| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-13 16:38:33 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-24 11:50:00 +0200 |
| commit | aae836a7aa628af4d4d5dd97d0eefa898e8f5245 (patch) | |
| tree | 0a5999838de7e19bba5c2bfb7172fec8d70c2da5 /include/mnl.h | |
| parent | f171d1cf8a6530fe0ac204d4a6520fe0e2a70da4 (diff) | |
src: use libnftables
This patch migrates nft to use the libnftables library, that is used
by the iptables over nftables compat utility as well. Most of the
conversion was pretty straightforward. Some small significant changes
happened in the handling of set element and immediate data abstraction
that libnl provides. libnftables is a bit more granular since it splits
the struct nfnl_nft_data into three attributes: verdict, chain and plain
data (used in maps).
I have added a new file src/mnl.c that contains the low level netlink
communication that now resides in nftables source tree instead of
the library. This should help to implement the batching support using
libmnl in follow up patches.
I also spent some significant amount of time running my tests to make
sure that we don't increase the number of bugs that we already have
(I plan to provide a list of those that I have detected and diagnosed,
so anyone else can help us to fix them).
As a side effect, this change should also prepare the ground for
JSON and XML support anytime soon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/mnl.h')
-rw-r--r-- | include/mnl.h | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/include/mnl.h b/include/mnl.h new file mode 100644 index 00000000..bd244898 --- /dev/null +++ b/include/mnl.h @@ -0,0 +1,43 @@ +#ifndef _NFTABLES_MNL_H_ +#define _NFTABLES_MNL_H_ + +int mnl_nft_rule_add(struct mnl_socket *nf_sock, struct nft_rule *r, + unsigned int flags); +int mnl_nft_rule_delete(struct mnl_socket *nf_sock, struct nft_rule *r, + unsigned int flags); +struct nft_rule_list *mnl_nft_rule_dump(struct mnl_socket *nf_sock, + int family); + +int mnl_nft_chain_add(struct mnl_socket *nf_sock, struct nft_chain *nlc, + unsigned int flags); +int mnl_nft_chain_delete(struct mnl_socket *nf_sock, struct nft_chain *nlc, + unsigned int flags); +struct nft_chain_list *mnl_nft_chain_dump(struct mnl_socket *nf_sock, + int family); +int mnl_nft_chain_get(struct mnl_socket *nf_sock, struct nft_chain *nlc, + unsigned int flags); + +int mnl_nft_table_add(struct mnl_socket *nf_sock, struct nft_table *nlt, + unsigned int flags); +int mnl_nft_table_delete(struct mnl_socket *nf_sock, struct nft_table *nlt, + unsigned int flags); +struct nft_table_list *mnl_nft_table_dump(struct mnl_socket *nf_sock, + int family); +int mnl_nft_table_get(struct mnl_socket *nf_sock, struct nft_table *nlt, + unsigned int flags); + +int mnl_nft_set_add(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +int mnl_nft_set_delete(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +struct nft_set_list *mnl_nft_set_dump(struct mnl_socket *nf_sock, int family, + const char *table); +int mnl_nft_set_get(struct mnl_socket *nf_sock, struct nft_set *nls); + +int mnl_nft_setelem_add(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +int mnl_nft_setelem_delete(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nft_set *nls); + +#endif /* _NFTABLES_MNL_H_ */ |
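Review bot: the new header uses `struct mnl_socket`, `struct nft_rule`, `struct nft_chain`, `struct nft_table` and `struct nft_set` in every prototype but neither includes the libmnl/libnftables headers nor forward-declares those types, so any translation unit that includes include/mnl.h before those headers gets each struct declared at prototype scope, the declarations no longer refer to the real types, and gcc warns "struct ... declared inside parameter list". Adding `struct mnl_socket;` plus the four `struct nft_*;` forward declarations directly after `#define _NFTABLES_MNL_H_` (or including the library headers there) makes the header self-contained and safe to include in any order. Minor: `mnl_nft_set_get()` and `mnl_nft_setelem_get()` are the only `*_get()` functions that omit the `unsigned int flags` argument, and `mnl_nft_set_dump()` is the only `*_dump()` that takes a `const char *table`; if these asymmetries are intentional a short comment in the header would help callers, otherwise keeping the signatures uniform across the rule/chain/table/set groups avoids surprises.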