path: root/examples
Commit message | Author | Age | Files | Lines
* examples: add support for NF_PROTO_INET family | Jose M. Guisado Gomez | 2020-07-27 | 26 | -25/+77
    Add missing support for "inet" family for a handful of examples where applicable.
    Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: unbreak nft-set-elem-del | Pablo Neira Ayuso | 2020-07-24 | 1 | -8/+24
    This code is missing the batch netlink routines. There was another bug, the set element key size was not correct.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Replace use of deprecated symbols | Phil Sutter | 2019-12-04 | 21 | -43/+44
    Do not use unqualified setters to avoid the warnings. Pass a (false) zero length value to nftnl_flowtable_set_data() when assigning to NFTNL_FLOWTABLE_DEVICES as the length value is unused and not even usable. Maybe one should introduce a dedicated nftnl_flowtable_set_devices() at a later point.
    Fixes: 7349a70634fa0 ("Deprecate untyped data setters")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* examples: add ct expectation examples | Stéphane Veyret | 2019-06-19 | 5 | -0/+600
    Add examples for ct expectations. Add, list and delete ct expectation objects from specified table. Add expectation object to rule.
    Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove json support | Pablo Neira Ayuso | 2018-10-15 | 17 | -1222/+11
    We have better json support in libnftables these days.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove cttimeout.h leftover | Pablo Neira Ayuso | 2018-08-14 | 1 | -1/+0
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Add test for assigning timeout objects via rule | Harsha Sharma | 2018-08-13 | 2 | -1/+159
    Usage:
      ./nft-rule-ct-timeout-add ip filter input some-name
      ./nft-rule-get ip filter
      ip filter input 4
        [ objref type 7 name some-name ]
      nft list ruleset
      ...
      chain input {
        ct timeout set "some-name"
      }
    Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-ct-timeout-{add,del,get} | Harsha Sharma | 2018-08-13 | 4 | -0/+437
    Add, list and delete ct timeout objects from specified table
    Usage e.g.:
      % ./nft-ct-timeout-add ip filter some-name tcp
      % ./nft-ct-timeout-get ip filter
      table filter name some-name use 0 [ ct_timeout family 2 protocol 6 policy = {ESTABLISHED = 111,CLOSE_WAIT = 14, CLOSE = 16}]
      % ./nft-ct-timeout-del ip filter some-name
    Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Add test for assigning helper objects via rule | Harsha Sharma | 2018-05-08 | 2 | -1/+159
    Usage:
      ./nft-rule-ct-helper-add ip filter input sip-5060
      ./nft-rule-get ip filter
      ip filter input 7 6
        [ objref type 3 name sip-5060 ]
      nft list ruleset
      ...
      chain input {
        ct helper set "sip-5060"
      }
    Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-flowtable-add: do not use nftnl_flowtable_set_array() | Pablo Neira Ayuso | 2018-03-20 | 1 | -1/+1
    Fixes: 62d6fff78b2c ("src: remove set/get array api")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-ct-helper-{add,get,del} | Yang Zheng | 2018-03-20 | 4 | -1/+436
    nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table.
