summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* build: Bump version to v0.8.2v0.8.2Pablo Neira Ayuso2018-02-021-1/+1
| | | | | | | | | This release includes incremental fixes since last release plus meta secpath support. libnftnl 1.0.9 is still OK as dependency, actually it just prints meta secpath as unknown with --debug=netlink but I don't think that is worth a libnftnl library release. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: add assertion to prevent infinite loopPablo Neira Ayuso2018-02-021-1/+4
| | | | | | | | | | | | | | | | | | | | | | | The following configuration: table inet filter { chain input { ct original ip daddr {1.2.3.4} accept } } is triggering an infinite loop. This problem also exists with concatenations and ct ip {s,d}addr. Until we have a solution for this, let's just prevent infinite loops. Now we hit this: # nft list ruleset nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed. Abort Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: dup and fwd statementsFlorian Westphal2018-01-311-0/+80
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Add back named_interval_automerging_0Phil Sutter2018-01-251-0/+12
| | | | | | | Change the test to expect no automerging since it was disabled recently. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: fetch rule handle with '-a' option and then delete ruleHarsha Sharma2018-01-251-1/+2
| | | | | | | Fetch rule handle and then delete rule via that rule handle. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: build: Add enable man page option.Varsha Rao2018-01-252-1/+3
| | | | | | | Add test for man page compile option. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Remove macro AC_CHECK_FUNCSVarsha Rao2018-01-251-3/+0
| | | | | | | | | | Functions memmove, strchr, strerror and strdup are defined in string.h header file. Also, strtoull is defined in stdlib.h header file. These header files are checked by AC_CHECK_HEADERS macro. AC_CHECK_FUNCS macro is not required, so remove it. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* update gitignorePablo M. Bermudo Garay2018-01-251-0/+2
| | | | | | | | | Add new internal libraries generated since [1] to the .gitignore file. [1]: 0b3ccd27e12d ("build: Restore per object CFLAGS") Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add 'auto-merge' option to setsPablo Neira Ayuso2018-01-2210-7/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After discussions with Karel here: https://bugzilla.netfilter.org/show_bug.cgi?id=1184 And later on with Phil Sutter, we decided to disable the automatic merge feature in sets with intervals. This feature is problematic because it introduces an inconsistency between what we add and what we later on get. This is going to get worse with the upcoming timeout support for intervals. Therefore, we turned off this by default. However, Jeff Kletsky and folks like this feature, so let's restore this behaviour on demand with this new 'auto-merge' statement, that you can place on the set definition, eg. # nft list ruleset table ip x { ... set y { type ipv4_addr flags interval auto-merge } } # nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 } Regarding implementation details: Given this feature only makes sense from userspace, let's store this in the set user data area, so nft knows it has to do automatic merge of adjacent/overlapping elements as per user request. # nft add set x z { type ipv4_addr\; auto-merge\; } Error: auto-merge only works with interval sets add set x z { type ipv4_addr; auto-merge; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert ("src: Remove xt_stmt_() functions").Pablo Neira Ayuso2018-01-204-2/+106
| | | | | | | | | Revert commit bce55916b51ec1a4c23322781e3b0c698ecc9561, we need this code in place to properly make translation when iptables-compat loads rules. Reported-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc/nft.xml: mention nftables earlierArturo Borrero Gonzalez2018-01-191-3/+4
| | | | | | | | | | | | | | | | | Mention nftables earlier in the documentation, so users have more context on what we are talking about. This is Debian bug #887718, which contains: <<< Currently one must read down 100 lines before it is even mentioned. You might want to make the connection between "nft" and "nftables" as early as the NAME or DESCRIPTION. >>> Requested-by: Dan Jacobson <jidanni@jidanni.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: build: Add README.Varsha Rao2018-01-191-0/+12
| | | | | | | Add readme for compile options test script. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Allow to disable man page buildingPhil Sutter2018-01-191-12/+21
| | | | | | | | | | | | Aparently there are distributions which come with incompatible docbook implementations. On those, forced man page creating if required binaries are found leads to build failure. Allow them to conveniently disable man page output instead of having to pass undocumented variables to configure. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Fix help text regarding --enable-debugPhil Sutter2018-01-191-1/+1
| | | | | | | | | Debugging symbols are enabled by default, so list '--disable-debug' in help output rather than '--enable-debug'. This way it is also consistent with the parameter's description. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Eliminate forgotten traces of libnftables exportingPhil Sutter2018-01-193-19/+0
| | | | | | | | | This removes libnftables pkg-config file along with the few lines of code to adjust and install it. Fixes: d572d59788143 ("Make libnftables a local static library") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Remove AC_HEADER_STDBOOL, AC_C_ and AC_TYPE_ macrosVarsha Rao2018-01-191-16/+0
