path: root/iptables/nft.c

Commit log for this file, newest first. Each entry gives the commit message summary, author, date, number of files changed and lines removed/added (-removed/+added).
* ebtables-compat: fix print_header
  Giuseppe Longo, 2014-11-24, 1 file, -0/+3

  This prints the header like ebtables.

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: bootstrap ebtables-compat
  Pablo Neira Ayuso, 2014-11-24, 1 file, -1/+52

  This patch bootstraps ebtables-compat, the ebtables compatibility
  software upon nf_tables.

  [ Original patches:

    http://patchwork.ozlabs.org/patch/395544/
    http://patchwork.ozlabs.org/patch/395545/
    http://patchwork.ozlabs.org/patch/395546/

    I have also forward ported them on top of the current git HEAD,
    otherwise compilation breaks. This bootstrap is experimental, this
    still needs more work. --Pablo ]

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-compat: create a separated object update type to rename chains
  Arturo Borrero, 2014-11-24, 1 file, -1/+11

  This patch adds an explicit object update type to rename chains, so we
  avoid calling the nf_tables API with NLM_F_EXCL.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: kill add_*() invflags parameter
  Arturo Borrero, 2014-11-12, 1 file, -0/+8

  Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ.
  The caller must calculate which kind of cmp operation is required.

  BTW, this patch solves absence of inversion in some arptables-compat
  builtin matches. Thus, translating arptables inv flags is no longer
  needed.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: homogenize error messages with 'R' option
  Ana Rey, 2014-11-09, 1 file, -1/+1

  There is a difference between error messages in iptables and
  iptables-compat:

  # iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT
  iptables: Index of replacement too big.

  # iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT
  iptables: No chain/target/match by that name.

  Now, iptables-compat shows the same error message as iptables in this
  case.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: homogenize error messages
  Ana Rey, 2014-10-30, 1 file, -0/+4

  There are some differences between error messages in iptables and
  iptables-compat:

  # iptables -C INPUT -s 192.168.2.102 -j ACCEPT
  iptables: Bad rule (does a matching rule exist in that chain?).

  # iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
  iptables: No chain/target/match by that name.

  # iptables -N new_chain
  # iptables -N new_chain
  iptables: Chain already exists.

  # iptables-compat -N new_chain
  # iptables-compat -N new_chain
  iptables: File exists.

  Now, iptables-compat shows the same error messages as iptables in those
  cases.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: fix empty chains after first invocation of iptables-compat -L
  Pablo Neira Ayuso, 2014-10-24, 1 file, -1/+7

  # iptables-compat -L
  # iptables-compat -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  Note that the second (and follow up) invocations after the first one
  display the chains.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
  Pablo Neira Ayuso, 2014-10-24, 1 file, -22/+13

  Newly created (emulated) xt built-in chains have to use NF_ACCEPT.

  Remove extra unused chain parameter and rename nft_chain_builtin_init
  to nft_xt_builtin_init too.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: statify unused built-in table/chain functions
  Pablo Neira Ayuso, 2014-10-24, 1 file, -8/+8

  The functions that allow you to create built-in table and chains are
  required out of the scope of nft.c

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: fix chain policy reset with iptables -L -n
  Pablo Neira Ayuso, 2014-10-24, 1 file, -3/+11

  Initialize built-in tables/chains if they don't exist, otherwise simply
  skip. This avoids the chain policy reset to NF_ACCEPT when you call
  iptables -L -n.

  Reported-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Tested-by: Ana Rey <anarey@gmail.com>
* arptables-compat: get output in sync with arptables -L -n --line-numbers
  Pablo Neira Ayuso, 2014-10-09, 1 file, -46/+2

  # arptables-compat -L -n --line-numbers
  Chain INPUT (policy ACCEPT)
  num target prot opt source destination  <-- This header is not shown by arptables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: nft: fix error reporting
  Pablo Neira Ayuso, 2014-10-09, 1 file, -16/+6

  This fixes

  # iptables-compat -X test4345
  iptables: No chain/target/match by that name.

  # iptables-compat -N test4345
  # iptables-compat -N test4345
  iptables: File exists.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: nft: fix user chain addition, deletion and rename
  Pablo Neira Ayuso, 2014-10-09, 1 file, -27/+60

  Add the glue code to use the chain batching for user chain commands.

  Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: get rid of error reporting via perror
  Pablo Neira Ayuso, 2014-09-30, 1 file, -58/+22

  The compat layer should report problems in the iptables way instead.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: fix use after free in the batch send path
  Pablo Neira Ayuso, 2014-09-30, 1 file, -8/+19

  Release the batch pages once they have been sent via sendmsg().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
  Pablo Neira Ayuso, 2014-09-30, 1 file, -21/+5

  Use the existing functions in libnftnl to begin and end a batch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: save: fix the printing of the counters
  Giuseppe Longo, 2014-06-11, 1 file, -4/+7

  This patch prints the counters of a rule before the details, like
  iptables-save syntax.

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: add tables and chains to the batch
  Pablo Neira Ayuso, 2014-06-10, 1 file, -121/+246

  Since kernel changes:

  55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure to handle table").
  91c7b38 ("netfilter: nf_tables: use new transaction infrastructure to handle chain").

  it is possible to put tables and chains in the same batch (which was
  already including rules).

  This patch probes the kernel to check if the new transaction is
  available, otherwise it falls back to the previous non-transactional
  approach to handle these two objects.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: remove unused code
  Pablo Neira Ayuso, 2014-06-10, 1 file, -52/+4

  Remove code to set table in dormant state, this is not required from
  the iptables over nft compatibility layer.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: generalize batch infrastructure
  Pablo Neira Ayuso, 2014-06-09, 1 file, -41/+41

  Prepare inclusion of tables and chain objects in the batch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: replace nft_rule_attr_get_u8
  Giuseppe Longo, 2014-03-24, 1 file, -1/+1

  Since the family declaration has been modified in libnftnl, from commit
  3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion fails for
  {ip,ip6,arp}tables-compat when printing rules.

  iptables-compat -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  libnftnl: attribute 0 assertion failed in rule.c:273

  ip6tables-compat -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  libnftnl: attribute 0 assertion failed in rule.c:273

  arptables-compat -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  libnftnl: attribute 0 assertion failed in rule.c:273

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Pass a line after printing out a debug message
  Tomasz Bursztyka, 2014-02-12, 1 file, -3/+3

  In these specific places, libnftnl gives back a string on which
  iptables should not assume any line break, thus it's up to iptables to
  add it.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless error message
  Tomasz Bursztyka, 2014-02-12, 1 file, -40/+5

  These are not helpful.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Initialize a table only once
  Tomasz Bursztyka, 2014-02-12, 1 file, -0/+10

  This helps to remove some runtime overhead, especially when running
  xtables-restore.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: A builtin chain might be created when restoring
  Tomasz Bursztyka, 2014-02-12, 1 file, -0/+1

  nft_chain_set() is directly used in xtables-restore.c, however at that
  point no builtin chains have been created yet thus the need to request
  to build it relevantly.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Add useful debug output when a builtin table is created
  Tomasz Bursztyka, 2014-02-12, 1 file, -0/+8

  This is useful to know if a builtin table is requested to be created.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-compat: fix IP6T_F_GOTO flag handling
  Pablo Neira Ayuso, 2014-02-11, 1 file, -2/+2

  IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special
  handling to avoid misinterpretations.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: adds save_matches_and_target
  Giuseppe Longo, 2014-02-11, 1 file, -30/+3

  This patch permits saving matches and target for the ip/ip6/arp/eb
  families, required for xtables-events.

  Also, it generalizes nft_rule_print_save to be reused for all protocol
  families.

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Use new libnftnl library name against former libnftables
  Tomasz Bursztyka, 2014-01-20, 1 file, -4/+4

  Adapt the current code to use the new library name libnftnl.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong function to release iterator
  Pablo Neira Ayuso, 2013-12-30, 1 file, -1/+1

  nft.c: In function ‘nft_xtables_config_load’:
  nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default]
  In file included from nft.c:41:0:
  /usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’

  Introduced in (12eb85b nft: fix memory leaks in nft_xtables_config_load)
  but that was my fault indeed since Ana sent a v2 patch that I had
  overlooked.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: fix memory leaks in nft_fini
  Ana Rey, 2013-12-30, 1 file, -0/+2

  Those errors are shown with the valgrind tool:

  valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80

  ==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10
  ==12554==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
  ==12554==    by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447)
  ==12554==    by 0x416520: nft_action (nft.c:2281)
  ==12554==    by 0x41355E: xtables_main (xtables-standalone.c:75)
  ==12554==    by 0x5B87994: (below main) (libc-start.c:260)

