| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the past, CLI as a potentially long running process had to make sure
it kept it's cache up to date with kernel's rule set. A simple test case
is this:
| shell a | shell b
| | # nft -i
| # nft add table ip t |
| | nft> list ruleset
| | table ip t {
| | }
| # nft flush ruleset |
| | nft> list ruleset
| | nft>
In order to make sure interactive CLI wouldn't incorrectly list the
table again in the second 'list' command, it immediately flushed it's
cache after every command execution.
This patch eliminates the need for that by making cache updates depend
on kernel's generation ID: A cache update stores the current rule set's
ID in struct nft_cache, consecutive calls to cache_update() compare that
stored value to the current generation ID received from kernel - if the
stored value is zero (i.e. no previous cache update did happen) or if it
doesn't match the kernel's value (i.e. cache is outdated) the cache is
flushed and fully initialized again.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Prepend nft_ prefix before these are exposed, reduce chances we hit
symbol namespace pollution problems when mixing libnftables with other
existing libraries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces getter/setter pairs for all parts in struct nft_ctx (and
contained structs) which should be configurable.
Most of them are simple ones, just allowing to get/set a given field:
* nft_ctx_{get,set}_dry_run() -> ctx->check
* nft_ctx_output_{get,set}_numeric() -> ctx->output.numeric
* nft_ctx_output_{get,set}_stateless() -> ctx->output.stateless
* nft_ctx_output_{get,set}_ip2name() -> ctx->output.ip2name
* nft_ctx_output_{get,set}_debug() -> ctx->debug_mask
* nft_ctx_output_{get,set}_handle() -> ctx->output.handle
* nft_ctx_output_{get,set}_echo() -> ctx->output.echo
A more complicated case is include paths handling: In order to keep the
API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate
nft_ctx field include_paths instead. So there is:
* nft_ctx_add_include_path() -> add an include path to the list
* nft_ctx_clear_include_paths() -> flush the list of include paths
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make CLI code adhere to intended libnftables API by not open coding what
nft_run_cmd_from_buffer() does. This way, nft_run() has no users outside
of src/libnftables.c anymore and therefore can become static.
Since nft_run_cmd_from_buffer() takes care of scanner initialization and
libmnl socket passed to cli_init() is present as nft_ctx field as well,
signature of cli_init() can be reduced to just take nft_ctx pointer as
single argument.
Note that this change introduces two (possibly unwanted) side-effects:
* Input descriptor passed to scanner_push_buffer() is changed from the
CLI-specific one to the one used by nft_run_cmd_from_buffer().
In practice though, this doesn't make a difference: input descriptor
types INDESC_CLI and INDESC_BUFFER are treated equally by erec_print().
Also, scanner_push_buffer() NULLs input descriptor name, so that is not
used at all in latter code.
* Error messages are printed to stderr instead of cli_nft->output.
This could be fixed by introducing an 'error_output' field in nft_ctx
for nft_run_cmd_from_buffer() to use when printing error messages.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows an application to explicitly flush caches associated with a
given nft context, as seen in cli_complete().
Note that this is a bit inconsistent in that it releases the global
interface cache, but nft_ctx_free() does the same so at least it's not a
regression.
Note that there is no need for explicit cache update routine since cache
is populated during command execution depending on whether it is needed
or not.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This creates src/libnftables.c and include/nftables/nftables.h which
will become the central elements of libnftables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|