| | | | | | | | | | | | | | | | | The following macros check if particular C types in specific header file exists, these header files defines them and are already included in the source code. So, remove them. AC_HEADER_STDBOOL - stdbool.h AC_TYPE_INT and AC_TYPE_UINT - stdint.h or inttypes.h AC_TYPE_OFF_T and AC_TYPE_UID_T - sys/types.h AC_TYPE_SIZE_T - stddef.h, string.h, stdlib.h or stdio.h Remove AC_C_CONST and AC_C_INLINE as gcc supports inline and const keywords. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add tests for low level json importShyam Saini2018-01-171-0/+71
| | | | | | | | | | | | | | Test "nft import vm json". Basically it loads same set of rules by "nft -f" and "nft import vm json" and prints differences (if any) in the ruleset listed by "nft list ruleset" in each case. For Example: $ ./run-tests.sh testcases/import/vm_json_import_0 Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add import command for low level jsonShyam Saini2018-01-177-28/+373
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This new operation allows to import low level virtual machine ruleset in json to make incremental changes using the parse functions of libnftnl. A basic way to test this new functionality is: $ cat file.json | nft import vm json where the file.json is a ruleset exported in low level json format. To export json rules in low level virtual machine format we need to specify "vm" token before json. See below $ nft export vm json and $ nft export/import json will do no operations. Same goes with "$nft monitor" Highly based on work from Alvaro Neira <alvaroneay@gmail.com> and Arturo Borrero <arturo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Add test for compile options.Varsha Rao2018-01-161-0/+49
| | | | | | | This patch adds a script to test available compile options. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add secpath supportFlorian Westphal2018-01-165-0/+26
| | | | | | | | | This can be used to check if a packet has a secpath attached to it, i.e. was subject to ipsec processing. Example: add rule inet raw prerouting meta secpath exists accept Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.8.1v0.8.1Pablo Neira Ayuso2018-01-111-2/+2
| | | | | | | A release including incremental fixes since last release. Still it needs libnftnl 1.0.9 because of nftnl_expr_fprint(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Don't merge adjacent/overlapping rangesPhil Sutter2018-01-119-25/+45
| | | | | | | | | | | | | | | | | | | | | Previously, when adding multiple ranges to a set they were merged if overlapping or adjacent. This might cause inconvenience though since it is afterwards not easily possible anymore to remove one of the merged ranges again while keeping the others in place. Since it is not possible to have overlapping ranges, this patch adds a check for newly added ranges to make sure they don't overlap if merging is turned off. Note that it is not possible (yet?) to enable range merging using nft tool. Testsuite had to be adjusted as well: One test in tests/py changed avoid adding overlapping ranges and the test in tests/shell which explicitly tests for this feature dropped. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Restore per object CFLAGSPhil Sutter2018-01-101-10/+17
| | | | | | | | As per the automake manual, create internal libraries for parser and mini-gmp sources so per-object flags can be set. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cached copyPablo Neira Ayuso2018-01-082-7/+12
| | | | | | Refresh it to fetch what we have in 4.15-rc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: do not print limit keyword inside object definitionPablo M. Bermudo Garay2017-12-221-2/+2
| | | | | | | | | | | | | | | | table ip limits { limit foo { limit rate 5/second ^^^^^ } } This behaviour is inconsistent and breaks the restoration of saved rule-sets with "nft -f". Fixes: c0697eabe832 ("src: add stateful object support for limit") Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix protocol context update on big-endian systemsPhil Sutter2017-12-128-17/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is an obscure bug on big-endian systems when trying to list a rule containing the expression 'ct helper tftp' which triggers the assert() call in mpz_get_type(). Florian identified the cause: ct_expr_pctx_update() is called for the relational expression which calls mpz_get_uint32() to get RHS value (assuming it is a protocol number). On big-endian systems, the misinterpreted value exceeds UINT_MAX. Expressions' pctx_update() callback should only be called for protocol matches, so ct_meta_common_postprocess() lacked a check for 'left->flags & EXPR_F_PROTOCOL' like the one already present in payload_expr_pctx_update(). In order to fix this in a clean way, this patch introduces a wrapper relational_expr_pctx_update() to be used instead of directly calling LHS's pctx_update() callback which unifies the necessary checks (and adds one more assert): - assert(expr->ops->type == EXPR_RELATIONAL) -> This is new, just to ensure the wrapper is called properly. - assert(expr->op == OP_EQ) -> This was moved from {ct,meta,payload}_expr_pctx_update(). - left->ops->pctx_update != NULL -> This was taken from expr_evaluate_relational(), a necessary requirement for the introduced wrapper to function at all. - (left->flags & EXPR_F_PROTOCOL) != 0 -> The crucial missing check which led to the problem. Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_linearize: exthdr op must be u32Florian Westphal2017-12-111-2/+2
