path: root/include/netlink.h
Commit message (Collapse)AuthorAgeFilesLines
* src: add set netlink message to the batchPablo Neira Ayuso2014-05-191-0/+3
| | | | | | | | | | | | | This patch moves the netlink set messages to the batch that contains the rules. This helps to speed up rule-set restoration time by changing the operational. To achieve this, an internal set ID which is unique to the batch is allocated as suggested by Patrick. To retain backward compatibility, nft initially guesses if the kernel supports set in batches. Otherwise, it falls back to the previous (slowier) operational. Signed-off-by: Pablo Neira Ayuso <>
* src: add events reportingArturo Borrero2014-04-251-0/+10
| | | | | | | | | | This patch adds a basic events reporting option to nft. The syntax is: % nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json] Signed-off-by: Arturo Borrero Gonzalez <> Signed-off-by: Pablo Neira Ayuso <>
* netlink: add socket error reporting helper functionArturo Borrero2014-04-251-0/+1
| | | | | | | | | | | | This patch adds a simple helper function to report errors while opening the Netlink socket. To help users to diagnose problems, a new NFT_EXIT_NONL exit code is included, which is 3. Suggested-by: Pablo Neira Ayuso <> Signed-off-by: Arturo Borrero Gonzalez <> Signed-off-by: Pablo Neira Ayuso <>
* netlink: add netlink specific locationPatrick McHardy2014-02-051-0/+3
| | | | | | | | | | Add a netlink_location and use it for error messages instead of internal_location. internal:0:0-0: Error: Could not add set: Operation not permitted => netlink: Error: Could not add set: Operation not permitted Signed-off-by: Patrick McHardy <>
* ruleset: add XML/JSON exportArturo Borrero Gonzalez2014-01-231-0/+3
| | | | | | | | | | | | | | | | | | | | This patch adds the following operation: :~# nft export <xml|json> The XML/JSON output is provided raw by libnftnl, thus without format. In case of XML, you can give format with the `xmllint' tool from libxml2-tools: :~# nft list ruleset xml | xmllint --format - In case of JSON, you can use `json_pp' from perl standar package: :~# nft list ruleset json | json_pp A format field is added in struct cmd, and it will be reused in the import operation. Signed-off-by: Arturo Borrero Gonzalez <> Signed-off-by: Patrick McHardy <>
* cmd: add create command for tables and chainsPatrick McHardy2014-01-211-2/+2
| | | | | | | | | We currently always use NLM_F_EXCL for add, which makes adding existing chains or tables fail. There's usually no reason why you would care about this, so change "add" to not use NLM_F_EXCL and add a new "create" command in case you do care. Signed-off-by: Patrick McHardy <>
* use new libnftnl library namePablo Neira Ayuso2014-01-201-5/+5
| | | | | | Adapt the current code to use the new library name libnftnl. Signed-off-by: Pablo Neira Ayuso <>
* src: add rule batching supportPablo Neira Ayuso2013-09-231-0/+14
| | | | | | | | | | | | | | | | | | | | | | | This patch allows nft to put all rule update messages into one single batch that is sent to the kernel if `-f' option is used. In order to provide fine grain error reporting, I decided to to correlate the netlink message sequence number with the correspoding command sequence number, which is the same. Thus, nft can identify what rules trigger problems inside a batch and report them accordingly. Moreover, to avoid playing buffer size games at batch building stage, ie. guess what is the final size of the batch for this ruleset update will be, this patch collects batch pages that are converted to iovec to ensure linearization when the batch is sent to the kernel. This reduces the amount of unnecessary memory usage that is allocated for the batch. This patch uses the libmnl nlmsg batching infrastructure and it requires the kernel patch entitled (netfilter: nfnetlink: add batch support and use it from nf_tables). Signed-off-by: Pablo Neira Ayuso <>
* netlink: use uint32_t instead of size_t for attribute lengthPablo Neira Ayuso2013-09-191-2/+2
| | | | | | | According to libnftables change 437d610, now the length obtained via getter function is uint32_t, not size_t anymore. Signed-off-by: Pablo Neira Ayuso <>
* src: use libnftablesPablo Neira Ayuso2013-06-241-24/+43
| | | | | | | | | | | | | | | | | | | | | | | | | This patch migrates nft to use the libnftables library, that is used by the iptables over nftables compat utility as well. Most of the conversion was pretty straight forward. Some small significant changes happened in the handling of set element and immediate data abstraction that libnl provides. libnftables is a bit more granular since it splits the struct nfnl_nft_data into three attributes: verdict, chain and plain data (used in maps). I have added a new file src/mnl.c that contains the low level netlink communication that now resides in nftables source tree instead of the library. This should help to implement the batching support using libmnl in follow up patches. I also spent some significant amount of time running my tests to make sure that we don't increase the number of bugs that we already have (I plan to provide a list of those that I have detected and diagnosed, so anyone else can help us to fix them). As a side effect, this change should also prepare the ground for JSON and XML support anytime soon. Signed-off-by: Pablo Neira Ayuso <>
* cmd/netlink: make sure we always have a location in netlink operationsPatrick McHardy2013-04-181-17/+34
| | | | | | Improve error reporting by always using a location in netlink operations. Signed-off-by: Patrick McHardy<>
* rule: add rule insertion (prepend) supportPatrick McHardy2012-12-141-1/+1
| | | | Signed-off-by: Patrick McHardy <>
* chains: add chain rename supportPatrick McHardy2012-12-141-0/+2
| | | | Signed-off-by: Patrick McHardy <>
* add support for new set API and standalone setsPatrick McHardy2009-07-281-0/+16
| | | | Signed-off-by: Patrick McHardy <>
* netlink: move data related functions to netlink.cPatrick McHardy2009-03-311-0/+11
| | | | | | | Move the data related function to netlink.c as they're going to be needed outside of rule context for set maintenance. Signed-off-by: Patrick McHardy <>
* Fix use of reserved names in header sandwichPatrick McHardy2009-03-181-3/+3
| | | | Signed-off-by: Patrick McHardy <>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+60