summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* rename library to libnftnllibnftnl-1.0.0Pablo Neira Ayuso2014-01-209-26/+26
| | | | | | We plan to use this library name for the higher layer library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add interface to parse from fileArturo Borrero2014-01-095-0/+12
| | | | | | | | This patch adds a new API to parse rule-set expressed in XML/JSON from a file. A new enum nft_parse_input type is added for this purpose. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: new error reporting approach for XML/JSON parsersÁlvaro Neira Ayuso2014-01-066-6/+23
| | | | | | | | | | | | | | I have added a new structure for reporting some errors in parser that we can't cover with errno. In this patch, we have three errors that we can't cover with errno: NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input NFT_PARSE_EMISSINGNODE : Missing node in our input NFT_PARSE_EBADTYPE : Wrong type value in a node Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update netlink.h to 3.13Tomasz Bursztyka2013-12-121-5/+84
| | | | | | | | Use kernel header from 3.13-rc upstream kernel, this includes documentation changes that were missing. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-rule-add: use existing batch infrastructurePablo Neira Ayuso2013-12-101-0/+5
| | | | | | | | | | | | | | This patch reworks the existing example to add the rule: nft add rule ip filter input tcp dport 22 counter It uses the existing nfnl batching approach using the generic mnl netlink message batching infrastructure. It also removed the code that uses xtables compat code. Based on original patch by Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-target: fix deprecation warningArturo Borrero2013-11-302-1/+20
| | | | | | | | | This fixes the following warning: In file included from nft-expr_target-test.c:19:0: /usr/include/linux/netfilter_ipv4/ipt_LOG.h:4:2: warning: #warning "Please update iptables, this file will be removed soon!" [-Wcpp] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate netlink build header functionPablo Neira Ayuso2013-11-245-5/+9
| | | | | | | | | Add new function nft_nlmsg_build_hdr which consolidates all existing functions to build headers per object. They basically look the same. This patch still provides aliases for consistency in the naming approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix possible clash in ifdef namespacePablo Neira Ayuso2013-11-247-20/+20
| | | | | | | | Use _LIBNFTABLES_ prefix to avoid possible clash with headers that are defined in other libraries that may be used by third party applications. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table/chain: add u8 setter and getter for family valuesAna Rey2013-11-202-0/+4
| | | | | | | These are needed to set the family value for chain and table. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix make distcheckPablo Neira Ayuso2013-11-181-1/+1
| | | | | | | | | | Fix missing files that were not included in the tarball that distcheck generates. This also includes AC_EXEEXT, otherwise configure complains about undefined CHECK_GCC_FVISIBILITY. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: unify parse and output typesÁlvaro Neira Ayuso2013-11-147-72/+34
| | | | | | | | | Unify parse and output types that are redundant to all existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT] are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML]. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve build errors in dependent programsJan Engelhardt2013-11-056-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | The headers do not compile standalone which may cause compilation problems to third party programs. $ gcc -x c -Wall -c *.h chain.h:62:35: error: unknown type name ‘size_t’ expr.h:40:39: error: unknown type name ‘size_t’ rule.h:60:34: error: unknown type name ‘size_t’ ruleset.h:20:1: error: unknown type name ‘bool’ ruleset.h:20:59: error: unknown type name ‘uint16_t’ ruleset.h:21:52: error: unknown type name ‘uint16_t’ ruleset.h:22:50: error: unknown type name ‘uint16_t’ ruleset.h:23:63: error: unknown type name ‘uint16_t’ ruleset.h:39:37: error: unknown type name ‘size_t’ ruleset.h:39:80: error: unknown type name ‘uint32_t’ ruleset.h:39:95: error: unknown type name ‘uint32_t’ set.h:40:33: error: unknown type name ‘size_t’ set.h:110:38: error: unknown type name ‘size_t’ table.h:50:35: error: unknown type name ‘size_t’ Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fprintf API functionsArturo Borrero2013-11-035-0/+12
| | | | | | | | | | | | | | Now it's possible to print directly from libnftables to a file or other stream. The caller must explicitly print the trailing '\n' in this call. The error reporting of fprintf (< 0) is respected. However, we have already print some information in case that the default (plain text) output is used, that output is mostly intended for debugging so it should not be a problem. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fix missing struct nlmsghdr without definitionPablo Neira Ayuso2013-10-274-0/+8
| | | | | | | | | The definition of this structure belongs to the scope of linux/netlink.h. Based on patch from Jan Engelhardt. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add rejectPablo Neira Ayuso2013-10-271-0/+5
| | | | | | | This patch adds support for the reject expression. Tested-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove NFT_RULE_ATTR_FLAGSPablo Neira Ayuso2013-10-271-1/+0
| | | | | | | This is a leftover from the time we had per rule flags, obsoleted by the new rule batching approach. Kill it as it is unused. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: operational limit matchPhil Oester2013-10-222-3/+3
| | | | | | | | | | | | | | | | | | | | | The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation: - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level?? - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit. - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match. This closes netfilter bugzilla #827, reported by Eric Leblond. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add low-level ruleset APIArturo Borrero2013-10-012-1/+47
| | | | | | | | This patch adds a low level ruleset API for libnftables. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: get rid of NFTA_RULE_FLAGSPablo Neira Ayuso2013-09-241-8/+0