| | | | | | | | libnftnl casts this to u32. Broke exthdr expressions on bigendian. Reported-by: Li Shuang <shuali@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: trivial: Fix error messagePhil Sutter2017-12-091-1/+1
| | | | | | | | The error message for failed chain creation quotes the chain's name but lacked the closing tick. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* Make libnftables a local static libraryPhil Sutter2017-12-042-1/+2
| | | | | | | | | This changes Makefiles so that libnftables is built into a static library which is not installed. This allows for incompatible changes while still providing a library to link to for testing purposes. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 aim for consistent synopses throughoutDuncan Roe2017-12-031-74/+73
| | | | | | | | | | | Single items in braces have the braces removed as per wiki Scripting: "It is simply overkill to define a set that only stores one single element". Items that were in braces or square brackets are made consistent, e.g. {family} expands to single wor Ip, inet &c., but (type) in set spec expands to "type type_name ;". Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: add test for empty string matchHarsha Sharma2017-11-282-0/+3
| | | | | | | | This patch add tests for empty string match which fails with error "Empty string is not allowed". Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: don't print newline if label bit cannot be mappedFlorian Westphal2017-11-271-1/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: print error for null stringHarsha Sharma2017-11-271-1/+4
| | | | | | | | | | | | Print error "Empty string is not allowed", eg. # nft add rule filter input meta iifname '""' add rule filter input meta iifname "" ^^ Error: Empty String is not allowed Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 Syslog level is introduced by "level" not "syslog-level"Duncan Roe2017-11-271-1/+1
| | | | | | | | | | The log synopsis line correctly documents that keyword "level" introduces "syslog-level", but the keyword table entry did not. Discovered on trying to use "syslog-level" in a script. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: no need for 'name' token for metersPablo Neira Ayuso2017-11-246-21/+24
| | | | | | | Rework grammar to skip the 'name' token after 'meter' for named meters. For consistency with sets and maps in terms of syntax. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: dismiss anonymous metersPablo Neira Ayuso2017-11-242-9/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The former 'flow table' syntax allows flow tables with no name: # nft add rule x y flow { ip saddr counter } However, when listing, it leaks the name that it is autoallocating. # nft list ruleset table ip x { chain y { flow table __mt0 { ip saddr counter} } } Which is odd since then restoring will use such a name. Remove anonymous flow table/meters, so everyone needs to specify a name. There is no way to fix this, given anonymous flag tells us that the set behind this meter is bound to a rule, hence, released once the rule is going - the term "anonymous" was not good choice as a flag in first place. Only possibility is to strcmp for __ft to identify this is a nameless meter, which is a hack. Moreover, having no name means you cannot flush the set behind this meter, which criples this feature for no reason. On top of it, the wiki only documents named meters, and we have a record of users complaining on this behaviour. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* src: deprecate "flow table" syntax, replace it by "meter"Pablo Neira Ayuso2017-11-2415-104/+130
| | | | | | | | | | | | | | | | | | | | | | | | | According to bugzilla 1137: "flow tables" should not be syntactically unique. "Flow tables are always named, but they don't conform to the way sets, maps, and dictionaries work in terms of "add" and "delete" and all that. They are also "flow tables" instead of one word like "flows" or "throttle" or something. It seems weird to just have these break the syntactic expectations." Personally, I never liked the reference to "table" since we have very specific semantics in terms of what a "table" is netfilter for long time. This patch promotes "meter" as the new keyword. The former syntax is still accepted for a while, just to reduce chances of breaking things. At some point the former syntax will just be removed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* gmputil: turn mpz_printf into mpz_vfprintf to restore --with-mini-gmpPablo Neira Ayuso2017-11-222-9/+12
| | | | | | | | | | 2535ba7006f2 ("src: get rid of printf") uses gmp_vfprintf() which doesn't exists in mini-gmp.c, this breaks compilation with --mini-gmp. This patch implements poor man's gmp_vfprintf that takes one single argument which is what we need. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: fix one compilation error with --with-mini-gmpPablo Neira Ayuso2017-11-221-0/+4
| | | | | | | | | | | | | | | Restore some code that is needed, until we have a version of gmp_printf that takes variable arguments. In file included from ../include/utils.h:12:0, from ../include/nftables.h:6, from ../include/rule.h:5, from segtree.c:15: segtree.c: In function ‘ei_insert’: ../include/gmputil.h:12:20: error: too many arguments to function ‘mpz_printf’ #define gmp_printf mpz_printf Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Prevent lockout in nft-f/0008split_tables_0Phil Sutter2017-11-221-2/+2
