arturo Borrero | 2014-08-24 | 1 | -20/+35
  This new function parses the input arguments and generates the nft_table.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-add: add batching support | Arturo Borrero | 2014-08-24 | 1 | -5/+28
  Adds batching support to this code example, so it works with current kernels.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-add: add table_add_parse() | Arturo Borrero | 2014-08-24 | 1 | -20/+35
  This function parses the command line options and creates the nft_table object.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-parse-add: add batching support | Arturo Borrero | 2014-08-24 | 1 | -8/+32
  Add batching support to operate with recent kernels.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: merge nft-table-{xml|json}-add.c | Arturo Borrero | 2014-08-24 | 3 | -159/+55
  Merge the two examples in one. An input argument chooses the format to use.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-parse-add: add batching support | Arturo Borrero | 2014-08-18 | 1 | -8/+29
  Add batching support to operate with current kernels.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: merge nft-chain-{xml|json}-add.c | Arturo Borrero | 2014-08-18 | 3 | -168/+61
  Merge the two examples in one. Use an input argument to choose the format to parse.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-del: support new batching interface | Arturo Borrero | 2014-08-18 | 1 | -7/+30
  Chains are included in the batch since 3.16. Add support to delete chains depending on the available interface.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-del: add chain_del_parse() | Arturo Borrero | 2014-08-18 | 1 | -6/+19
  This function parses the command line options and creates the nft_chain object.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-add: support new batching interface | Pablo Neira Ayuso | 2014-08-14 | 1 | -5/+29
  Chains are included in the batch since 3.16. Add support for adding the chains depending on the available interface.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-add: add chain_add_parse() | Pablo Neira Ayuso | 2014-08-14 | 1 | -30/+43
  This function parses the command line options and it creates the nft_chain object.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-add: use batch infrastructure | Arturo Borrero | 2014-07-24 | 1 | -44/+84
  It uses the existing nfnl batching approach using the generic mnl netlink message batching infrastructure.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-events: add option how to format the printed events | Pablo Neira Ayuso | 2014-04-26 | 1 | -19/+41
  # ./nft-events xml
  <event><type>new</type><chain><name>xxx</name><handle>9</handle><bytes>0</bytes><packets>0</packets><table>test</table><family>ip</family></chain></event>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-events: use new events wrappers | Arturo Borrero | 2014-04-26 | 1 | -15/+31
  Let's use the new event wrappers in the events example.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: complete nft-events example | Arturo Borrero | 2014-04-07 | 1 | -0/+60
  Complete nft-events example by adding a basic set & set_elem event notification.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: remove nft-rule-insert from Makefile.am | Pablo Neira Ayuso | 2014-03-28 | 1 | -3/+0
  This example doesn't exist anymore.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-del: removed printf rule function | Álvaro Neira Ayuso | 2014-03-08 | 1 | -4/+0
  Removed this code because with that we have a strange output.
  Example: we have a rule with handle 4 and we execute
    nft-rule-del ip filter input 4
  Output:
    unknown filter input 4 0
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-insert: fix and merge it to nft-rule-add | Álvaro Neira Ayuso | 2014-03-08 | 3 | -208/+12
  Merged the example for inserting rules and fixed for using the correct header.
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-del: fix missing batching headers | Álvaro Neira Ayuso | 2014-03-08 | 1 | -4/+39
  Fix the example for deleting rules. Before this patch, the program tried to delete the rule without using the correct header.
  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check if netlink parsing fails | Arturo Borrero | 2014-02-27 | 1 | -1/+2
  We have to check if mnl_attr_parse() returns an error, which means that it failed to validate and retrieve the attributes.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* example: nft-rule-add: simplify example | Pablo Neira Ayuso | 2014-02-27 | 1 | -57/+29
  The nft_mnl_batch_talk() is overly complicated for a simple example that just adds one single rule. Simplify this to prepare the merge of nft-rule-insert, which looks very similar.
* Merge branch 'master' into next-3.14 | Pablo Neira Ayuso | 2014-02-03 | 27 | -189/+283
  This patch includes changes to adapt this branch to the library rename that happened in the master branch.
  Conflicts:
    src/Makefile.am
    src/expr/cmp.c
    src/expr/ct.c
    src/expr/data_reg.c
    src/expr/meta.c
    tests/jsonfiles/01-table.json
    tests/jsonfiles/02-table.json
    tests/jsonfiles/64-ruleset.json
    tests/xmlfiles/01-table.xml
    tests/xmlfiles/02-table.xml
|\
| * rename library to libnftnl (tag: libnftnl-1.0.0) | Pablo Neira Ayuso | 2014-01-20 | 26 | -59/+59
    We plan to use this library name for the higher layer library.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: new error reporting approach for XML/JSON parsers | Álvaro Neira Ayuso | 2014-01-06 | 7 | -14/+71
    I have added a new structure for reporting some errors in parser that we can't cover with errno.
    In this patch, we have three errors that we can't cover with errno:
      NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
      NFT_PARSE_EMISSINGNODE : Missing node in our input
      NFT_PARSE_EBADTYPE : Wrong type value in a node
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * examples: nft-rule-add: use existing batch infrastructure | Pablo Neira Ayuso | 2013-12-10 | 1 | -110/+147
    This patch reworks the existing example to add the rule:
      nft add rule ip filter input tcp dport 22 counter
    It uses the existing nfnl batching approach using the generic mnl netlink message batching infrastructure. It also removed the code that uses xtables compat code.
    Based on original patch by Arturo Borrero Gonzalez.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | examples: add nft-ruleset-get | Arturo Borrero | 2014-01-04 | 2 | -0/+393
    This example prints the ruleset, using the ruleset API of nftables.
    The kernel patch c9c8e48 ("netfilter: nf_tables: dump sets in all existing families") is required.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | examples: nft-set-get: retrieve all sets via unspec | Arturo Borrero | 2014-01-04 | 1 | -1/+3
    Other nftables objects are allowed to be dumped with NFPROTO_UNSPEC. With sets is also possible since kernel patch c9c8e48 ("netfilter: nf_tables: dump sets in all existing families").
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|/