authorPablo Neira Ayuso <>2012-09-27 19:12:53 +0200
committerPablo Neira Ayuso <>2013-12-30 23:50:09 +0100
commit384958620abab397062b67fb2763e813b63f74f0 (patch)
treeec01cb88585150a37f122bfbf39ea33218bafdb6 /
parent99b85b7837707bd6c6d578c9328e1321fceb8082 (diff)
use nf_tables and nf_tables compatibility interface
This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aim to be similar; the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without locking the entire table. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset the internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get operation similar to that of iptables. Signed-off-by: Pablo Neira Ayuso <>
1 files changed, 44 insertions, 0 deletions
diff --git a/ b/
index e83304c5..eb2c367b 100644
--- a/
+++ b/
@@ -60,6 +60,9 @@ AC_ARG_ENABLE([nfsynproxy],
AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
[Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]),
[pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig'])
+ AS_HELP_STRING([--disable-xtables], [Do not build xtables]),
+ [enable_nftables="$enableval"], [enable_nftables="yes"])
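Review bot: The help string on the first added line advertises `--disable-xtables`, but the action sets `enable_nftables`, which is the name the new AM_CONDITIONAL and the configuration summary in this commit key off. The AC_ARG_ENABLE feature name that actually defines the switch is not shown in this rendering; if it is `nftables`, the documented option does not exist and `./configure --disable-xtables` would only produce an "unrecognized option" warning while the compat layer is still built. Suggest `AS_HELP_STRING([--disable-nftables], [Do not build nftables compat])` so the help text matches the variable it controls. The enclosing AC_ARG_ENABLE call starts outside the lines shown here.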
@@ -106,6 +109,7 @@ AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
+AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
@@ -115,6 +119,45 @@ PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
[nfnetlink=1], [nfnetlink=0])
AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
+PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0],
+ [mnl=1], [mnl=0])
+AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1])
+PKG_CHECK_MODULES([libnfables], [libnftables >= 1.0],
+ [nftables=1], [nftables=0])
+AM_CONDITIONAL([HAVE_LIBNFTABLES], [test "$nftables" = 1])
+if test -z "$ac_cv_prog_YACC"
+ echo "*** Error: No suitable bison/yacc found. ***"
+ echo " Please install the 'bison' package."
+ exit 1
+if test -z "$ac_cv_prog_LEX"
+ echo "*** Error: No suitable flex/lex found. ***"
+ echo " Please install the 'flex' package."
+ exit 1
+AC_MSG_CHECKING(flex version)
+flex_version=`$ac_cv_prog_LEX --version | sed 's/version//g' | awk '/flex/ {print $2}'`
+flex_major=`echo $flex_version| cut -d . -f 1`
+flex_minor=`echo $flex_version| cut -d . -f 2`
+flex_rev=`echo $flex_version| cut -d . -f 3`
+if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test "$flex_rev" -ge "33"; then
+ AC_MSG_RESULT([$flex_version. OK])
+ AC_MSG_WARN([flex version $flex_version found.
+ Version 2.5.33 or greater is required. You may experience problems
+ while compilating the conntrack-tools. Please, consider to upgrade
+ flex.])
regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe";
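Review bot: The PKG_CHECK_MODULES call on the libnftables line uses the variable prefix `libnfables` while checking module `libnftables`, so the flags land in `libnfables_CFLAGS`/`libnfables_LIBS` rather than the `libnftables_*` names a Makefile.am would be expected to reference; `PKG_CHECK_MODULES([libnftables], [libnftables >= 1.0],` fixes the prefix. The missing bison/flex branches use `echo` plus `exit 1` where `AC_MSG_ERROR([no suitable bison/yacc found, please install the 'bison' package])` is the autoconf idiom, and the flex warning text refers to the conntrack-tools rather than iptables. The `flex_major`/`flex_minor`/`flex_rev` comparisons with `-eq`/`-ge` raise a shell error instead of the warning if `--version` output does not split into three numeric fields, so defaulting empty fields to 0 before the test would make the check robust. When enable_nftables is yes, an absent libmnl or libnftables does not fail configure here since HAVE_LIBMNL/HAVE_LIBNFTABLES are only conditionals; whether that surfaces as a build error or a silently skipped tool depends on Makefile.am, which is outside this hunk. Several lines of this hunk (the then/else/fi of the new conditionals) appear to have been dropped by the rendering.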
@@ -182,6 +225,7 @@ Iptables Configuration:
Large file support: ${enable_largefile}
BPF utils support: ${enable_bpfc}
nfsynproxy util support: ${enable_nfsynproxy}
+ nftables support: ${enable_nftables}
Build parameters:
Put plugins into executable (static): ${enable_static}