| | | | | | | | | | | Since packets traverse both tables, the accept rule in the first one is ineffective due to the second table's drop policy. To prevent lockouts when running the testsuite via SSH connection, set the second chain's policy to accept as well. Fixes: 337c7e0de3d9d ("tests: shell: make sure split table definition works via nft -f") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Ensure output_fp is never NULLPhil Sutter2017-11-223-12/+5
| | | | | | | | | | | | | | Initialize output_fp to 'stdout' upon context creation and check output stream validity in nft_ctx_set_output(). This allows to drop checks in nft_{gmp_,}print() and do_command_export(). While doing so for the latter, simplify it a bit by using nft_print() which takes care of flushing the output stream. If applications desire to drop all output, they are supposed to open /dev/null and assign that. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 document use of -f option to start nft scriptsDuncan Roe2017-11-201-0/+3
| | | | | | | | | The man page didn't document nft scripts at all before, so putting that with the -f option seemed as good a place as any. It does work to start scripts is also updated. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Add test for IPv4 Mapped IPv6 address.Varsha Rao2017-11-201-0/+25
| | | | | | | This patch adds test case for IPv4 Mapped IPv6 address. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Rename 0025named_limit_0 to 0026named_limit_0Varsha Rao2017-11-201-0/+0
| | | | | | | | This renames file 0025named_limit_0 to 0026named_limit_0, there is already a test whose prefix is 0025. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: tests: files: Remove test files.Varsha Rao2017-11-1613-243/+0
| | | | | | | | This patch removes all the test cases from tests/files. As they are already present in other test files. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Make 'nft export' respect output_fpPhil Sutter2017-11-161-2/+7
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Split code into frontend and libraryPhil Sutter2017-11-167-9/+45
| | | | | | | | | | | | | | | | | | | | | | | This finally creates the libnftables shared object. For some reason, this causes two compiler warnings to appear: | parser_bison.y: In function 'nft_parse': | parser_bison.y:131:3: warning: implicit declaration of function 'nft_set_debug' [-Wimplicit-function-declaration] | nft_set_debug(1, scanner); | ^~~~~~~~~~~~~ | parser_bison.c:64:25: warning: implicit declaration of function 'nft_lex' [-Wimplicit-function-declaration] | #define yylex nft_lex | ^ | parser_bison.c:4745:16: note: in expansion of macro 'yylex' | yychar = yylex (&yylval, &yylloc, scanner); So this patch contains a workaround, namely declaring both functions in src/parser_bison.y. During linking the objects are found, so this is rather a matter of cosmetics. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Unexport enum nftables_exit_codesPhil Sutter2017-11-164-26/+23
| | | | | | | | | | | | | | | | Apart from SUCCESS/FAILURE, these codes were not used by library functions simply because NOMEM and NONL conditions lead to calling exit() instead of propagating the error condition back up the call stack. Instead, make nft_run_cmd_from_*() return either 0 or -1 on error. Usually errno will then contain more details about what happened and/or there are messages in erec. Calls to exit()/return in main() are adjusted to stay compatible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Eliminate struct mnl_ctxPhil Sutter2017-11-165-221/+150
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The issue leading to this patch was that debug output in nft_mnl_talk() bypasses the application-defined output_fp. While investigating, another problem was discovered: Most of the ad-hoc defined mnl_ctx objects have their field 'debug_mask' set to zero regardless of what netlink_ctx contains (this affects non-batch code path only). The intuitive solution to both of those issues required to extend function parameters of all the non-batch functions as well as the common nft_mnl_talk() one. Instead of complicating them even further, this patch instead makes them accept a pointer to netlink_ctx as first parameter to gather both the old (nf_sock, seqnum) and the new values (debug_mask, octx) from. Since after the above change struct mnl_ctx was not really used anymore, so the remaining places were adjusted as well to allow for removing the struct altogether. Note that cache routines needed special treatment: Although parameters of cache_update() make it a candidate for the same change, it can't be converted since it is called in evaluation phase sometimes in which there is no netlink context available (but just eval context instead). Since netlink_genid_get() needs a netlink context though, the ad-hoc netlink_ctx definition from cache_init() is moved into cache_update() to have it available there already. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Flush iface cache after command executionPhil Sutter2017-11-131-0/+2
| | | | | | | | | | | | | | Commit 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes") was a bit too optimistic in that it missed the remaining need to flush interface cache after each command in interactive mode - otherwise, newly added interfaces won't be recognized. Although cli.c only calls nft_run_cmd_from_buffer(), flush caches in nft_run_cmd_from_filename() as well for matters of consistency. Fixes: 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>