| | | | | | | It has been removed after (netfilter: nf_tables: all rule updates are transactional). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace size_t by uint32_t in set/get interfacesPablo Neira Ayuso2013-09-192-4/+4
| | | | | | | | | | | | This patch breaks the ABI to shrink the size parameter from 8 to 4 bytes in x86_64. The maximum length of netlink attributes is 2 bytes, so 4 bytes as attribute payload length should be enough. After this patch, size_t is only used in the nft_*_snprintf interfaces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_delPablo Neira Ayuso2013-09-174-1/+4
| | | | | | | This allows us to delete object from the list, note that nft_chain_list_del already existed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add json parser supportÁlvaro Neira Ayuso2013-08-281-0/+1
| | | | | | | Add function for parsing set in format JSON. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify nft_*_parse input dataArturo Borrero Gonzalez2013-08-224-5/+5
| | | | | | | Since the input string is not changing, let's make it constant. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Add json parser supportÁlvaro Neira Ayuso2013-08-201-0/+1
| | | | | | | Add function for parsing rules in JSON format Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_get_u16 and nft_rule_expr_set_u16Pablo Neira Ayuso2013-08-171-0/+2
| | | | | | Now required since log has two u16 fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: constify nft_set_elem_attr_get_strPablo Neira Ayuso2013-08-061-1/+1
| | | | | | | Should have been done in (ec75831 src: fully constify nft_*_get functions) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fully constify nft_*_get functionsPablo Neira Ayuso2013-08-062-2/+2
| | | | | | | | | We have several char * field that were not constify to avoid gcc compilation warnings when calling free. Since (99d2574 src: add xfree and use it), we can fully constify these objects fields without trouble. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Add json parser supportÁlvaro Neira Ayuso2013-07-311-0/+1
| | | | | | | Add function for parsing chains in format JSON. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add XML parsingArturo Borrero2013-07-261-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Sets are now parsed, following this previous snprintf pattern: <set> <set_name>string</set_name> <set_table>table</set_table> <set_xml_version>int</set_xml_version> <set_flags>uint32_t</set_flags> <key_type>uint32_t</key_type> <key_len>size_t</key_len> <data_type>uint32_t</data_type> <data_len>size_t</data_len> <set_elem> <set_elem_flags>uint32_t</set_elem_flags> <set_elem_key> <data_reg type="value"> <len></len> <dataN></dataN> </data_reg> </set_elem_key> <set_elem_data> <data_reg type="xx"> [...] </data_reg> </set_elem_data> </set_elem> </set> Signed-off-by: Arturo Borrero González <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: Add json parser supportÁlvaro Neira Ayuso2013-07-251-0/+1
| | | | | | | Add function for parsing tables in format JSON Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify parameter of nft_*_is_setEric Leblond2013-07-194-5/+5
| | | | | | | | The functions nft_*_attr_is_set() is doing no modification so it is possible to type it to const. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add support for position attributeEric Leblond2013-07-192-0/+2
| | | | | | | | This patch adds support for position attribute which can be used to insert a rule at a given position. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_add_tailPablo Neira Ayuso2013-07-164-0/+4
| | | | | | | This redefines the meaning of nft_*_list_add to prepend, before this patch it was appending, which was semantically wrong. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_is_empty() functionsArturo Borrero2013-07-154-0/+4
| | | | | | | | | This functions check if a given nft_*_list is empty or not. I found this quite useful while working with a full ruleset. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update include/linux/netfilter/nf_tables.hPablo Neira Ayuso2013-07-131-3/+211
| | | | | | Get it in sync with the current kernel tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add xml outputArturo Borrero2013-07-061-0/+1
| | | | | | | This patch adds XML output for sets. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add json outputÁlvaro Neira Ayuso2013-07-061-0/+5
| | | | | | | This patch allows you to dump set and their content in json format. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate XML parsing of expressions via nft_mxml_expr_parsePablo Neira Ayuso2013-07-041-0/+2
| | | | | | | | | Move common code for XML parsing of expressions to the new nft_mxml_expr_parse function. This patch reduces the XML parsing code in 300 LOC. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Fix header inclusion for integer typesTomasz Bursztyka2013-07-031-0/+1
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support JSON format in chain, rule and expressionsÁlvaro Neira Ayuso2013-06-291-0/+1
| | | | | | | While at it, order possible switch cases of _snprintf. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_snprintfPablo Neira Ayuso2013-06-191-0/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add stdbool.h to libnftables/expr.hPablo Neira Ayuso2013-06-171-0/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify first parameter of all nft_*_getPablo Neira Ayuso2013-06-172-10/+10
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFT_SET_ATTR_FAMILYPablo Neira Ayuso2013-06-171-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_attr_is_setPablo Neira Ayuso2013-06-175-0/+13
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_list_foreachPablo Neira Ayuso2013-06-174-0/+10
| | | | | | This patch adds a simplied iterator interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add limitPablo Neira Ayuso2013-06-131-0/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add byteorderPablo Neira Ayuso2013-06-121-0/+8
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add ctPablo Neira Ayuso2013-06-121-0/+6
| | | | | | This patch adds the ct expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add exthdrPablo Neira Ayuso2013-06-111-0/+7
| | | | | | | This patch adds support for the exthdr expression of nftables that is implemented in linux/net/netfilter/nft_exthdr.c Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>