  ==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10
  ==12554==    at 0x4C2935B: malloc (vg_replace_malloc.c:270)
  ==12554==    by 0x415A24: mnl_nft_batch_alloc (nft.c:102)
  ==12554==    by 0x416520: nft_action (nft.c:2281)
  ==12554==    by 0x41355E: xtables_main (xtables-standalone.c:75)
  ==12554==    by 0x5B87994: (below main) (libc-start.c:260)

  These objects are allocated from nft_init but they were not released
  appropriately in the exit path.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix memory leaks in nft_xtables_config_load
  Ana Rey, 2013-12-30, 1 file, -10/+17

  Those errors are shown with the valgrind tool:

  valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80

  ==7377==
  ==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14
  ==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
  ==7377==    by 0x5955B02: nft_table_list_alloc (table.c:425)
  ==7377==    by 0x4186EB: nft_xtables_config_load (nft.c:2427)
  ==7377==    by 0x4189E6: nft_rule_append (nft.c:991)
  ==7377==    by 0x413A7D: add_entry.isra.6 (xtables.c:424)
  ==7377==    by 0x41524A: do_commandx (xtables.c:1176)
  ==7377==    by 0x4134DC: xtables_main (xtables-standalone.c:72)
  ==7377==    by 0x5B87994: (below main) (libc-start.c:260)
  ==7377==
  ==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14
  ==7377==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
  ==7377==    by 0x5956A32: nft_chain_list_alloc (chain.c:888)
  ==7377==    by 0x4186F3: nft_xtables_config_load (nft.c:2428)
  ==7377==    by 0x4189E6: nft_rule_append (nft.c:991)
  ==7377==    by 0x413A7D: add_entry.isra.6 (xtables.c:424)
  ==7377==    by 0x41524A: do_commandx (xtables.c:1176)
  ==7377==    by 0x4134DC: xtables_main (xtables-standalone.c:72)
  ==7377==    by 0x5B87994: (below main) (libc-start.c:260)

  Fix these leaks and consolidate error handling in the exit path of
  nft_xtables_config_load.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix out of bound memory copy
  Pablo Neira Ayuso, 2013-12-30, 1 file, -9/+6

  Valgrind reports an invalid read after a memory block:

  ==11114== Invalid read of size 8
  ==11114==    at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877)
  ==11114==    by 0x41788E: add_match (nft.c:781)
  ==11114==    by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72)
  ==11114==    by 0x415DF2: nft_rule_new.isra.2 (nft.c:945)
  ==11114==    by 0x418ACE: nft_rule_append (nft.c:1000)
  ==11114==    by 0x413A92: add_entry.isra.6 (xtables.c:424)
  ==11114==    by 0x4152DE: do_commandx (xtables.c:1184)
  ==11114==    by 0x4134E8: xtables_main (xtables-standalone.c:72)
  ==11114==    by 0x5B87994: (below main) (libc-start.c:260)
  ==11114==  Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd
  ==11114==    at 0x4C2B514: calloc (vg_replace_malloc.c:593)
  ==11114==    by 0x52448C8: xtables_calloc (xtables.c:272)
  ==11114==    by 0x410AC2: command_default (xshared.c:150)
  ==11114==    by 0x4149A2: do_commandx (xtables.c:1075)
  ==11114==    by 0x4134E8: xtables_main (xtables-standalone.c:72)
  ==11114==    by 0x5B87994: (below main) (libc-start.c:260)

  m->u.match_size also contains the size of the xt_entry_match structure.

  Fix also the target path which is very similar.

  Reported-by: Ana Rey Botello <anarey@gmail.com>
  Tested-by: Ana Rey Botello <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: pass ipt_entry to ->save_firewall hook
  Pablo Neira Ayuso, 2013-12-30, 1 file, -3/+5

  The extension needs the ipt_entry not to crash. Since cs->fw actually
  points to a union that also contains cs->fw6, just pass cs->fw to make
  it work.

  This fixes:

  -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: batch rule-set updates into one single netlink message
  Pablo Neira Ayuso, 2013-12-30, 1 file, -114/+315

  With this patch, all rule-set updates are put in one single batch of
  netlink messages that is sent to user-space using the new nfnetlink
  batch infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_* functions to support ARP
  Pablo Neira Ayuso, 2013-12-30, 1 file, -157/+12

  This should help to avoid code duplication to support ARP. As a result,
  we have a common generic infrastructure for IPv4, IPv6 and ARP.

