author | Giuseppe Longo <giuseppelng@gmail.com> | 2013-09-09 12:54:04 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:46 +0100 |
commit | 84909d171585d77fe769f03e2b1b96eab0aa0213 (patch) | |
tree | 1627c75d71025b18b6d7a94ee504617146b02419 /iptables/nft.h | |
parent | 67da6075a4e7ced0e8cc452d73ce8ab06cbf8cd9 (diff) |
xtables: bootstrap ARP compatibility layer for nftables
This patch bootstraps ARP support for the compatibility layer:
1) copy original arptables code into xtables-arp.c
2) adapt it to fit into the existing nft infrastructure.
3) add the builtin table/chains for ARP.
4) add necessary parts so xtables-multi can provide xtables-arp.
5) add basic support for rule addition (-A), insertion (-I) and
listing (-L).
[ This was originally posted in a series of patches with interdependencies
that I have collapsed to leave the repository in consistent state. This
patch includes the following changes I made:
* Rename from xtables-arptables to xtables-arp, previous name too long.
* Remove nft-arptables.c, now we have one single nft-arp.c file. Moved
specific ARP functions to nft.c. Those should go away at some point as
some refactoring should allow those functions to be accommodated in the
existing infrastructure.
* Fix --opcode Request/Reply, so we can do something useful with this
like dropping ARP request/replies.
--pablo ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.h')
-rw-r--r-- | iptables/nft.h | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/iptables/nft.h b/iptables/nft.h
index fe1b9c81..25275cee 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -34,7 +34,11 @@ struct nft_handle {
 };
 
 extern struct builtin_table xtables_ipv4[TABLES_MAX];
+extern struct builtin_table xtables_arp[TABLES_MAX];
 
+int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
+ int (*cb)(const struct nlmsghdr *nlh, void *data),
+ void *data);
 int nft_init(struct nft_handle *h, struct builtin_table *t);
 void nft_fini(struct nft_handle *h);
 
@@ -44,6 +48,8 @@ void nft_fini(struct nft_handle *h);
 struct nft_table;
 struct nft_chain_list;
 
+int nft_table_builtin_add(struct nft_handle *h, struct builtin_table *_t, bool dormant);
+struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
 int nft_table_add(struct nft_handle *h, const struct nft_table *t);
 int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters);
 bool nft_table_find(struct nft_handle *h, const char *tablename);
@@ -56,6 +62,10 @@ int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nft_c
  */
 struct nft_chain;
 
+struct nft_chain *nft_chain_builtin_alloc(struct builtin_table *table, struct builtin_chain *chain, int policy);
+void nft_chain_builtin_add(struct nft_handle *h, struct builtin_table *table, struct builtin_chain *chain, int policy);
+struct builtin_chain *nft_chain_builtin_find(struct builtin_table *t, const char *chain);
+int nft_chain_builtin_init(struct nft_handle *h, const char *table, const char *chain, int policy);
 int nft_chain_add(struct nft_handle *h, const struct nft_chain *c);
 int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
 struct nft_chain_list *nft_chain_dump(struct nft_handle *h);
@@ -82,6 +92,16 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl
 int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
 int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
+struct nft_rule_list *nft_rule_list_create(struct nft_handle *h);
+void nft_rule_list_destroy(struct nft_rule_list *list);
+
+/*
+ * Operations used in userspace tools
+ */
+int add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes);
+int add_verdict(struct nft_rule *r, int verdict);
+int add_target(struct nft_rule *r, struct xt_entry_target *t);
+int add_jumpto(struct nft_rule *r, const char *name, int verdict);
 
 enum nft_rule_print {
 	NFT_RULE_APPEND,
@@ -110,6 +130,8 @@ const char *nft_strerror(int err);
 
 /* For xtables.c */
 int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table);
+/* For xtables-arptables.c */
+int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table);
 
 /*
  * Parse config for tables and chain helper functions
@@ -127,4 +149,17 @@ enum {
 
 int nft_xtables_config_load(struct nft_handle *h, const char *filename, uint32_t flags);
 
+/*
+ * ARP
+ */
+
+struct arpt_entry;
+
+int nft_arp_rule_append(struct nft_handle *h, const char *chain,
+ const char *table, struct arpt_entry *fw,
+ bool verbose);
+int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
+ const char *table, struct arpt_entry *fw,
+ int rulenum, bool verbose);
+
 #endif
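Review bot: `mnl_talk` is exported from nft.h in the first hunk without any statement of its contract, and as the one entry point through which requests reach the kernel it needs one: what the return value is (0 on success, -1 with errno?) and what the return value of `cb` means to the receive loop. If the implementation hands replies to libmnl's mnl_cb_run — nft.c is not visible here — the callback follows the MNL_CB_OK/MNL_CB_STOP/MNL_CB_ERROR convention and the comment should say so, since a callback returning the wrong value silently truncates or aborts the dump. Proposed comment above the prototype: `/* Send nlh to the kernel and run cb on each reply (libmnl callback convention); returns 0 on success, -1 on error. */` — confirm both halves against nft.c before wording it as fact.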
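Review bot: The parameter `_t` of `nft_table_builtin_add` in the second hunk is the only leading-underscore name in this header; its siblings `nft_table_builtin_find` and `nft_table_add` use plain names, and underscore-prefixed identifiers are best left to the implementation namespace. Suggest `int nft_table_builtin_add(struct nft_handle *h, struct builtin_table *t, bool dormant);`. The `dormant` flag also deserves a one-line comment, because a caller cannot tell from the prototype what a dormant table means for the chains registered under it.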
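Review bot: `nft_chain_builtin_alloc` in the third hunk returns a freshly allocated `struct nft_chain *` but nothing says who releases it or whether `nft_chain_builtin_add` consumes it; that ownership rule is what keeps these helpers leak- and double-free-safe once xtables-arp starts calling them. Suggest a comment above the alloc prototype such as `/* Caller owns the returned chain (presumably released with nft_chain_free) unless it is handed to nft_chain_add */`, adjusted to what nft.c actually does, which is outside this hunk. `nft_chain_builtin_add` returning `void` also hides allocation failure from the caller; consider returning `int` like `nft_chain_builtin_init` and `nft_chain_add` do.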
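Review bot: `add_counters`, `add_verdict`, `add_target` and `add_jumpto` in the first hunk on this line are the only prototypes in this header without the `nft_` prefix, and the comment above them, `Operations used in userspace tools`, does not say what they operate on. With nft.h now included by several front-ends (xtables-arp joins here), an unprefixed `add_target` is an easy collision with a front-end's own helper. Suggest `nft_rule_add_counters` and friends, or at least a sharper comment, e.g. `/* Helpers that add an expression to a rule being assembled for the kernel */` if that is indeed what they do. The `nft_rule_list_create`/`nft_rule_list_destroy` pair likewise should state whether destroy also frees the rules held in the list, not just the list.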
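Review bot: The comment `/* For xtables-arptables.c */` above `do_commandarp` names a file that this commit, by its own description, renamed to xtables-arp.c, so the header is stale on the day it lands; change it to `/* For xtables-arp.c */`. A blank line before it would also set the block off from `do_commandx` the way the `/* For xtables.c */` block is set off from what precedes it.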
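Review bot: `nft_arp_rule_insert` in the last hunk takes `int rulenum` with no note on its base (iptables numbers `-I` positions from 1) or on what happens when it exceeds the chain length, and neither ARP prototype documents its return value; `bool verbose` is the only self-explanatory parameter. Suggest documenting both on the insert prototype, e.g. `/* rulenum is 1-based, as on the -I command line; returns non-zero on success */`, once confirmed against nft.c, which is not visible here. If nothing in the implementation writes through `fw`, declare it `const struct arpt_entry *fw` in both prototypes so the header states that the entry is only read.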