From 2e66fb09d6936d17ab8240188f511529fcae8c67 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 12 Sep 2014 11:52:18 +0200
Subject: src: add ruleset generation class

The generation object currently only contains the uint32_t that indicates the generation ID. I could have just add the API to return the uint32_t ID instead, but I think this API is easier to extend without adding new APIs. We can probably include meaningful statistics in the generation message in the future without much hassle. This patch also extends examples/nft-events.c.

Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/gen.h | 51 +++++++++++++++++++++++++++++++++++++
include/linux/netfilter/nf_tables.h | 19 ++++++++++++--
2 files changed, 68 insertions(+), 2 deletions(-)
create mode 100644 include/libnftnl/gen.h
(limited to 'include')

diff --git a/include/libnftnl/gen.h b/include/libnftnl/gen.h
new file mode 100644
index 0000000..00753b0
--- /dev/null
+++ b/include/libnftnl/gen.h
@@ -0,0 +1,51 @@
+#ifndef _LIBNFTNL_GEN_H_
+#define _LIBNFTNL_GEN_H_
+
+#include
+#include
+#include
+#include
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nft_gen;
+
+struct nft_gen *nft_gen_alloc(void);
+void nft_gen_free(struct nft_gen *);
+
+enum {
+ NFT_GEN_ID = 0,
+ __NFT_GEN_MAX
+};
+#define NFT_GEN_MAX (__NFT_GEN_MAX - 1)
+
+bool nft_gen_attr_is_set(const struct nft_gen *gen, uint16_t attr);
+void nft_gen_attr_unset(struct nft_gen *gen, uint16_t attr);
+void nft_gen_attr_set(struct nft_gen *gen, uint16_t attr, const void *data);
+void nft_gen_attr_set_data(struct nft_gen *gen, uint16_t attr,
+ const void *data, uint32_t data_len);
+const void *nft_gen_attr_get(struct nft_gen *gen, uint16_t attr);
+const void *nft_gen_attr_get_data(struct nft_gen *gen, uint16_t attr,
+ uint32_t *data_len);
+
+void nft_gen_attr_set_u32(struct nft_gen *gen, uint16_t attr, uint32_t data);
+uint32_t nft_gen_attr_get_u32(struct nft_gen *gen, uint16_t attr);
+
+struct nlmsghdr;
+int nft_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_gen *gen);
+
+int nft_gen_snprintf(char *buf, size_t size, struct nft_gen *gen, uint32_t type, uint32_t flags);
+int nft_gen_fprintf(FILE *fp, struct nft_gen *gen, uint32_t type, uint32_t flags);
+
+#define nft_gen_nlmsg_build_hdr nft_nlmsg_build_hdr
+int nft_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_gen *gen);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_GEN_H_ */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 36c4ca2..b72ccfe 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
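Review bot: `int nft_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_gen *gen);` is declared twice in the new header, once right after the `struct nlmsghdr;` forward declaration and again after the `nft_gen_nlmsg_build_hdr` alias; the second copy should be dropped. The accessors are also inconsistent about const: `nft_gen_attr_is_set` takes `const struct nft_gen *`, while `nft_gen_attr_get`, `nft_gen_attr_get_data`, `nft_gen_attr_get_u32`, `nft_gen_snprintf` and `nft_gen_fprintf` take a mutable pointer although, judging by their names, they presumably only read the object, so a caller holding a `const struct nft_gen *` cannot use them without a cast. `void nft_gen_free(struct nft_gen *);` should name its parameter like every other prototype here, and the `nft_gen_snprintf` line would fit the rest of the file if wrapped after `struct nft_gen *gen,`. Since this is the public API, a short Doxygen comment on `nft_gen_alloc`/`nft_gen_free` stating that the returned object is owned by the caller and released with `nft_gen_free`, and one on `nft_gen_nlmsg_parse` giving its return convention (which the header alone does not show, so take it from the .c), would help library users.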
@@ -51,6 +51,8 @@ enum nft_verdicts {
  * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes)
  * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes)
  * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes)
+ * @NFT_MSG_NEWGEN: announce a new generation, only for events (enum nft_gen_attributes)
+ * @NFT_MSG_GETGEN: get the rule-set generation (enum nft_gen_attributes)
  */
 enum nf_tables_msg_types {
  NFT_MSG_NEWTABLE,
@@ -68,6 +70,8 @@ enum nf_tables_msg_types {
  NFT_MSG_NEWSETELEM,
  NFT_MSG_GETSETELEM,
  NFT_MSG_DELSETELEM,
+ NFT_MSG_NEWGEN,
+ NFT_MSG_GETGEN,
  NFT_MSG_MAX,
 };
 
@@ -785,7 +789,7 @@ enum nft_nat_types {
  * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
  * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
  * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
- * @NFTA_NAT_FLAGS: additional NAT configuration (NF_NAT_RANGE_*) (NLA_U32)
+ * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
  */
 enum nft_nat_attributes {
  NFTA_NAT_UNSPEC,
@@ -803,7 +807,7 @@ enum nft_nat_attributes {
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
- * @NFTA_MASQ_FLAGS: additional masquerade configuration (NF_NAT_RANGE_*) (NLA_U32)
+ * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
  */
 enum nft_masq_attributes {
  NFTA_MASQ_UNSPEC,
@@ -812,5 +816,16 @@ enum nft_masq_attributes {
 };
 #define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1)
 
+/**
+ * enum nft_gen_attributes - nf_tables ruleset generation attributes
+ *
+ * @NFTA_GEN_ID: Ruleset generation ID (NLA_U32)
+ */
+enum nft_gen_attributes {
+ NFTA_GEN_UNSPEC,
+ NFTA_GEN_ID,
+ __NFTA_GEN_MAX
+};
+#define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1)
 
 #endif /* _LINUX_NF_TABLES_H */
-- 
cgit v1.2.3
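Review bot: Inserting `NFT_MSG_NEWGEN` and `NFT_MSG_GETGEN` ahead of `NFT_MSG_MAX` in the `@@ -68,6 +70,8 @@` hunk changes the value of `NFT_MSG_MAX`, so any array in the library that is sized or indexed by `NFT_MSG_MAX` (none is visible in this diff, but per-message-type dispatch tables are a common pattern) now needs entries for the two new types, otherwise a NEWGEN or GETGEN message would index past the end of such a table. Placing the new values at the end of the enum is the right choice for this header since it keeps every existing message-type value unchanged. A one-line comment on the enum noting that the numbering must stay in sync with the kernel header this file mirrors would make that constraint explicit for the next addition; the same applies to the new `enum nft_gen_attributes` at the end of the file.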