summaryrefslogtreecommitdiffstats
path: root/include/linux/netfilter/nf_tables.h
Commit message (Collapse)AuthorAgeFilesLines
* refresh nf_tables.h cached copyPablo Neira Ayuso2014-10-091-1/+76
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Update nftables API header in sync with kernel's oneTomasz Bursztyka2013-12-301-7/+296
| | | | | | | Many changes were missing. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: batch rule-set updates into one single netlink messagePablo Neira Ayuso2013-12-301-7/+0
| | | | | | | | With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft: add protocol and flags for xtables over nf_tablesPablo Neira Ayuso2013-12-301-0/+14
| | | | | | Add protocol and flags for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: support atomic commitPablo Neira Ayuso2013-12-301-0/+8
| | | | | | | | | | | | | Use new services in nf_tables to support atomic commit. Commit per table, although we support global commit at once, call commit for each table to emulate iptables-restore behaviour by now. Keep table dormant/wake up code in iptables/nft.c as it can be used in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: adapt chain rename to recent Patrick's updatesPablo Neira Ayuso2013-12-301-1/+2
| | | | | | | This patch gets existing code in sync with Patrick's chain renaming new approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: add support for dormant tablesPablo Neira Ayuso2013-12-301-0/+10
| | | | | | This patch adds support for dormant tables for xtables-restore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* headers: remove unused compatibility definitionsPablo Neira Ayuso2013-12-301-18/+0
| | | | | | They belong to nf_tables_compat.h Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Add support for chain rename options (-E)Tomasz Bursztyka2013-12-301-0/+1
| | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* headers: Make nf_tables.h up to dateTomasz Bursztyka2013-12-301-0/+2
| | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
* use nf_tables and nf_tables compatibility interfacePablo Neira Ayuso2013-12-301-0/+418
This patch adds the following utilities: * xtables * xtables-restore * xtables-save * xtables-config They all use Patrick's nf_tables infrastructure plus my compatibility layer. xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save. Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking. The following options are also not yet implemented: -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it) -R and -E (this requires adding this feature to nf_tables) -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0) -IPv6 support. But those are a matter of time to get them done. A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains. However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>