From 6d085b22a8b5165406b5727ccf21a91ac5b97136 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 20 Feb 2021 16:18:03 +0100
Subject: table: support for the table owner flag

Add new flag to allow userspace process to own tables: Tables that have an owner can only be updated/destroyed by the owner. The table is destroyed either if the owner process calls nft_ctx_free() or owner process is terminated (implicit table release). The ruleset listing includes the program name that owns the table:

nft> list ruleset
table ip x { # progname nft flags owner
chain y {
type filter hook input priority filter; policy accept;
counter packets 1 bytes 309
}
}

Original code to pretty print the netlink portID to program name has been extracted from the conntrack userspace utility.

Signed-off-by: Pablo Neira Ayuso
---
include/owner.h | 6 ++++++
include/rule.h | 4 +++-
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 include/owner.h
(limited to 'include')

diff --git a/include/owner.h b/include/owner.h
new file mode 100644
index 00000000..85d821cc
--- /dev/null
+++ b/include/owner.h
@@ -0,0 +1,6 @@
+#ifndef _NFT_OWNER_H_
+#define _NFT_OWNER_H_
+
+char *get_progname(uint32_t portid);
+
+#endif
diff --git a/include/rule.h b/include/rule.h
index 87b6828e..523435f6 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -131,8 +131,9 @@ struct symbol *symbol_get(const struct scope *scope, const char *identifier);
 enum table_flags {
 TABLE_F_DORMANT = (1 << 0),
+TABLE_F_OWNER = (1 << 1),
 };
-#define TABLE_FLAGS_MAX 1
+#define TABLE_FLAGS_MAX 2
 const char *table_flag_name(uint32_t flag);
@@ -162,6 +163,7 @@ struct table {
 struct list_head chain_bindings;
 enum table_flags flags;
 unsigned int refcnt;
+uint32_t owner;
 const char *comment;
 };
-- 
cgit v1.2.3
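Review bot: The new include/owner.h uses `uint32_t` in the `get_progname` prototype but includes nothing, so the header is not self-contained and only compiles in translation units that happen to pull in `<stdint.h>` earlier; add `#include <stdint.h>` directly after the include guard. The non-const `char *` return type also leaves ownership unstated — from the declaration alone a caller cannot tell whether it must free the result, whether a later call overwrites it, or what is returned when no name can be resolved — so the prototype needs a contract comment along the lines of `/* Resolve a netlink portid to the name of the program bound to it; NULL if unknown. TODO: document who owns the returned buffer. */`, with the ownership part filled in from the implementation, which is not in this diff. Since the commit message describes the input as a netlink portID, that comment should also say the name is for display in listings only: a portid conventionally matches the owner's pid but is not guaranteed to, so the string must not be used to make any ownership or access decision.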
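Review bot: `TABLE_FLAGS_MAX` is bumped from 1 to 2 by hand in step with the new enum value, and its name does not say whether it is the count of defined flags or the highest flag value — the two coincide for bits 0 and 1 but diverge at the next flag (1 << 2 == 4), which is exactly when a loop in `table_flag_name` or a bounds check keyed on this macro would silently go wrong. A comment pinning the meaning, e.g. `#define TABLE_FLAGS_MAX 2 /* number of flags in enum table_flags; bump when adding one */`, prevents that, and the new enumerator itself deserves a line such as `TABLE_F_OWNER = (1 << 1), /* table is bound to the creating process; only it may update/delete it */`, which is what the commit message states. How `TABLE_FLAGS_MAX` is consumed is not visible here, so which of the two meanings is correct has to be confirmed against the users of the macro before the comment is written.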
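Review bot: The new `uint32_t owner` member of `struct table` carries no comment, and unlike its neighbours its meaning cannot be read off the name — whether it holds a netlink portid, a pid, or something else is not stated, nor what its value is when `TABLE_F_OWNER` is not set. Given that the `get_progname()` added alongside takes a `uint32_t portid`, it is presumably the netlink portid of the owning socket; a comment such as `uint32_t owner; /* netlink portid of the owning socket; only meaningful when flags has TABLE_F_OWNER */` would record that, with the portid assumption checked against the code that fills the field in, which is outside this diff. `struct table` begins before this hunk.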