authorPablo Neira Ayuso <pablo@netfilter.org>2015-03-12 15:15:14 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2015-03-17 17:26:03 +0100
commitac3a68fb768b7f0e20493038139faa4704dc1846 (patch)
tree1a9010abd009fd6631579b2278a7d2abffa58142 /src/netlink.c
parenta8018eaf35636ac7fc26387f84b4b978db14546f (diff)
src: expose table flags
The nf_tables kernel API provides a way to disable a table using the dormant flag. This patch adds the missing code to expose this feature through nft. Basically, if you want to disable a table and all its chains from seeing any traffic, you have to type: nft add table filter { flags dormant\; } to re-enable the table, you have to: nft add table filter — this clears the flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r--src/netlink.c21
1 files changed, 17 insertions, 4 deletions
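diff --git a/src/netlink.c b/src/netlink.c
index 84d9d272..8c37ec5d 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -800,6 +800,11 @@ static int netlink_add_table_batch(struct netlink_ctx *ctx,
 int err;
 nlt = alloc_nft_table(h);
+if (table != NULL)
+nft_table_attr_set_u32(nlt, NFT_TABLE_ATTR_FLAGS, table->flags);
+else
+nft_table_attr_set_u32(nlt, NFT_TABLE_ATTR_FLAGS, 0);
+
 err = mnl_nft_table_batch_add(nlt, excl ? NLM_F_EXCL : 0,
 ctx->seqnum);
 nft_table_free(nlt);
@@ -887,6 +892,8 @@ static struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
 nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY);
 table->handle.table =
 xstrdup(nft_table_attr_get_str(nlt, NFT_TABLE_ATTR_NAME));
+table->flags =
+nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FLAGS);
 return table;
 }
@@ -923,22 +930,28 @@ int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
 }
 int netlink_get_table(struct netlink_ctx *ctx, const struct handle *h,
-const struct location *loc)
+const struct location *loc, struct table *table)
 {
 struct nft_table *nlt;
+struct table *ntable;
 int err;
 nlt = alloc_nft_table(h);
 err = mnl_nft_table_get(nf_sock, nlt, 0);
 nft_table_free(nlt);
-if (err < 0)
+if (err < 0) {
 netlink_io_error(ctx, loc,
 "Could not receive table from kernel: %s",
 strerror(errno));
-return err;
-}
+return err;
+}
+ntable = netlink_delinearize_table(ctx, nlt);
+table->flags = ntable->flags;
+xfree(ntable);
+return 0;
+}
 int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h,
 const struct location *loc)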
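Review bot: `ntable = netlink_delinearize_table(ctx, nlt);` in the third hunk reads nlt after the unchanged `nft_table_free(nlt);` a few lines above it, so netlink_get_table now copies the flags out of freed memory on every successful lookup — a use-after-free introduced by this change. `xfree(ntable);` also releases only the struct, while netlink_delinearize_table (second hunk) xstrdup's the table name into `handle.table`, so that string leaks once per call; whether the project has a table destructor that should replace the two xfree calls is not visible here. The fix is to keep nlt alive until after the delinearize step and to release the name before the struct, as below. The new `table` parameter is dereferenced unconditionally, unlike the `table != NULL` guard in netlink_add_table_batch, so every caller (outside this hunk) must pass a non-NULL table. netlink_get_table is fully visible in the hunk; netlink_add_table_batch's start lies outside the first hunk.
```c
nlt = alloc_nft_table(h);
err = mnl_nft_table_get(nf_sock, nlt, 0);
if (err < 0) {
	nft_table_free(nlt);
	/* … unchanged: netlink_io_error call … */
	return err;
}
ntable = netlink_delinearize_table(ctx, nlt);
nft_table_free(nlt);
table->flags = ntable->flags;
xfree(ntable->handle.table);
xfree(ntable);
return 0;
```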