  This patch removes nft_arp_rule_append and nft_arp_rule_insert, which
  were very similar to their original nft_rule_append and
  nft_rule_insert.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_new to support ARP
  Pablo Neira Ayuso, 2013-12-30, 1 file, -89/+31

  This patch removes nft_arp_rule_new, which is almost a copy and paste
  of the original nft_rule_new. This patch generalizes the
  infrastructure to support ARP.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_find for ARP, IPv4 and IPv6
  Pablo Neira Ayuso, 2013-12-30, 1 file, -180/+12

  This patch kills nft_arp_rule_find, which is almost a copy and paste of
  the original nft_rule_find function. Refactor this function to move
  specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c
  files.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft-arp: implements is_same op for ARP family
  Giuseppe Longo, 2013-12-30, 1 file, -0/+31

  The following patch implements the is_same operation for ARP family
  needed for searching arp rule.

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: bootstrap ARP compatibility layer for nftables
  Giuseppe Longo, 2013-12-30, 1 file, -16/+287

  This patch bootstraps ARP support for the compatibility layer:

  1) copy original arptables code into xtables-arp.c
  2) adapt it to fit into the existing nft infrastructure.
  3) add the builtin table/chains for ARP.
  4) add necessary parts so xtables-multi can provide xtables-arp.
  5) add basic support for rule addition (-A), insertion (-I) and
     listing (-L).

  [ This was originally posted in a series of patches with
    interdependencies that I have collapsed to leave the repository in
    consistent state.

    This patch includes the following changes I made:

    * Rename from xtables-arptables to xtables-arp, previous name too
      long.

    * Remove nft-arptables.c, now we have one single nft-arp.c file.
      Moved specific ARP functions to nft.c. Those should go away at some
      point as some refactorization should allow to accommodate those
      functions to the existing infrastructure.

    * Fix --opcode Request/Reply, so we can do something useful with
      this like dropping ARP request/replies.

    --pablo ]

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: skip unset tables on table configuration emulation
  Tomasz Bursztyka, 2013-12-30, 1 file, -0/+3

  The ARP family has fewer tables, so skip iteration once we find a null
  one.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: allow to reset the counters of an existing rule
  Tomasz Bursztyka, 2013-12-30, 1 file, -0/+35

  Now that we convert nft rules to native xt command structure, it's
  easier to reset the counters by replacing the existing rule by a new
  one with all counters set to zero.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: use xtables_print_num
  Pablo Neira Ayuso, 2013-12-30, 1 file, -2/+2

  So we can kill our own implementation.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: convert rule into a command state structure
  Tomasz Bursztyka, 2013-12-30, 1 file, -404/+73

  This helps to reduce the code complexity to have one single common path
  for printing, saving and looking up for the rule.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Generalize nft_rule_list() against current family
  Tomasz Bursztyka, 2013-12-30, 1 file, -244/+5

  Now, firewall rule printing is done through the nft_family_ops
  .print_firewall function. This moves the generic part for ipv4 and
  ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other
  families such as ARP, which will be useful for the arptables
  compatibility tool.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless test on rulenum in nft_rule_list()
  Tomasz Bursztyka, 2013-12-30, 1 file, -3/+2

  Rulenum is already handled before the loop, making this test useless.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Make internal rule listing callback more generic
  Tomasz Bursztyka, 2013-12-30, 1 file, -12/+8

  This will be useful for reusing nft_rule_list in other tools such as
  xtables-arptables.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Optimize rule listing when chain and rulenum are provided
  Tomasz Bursztyka, 2013-12-30, 1 file, -4/+10

  Thus, we can save some cycles by not dumping the entire chain list and
  looping on it.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless function
  Tomasz Bursztyka, 2013-12-30, 1 file, -27/+0

  Likely to be a leftover from the initial bootstrap.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: load only the tables of the current family
  Giuseppe Longo, 2013-12-30, 1 file, -0/+17

  This changes nft_xtables_config_load() to permit loading only the
  tables of the current family.

  [ This patch includes a fix for the configuration parser that I
    detected while testing this patch --pablo ]

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>