| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Add examples for ct expectations.
Add, list and delete ct expectation objects from specified table.
Add expectation object to rule.
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
We have better json support in libnftables these days.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
./nft-rule-ct-timeout-add ip filter input some-name
./nft-rule-get ip filter
ip filter input 4
[ objref type 7 name some-name ]
nft list ruleset
...
chain input {
ct timeout set "some-name"
}
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add, list and delete ct timeout objects from specified table
Usage e.g.:
% ./nft-ct-timeout-add ip filter some-name tcp
% ./nft-ct-timeout-get ip filter
table filter name some-name use 0 [ ct_timeout family 2 protocol 6
policy = {ESTABLISHED = 111,CLOSE_WAIT = 14, CLOSE = 16}]
% ./nft-ct-timeout-del ip filter some-name
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
./nft-rule-ct-helper-add ip filter input sip-5060
./nft-rule-get ip filter
ip filter input 7 6
[ objref type 3 name sip-5060 ]
nft list ruleset
...
chain input {
ct helper set "sip-5060"
}
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Fixes: 62d6fff78b2c ("src: remove set/get array api")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table.
Examples:
% ./nft-ct-helper-get ip filter
<nothing>
% ./nft-ct-helper-add ip filter sip-5060 sip udp
% ./nft-ct-helper-get ip filter
table filter name sip-5060 use 0 [ ct_helper name sip family 2 protocol 17 ]
% ./nft-ct-helper-del ip filter sip-5060
% ./nft-ct-helper-get ip filter
<nothing>
Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch allows you to add, delete and list flowtable through the
existing netlink interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This is only required by Linux kernel <= 3.16.x, that's too old and at
that time nft was very limited in term of features, so let's remove this
check from example files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==11688== HEAP SUMMARY:
==11688== in use at exit: 40 bytes in 1 blocks
==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11688==
==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11688== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11688== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11688== by 0x40133B: main (nft-chain-add.c:103)
==11688==
==11688== LEAK SUMMARY:
==11688== definitely lost: 40 bytes in 1 blocks
==11688== indirectly lost: 0 bytes in 0 blocks
==11688== possibly lost: 0 bytes in 0 blocks
==11688== still reachable: 0 bytes in 0 blocks
==11688== suppressed: 0 bytes in 0 blocks
==11831== HEAP SUMMARY:
==11831== in use at exit: 40 bytes in 1 blocks
==11831== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11831==
==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11831== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11831== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11831== by 0x401154: main (nft-chain-del.c:79)
==11831==
==11831== LEAK SUMMARY:
==11831== definitely lost: 40 bytes in 1 blocks
==11831== indirectly lost: 0 bytes in 0 blocks
==11831== possibly lost: 0 bytes in 0 blocks
==11831== still reachable: 0 bytes in 0 blocks
==11831== suppressed: 0 bytes in 0 blocks
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples
consistent and avoid code duplication.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch allows you to add, to delete and to get stateful objects,
this support two object types: counter and quota.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This example is broken since batch logic in missing. Update it to add
element of 2 bytes so this works with nft-set-add.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch updates the existing example to add a set that stores port
numbers. In order to interoperate with the nft tool, we use the datatype
numbers defined there.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Place an example to add a map in the libnftnl tree.
Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Update Arturo Borrero Gonzalez email address.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the libmxml integration in libnftnl, since we have
JSON in place and there is no need to support two at the same time.
The JSON support is much better, for example libjansson has a better
parsing error reporting.
Moreover, libmxml 2.10 breaks the integration with libnftnl somehow,
as reported in Debian bug #83870 [0].
Also, the XML support inside libnftnl has never been in good shape, with
several tiny inconsitencies.
[0] https://bugs.debian.org/838370
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Improve nft-rule-get example to demonstrate selective rule dumping when
table and / or chain attributes are set in a rule dump request.
Usage is now as follows:
nft-rule-get <family> [<table> <chain>] [<xml|json>]
Signed-off-by: Josue Alvarez <jalvarez@toulouse.viveris.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Convert this example not to use the deprecated aliases anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Tell the kernel to load the necessary modules by adding
the NLM_F_CREATE flag.
Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
examples/nft-table-upd does not work currently since NFT_MSG_NEWTABLE
needs to use batching mode of netlink message delivery.
This patch adds batching to nft-table-upd example.
While here, also add support for netdev family.
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The function names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The constant names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use a shorter name for this, morever this can be used from sets so the _rule_
is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
So we can use the nft_* prefix anytime soon for our upcoming higher level
library.
After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This function releases the ruleset objects attached in the parse context
structure, ie. struct nft_parse_ctx.
Moreover, this patch updates the nft_parse_ruleset_file to use it.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this example, we can parse the objects in the ruleset and create the
netlink message with the action associated. For example:
- Flush ruleset
- Add, delete or flush tables/chains
- Add, delete sets
- Add, delete set elements
- Add, delete, replace or prepend rules
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The libmnl helper returns a pointer where to start putting the rule data.
Reported-by: Ian Bishop <ian@pace7.com>
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=983
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We should point to the batch buffer as returned by the libmnl helper.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Batching is needed in current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Let's create a single code example with XML/JSON support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
| |
Let's add support for current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Merge the two examples in just one. An input argument choose the format to use.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The generation object currently only contains the uint32_t that
indicates the generation ID. I could have just add the API to return
the uint32_t ID instead, but I think this API is easier to extend
without adding new APIs.
We can probably include meaningful statistics in the generation
message in the future without much hassle.
This patch also extends examples/nft-events.c.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add batching support so this code example works with current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new function parses the input arguments and generates the nft_table.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Adds batching support to this code example, so it works with current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This fucntion parses the command line options and creates the nft_table object.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add batching support to operate with recent kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Merge the two examples in one. An input argument choose the format to use.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add batching support to operate with current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Merge the two examples in one. Use an input argument to choose the
format to parse.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Chains are included in the batch since 3.16. Add support to delete
chains dependending on the available interface.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This function parses the command line options and creates the nft_chain
object.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Chains are included in the batch since 3.16. Add support for adding
the chains dependending on the available interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This function parses the command line options and it creates the
nft_chain object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
It uses the existing nfnl batching approach using the generic mnl
netlink message batching infrastructure.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
# ./nft-events xml
<event><type>new</type><chain><name>xxx</name><handle>9</handle><bytes>0</bytes><packets>0</packets><table>test</table><family>ip</family></chain></event>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