    Examples:
      % ./nft-ct-helper-get ip filter
      <nothing>
      % ./nft-ct-helper-add ip filter sip-5060 sip udp
      % ./nft-ct-helper-get ip filter
      table filter name sip-5060 use 0 [ ct_helper name sip family 2 protocol 17 ]
      % ./nft-ct-helper-del ip filter sip-5060
      % ./nft-ct-helper-get ip filter
      <nothing>
    Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com>
    Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flowtable support | Pablo Neira Ayuso | 2018-03-05 | 4 | -0/+391
    This patch allows you to add, delete and list flowtable through the existing netlink interface.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-del: fix set deletion | Pablo Neira Ayuso | 2018-02-14 | 1 | -9/+24
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: do not call nftnl_batch_is_supported() | Pablo Neira Ayuso | 2018-02-14 | 14 | -207/+69
    This is only required by Linux kernel <= 3.16.x, that's too old and at that time nft was very limited in terms of features, so let's remove this check from example files.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix memory leaks detected by Valgrind | Shyam Saini | 2017-09-04 | 3 | -0/+6
    ==11688== HEAP SUMMARY:
    ==11688==     in use at exit: 40 bytes in 1 blocks
    ==11688==   total heap usage: 7 allocs, 6 frees, 220 bytes allocated
    ==11688==
    ==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==11688==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==11688==    by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
    ==11688==    by 0x40133B: main (nft-chain-add.c:103)
    ==11688==
    ==11688== LEAK SUMMARY:
    ==11688==    definitely lost: 40 bytes in 1 blocks
    ==11688==    indirectly lost: 0 bytes in 0 blocks
    ==11688==      possibly lost: 0 bytes in 0 blocks
    ==11688==    still reachable: 0 bytes in 0 blocks
    ==11688==         suppressed: 0 bytes in 0 blocks

    ==11831== HEAP SUMMARY:
    ==11831==     in use at exit: 40 bytes in 1 blocks
    ==11831==   total heap usage: 7 allocs, 6 frees, 220 bytes allocated
    ==11831==
    ==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==11831==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==11831==    by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
    ==11831==    by 0x401154: main (nft-chain-del.c:79)
    ==11831==
    ==11831== LEAK SUMMARY:
    ==11831==    definitely lost: 40 bytes in 1 blocks
    ==11831==    indirectly lost: 0 bytes in 0 blocks
    ==11831==      possibly lost: 0 bytes in 0 blocks
    ==11831==    still reachable: 0 bytes in 0 blocks
    ==11831==         suppressed: 0 bytes in 0 blocks
    Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
    Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Remove the use of nftnl_mnl_batch_put() | Elise Lennion | 2017-01-16 | 4 | -92/+60
    use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples consistent and avoid code duplication.
    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful objects | Pablo Neira Ayuso | 2016-12-09 | 4 | -0/+412
    This patch allows you to add, to delete and to get stateful objects, this supports two object types: counter and quota.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-elem-add: add missing batch logic | Pablo Neira Ayuso | 2016-11-30 | 1 | -5/+21
    This example is broken since batch logic is missing. Update it to add element of 2 bytes so this works with nft-set-add.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-add: update it to add a set that stores port numbers | Pablo Neira Ayuso | 2016-11-30 | 1 | -2/+3
    This patch updates the existing example to add a set that stores port numbers. In order to interoperate with the nft tool, we use the datatype numbers defined there.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-map-add | Pablo Neira Ayuso | 2016-11-30 | 2 | -0/+161
    Place an example to add a map in the libnftnl tree.
    Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update Arturo Borrero Gonzalez email | Arturo Borrero Gonzalez | 2016-10-17 | 5 | -5/+5
    Update Arturo Borrero Gonzalez email address.
    Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove libmxml support | Arturo Borrero | 2016-09-23 | 12 | -59/+27
    This patch removes the libmxml integration in libnftnl, since we have JSON in place and there is no need to support two at the same time. The JSON support is much better, for example libjansson has a better parsing error reporting. Moreover, libmxml 2.10 breaks the integration with libnftnl somehow, as reported in Debian bug #83870 [0]. Also, the XML support inside libnftnl has never been in good shape, with several tiny inconsistencies.
    [0] https://bugs.debian.org/838370
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-get: selective rule dumping | Josue Alvarez | 2016-07-22 | 1 | -13/+45
    Improve nft-rule-get example to demonstrate selective rule dumping when table and / or chain attributes are set in a rule dump request.
    Usage is now as follows:
      nft-rule-get <family> [<table> <chain>] [<xml|json>]
    Signed-off-by: Josue Alvarez <jalvarez@toulouse.viveris.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-upd: don't use deprecated aliases | Pablo Neira Ayuso | 2016-06-07 | 1 | -10/+10
    Convert this example not to use the deprecated aliases anymore.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: load modules when adding chains or tables | Daniel Wagner | 2016-04-29 | 2 | -2/+2
    Tell the kernel to load the necessary modules by adding the NLM_F_CREATE flag.
    Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix nft-table-upd example | Vijay Subramanian | 2015-10-12 | 1 | -13/+41
    examples/nft-table-upd does not work currently since NFT_MSG_NEWTABLE needs to use batching mode of netlink message delivery. This patch adds batching to nft-table-upd example. While here, also add support for netdev family.
    Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _attr_ infix in new nftnl_ definitions | Pablo Neira Ayuso | 2015-09-07 | 21 | -76/+76
    The function names are already large, trim off the _ATTR_ infix in the attribute definitions.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _ATTR_ infix in new nfntl_ definitions | Pablo Neira Ayuso | 2015-09-07 | 21 | -74/+74
    The constant names are already large, trim off the _ATTR_ infix in the attribute definitions.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_expr | Pablo Neira Ayuso | 2015-09-07 | 1 | -13/+13
    Use a shorter name for this, moreover this can be used from sets so the _rule_ is misleading.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename existing functions to use the nftnl_ prefix | Pablo Neira Ayuso | 2015-09-07 | 23 | -563/+563
    So we can use the nft_* prefix anytime soon for our upcoming higher level library. After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: add nft_ruleset_ctx_free | Alvaro Neira | 2015-03-13 | 1 | -7/+1
    This function releases the ruleset objects attached in the parse context structure, ie. struct nft_parse_ctx. Moreover, this patch updates the nft_parse_ruleset_file to use it.
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-ruleset-parse-file | Alvaro Neira | 2015-03-05 | 2 | -0/+490
    With this example, we can parse the objects in the ruleset and create the netlink message with the action associated. For example:
    - Flush ruleset
    - Add, delete or flush tables/chains
    - Add, delete sets
    - Add, delete set elements
    - Add, delete, replace or prepend rules
    Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-parse-add: fix wrong buffer usage when building rule header | Arturo Borrero | 2014-11-17 | 1 | -1/+2
    The libmnl helper returns a pointer where to start putting the rule data.
    Reported-by: Ian Bishop <ian@pace7.com>
    Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=983
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-add: fix wrong buffer pointer | Arturo Borrero | 2014-09-30 | 1 | -1/+2
    We should point to the batch buffer as returned by the libmnl helper.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-parse-add: add batching support | Arturo Borrero | 2014-09-30 | 1 | -8/+35
    Batching is needed in current kernels.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-json-add: generalize parsing format support | Arturo Borrero | 2014-09-29 | 2 | -29/+52
    Let's create a single code example with XML/JSON support.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* examples: nft-rule-parse-add: add batching support | Arturo Borrero | 2014-09-23 | 1 | -6/+29
    Let's add support for current kernels.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: merge nft-rule-{xml|json}-add.c | Arturo Borrero | 2014-09-23 | 3 | -156/+54
    Merge the two examples in just one. An input argument chooses the format to use.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ruleset generation class | Pablo Neira Ayuso | 2014-09-19 | 1 | -0/+28
    The generation object currently only contains the uint32_t that indicates the generation ID. I could have just added the API to return the uint32_t ID instead, but I think this API is easier to extend without adding new APIs. We can probably include meaningful statistics in the generation message in the future without much hassle. This patch also extends examples/nft-events.c.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-del: add batching support | Arturo Borrero | 2014-08-24 | 1 | -6/+30
    Add batching support so this code example works with current kernels.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-del: add table_del_parse() | Arturo Borrero | 2014-08-24 | 1 | -20/+35
    This new function parses the input arguments and generates the nft_table.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-add: add batching support | Arturo Borrero | 2014-08-24 | 1 | -5/+28
    Adds batching support to this code example, so it works with current kernels.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-add: add table_add_parse() | Arturo Borrero | 2014-08-24 | 1 | -20/+35
    This function parses the command line options and creates the nft_table object.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-parse-add: add batching support | Arturo Borrero | 2014-08-24 | 1 | -8/+32
    Add batching support to operate with recent kernels.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: merge nft-table-{xml|json}-add.c | Arturo Borrero | 2014-08-24 | 3 | -159/+55
    Merge the two examples in one. An input argument chooses the format to use.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-parse-add: add batching support | Arturo Borrero | 2014-08-18 | 1 | -8/+29
    Add batching support to operate with current kernels.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: merge nft-chain-{xml|json}-add.c | Arturo Borrero | 2014-08-18 | 3 | -168/+61
    Merge the two examples in one. Use an input argument to choose the format to parse.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-del: support new batching interface | Arturo Borrero | 2014-08-18 | 1 | -7/+30
    Chains are included in the batch since 3.16. Add support to delete chains depending on the available interface.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-del: add chain_del_parse() | Arturo Borrero | 2014-08-18 | 1 | -6/+19
    This function parses the command line options and creates the nft_chain object.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-chain-add: support new batching interface | Pablo Neira Ayuso | 2014-08-14 | 1 | -5/+29
    Chains are included in the batch since 3.16. Add support for adding the chains depending on the available interface.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>