From a7f1e208cdf9c6392c99d3c52764701d004bdde7 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 6 Jan 2020 13:20:13 +0100
Subject: nft: split parsing from netlink commands

This patch updates the parser to generate a list of command objects. This list of commands is then transformed to a list of netlink jobs. This new command object stores the rule using the nftnl representation via nft_rule_new(). To reduce the number of updates in this patch, the nft_*_rule_find() functions have been updated to restore the native representation to skip the update of the rule comparison code.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Phil Sutter
---
 iptables/nft-cmd.h | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 iptables/nft-cmd.h
(limited to 'iptables/nft-cmd.h')

diff --git a/iptables/nft-cmd.h b/iptables/nft-cmd.h
new file mode 100644
index 00000000..33ee766a
--- /dev/null
+++ b/iptables/nft-cmd.h
@@ -0,0 +1,78 @@
+#ifndef _NFT_CMD_H_
+#define _NFT_CMD_H_
+
+#include
+#include
+#include "nft.h"
+
+struct nftnl_rule;
+
+struct nft_cmd {
+ struct list_head head;
+ int command;
+ const char *table;
+ const char *chain;
+ const char *jumpto;
+ int rulenum;
+ bool verbose;
+ unsigned int format;
+ struct {
+ struct nftnl_rule *rule;
+ } obj;
+ const char *policy;
+ struct xt_counters counters;
+ const char *rename;
+ int counters_save;
+};
+
+struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ const char *table, const char *chain,
+ struct iptables_command_state *state,
+ int rulenum, bool verbose);
+void nft_cmd_free(struct nft_cmd *cmd);
+
+int nft_cmd_rule_append(struct nft_handle *h, const char *chain,
+ const char *table, struct iptables_command_state *state,
+ void *ref, bool verbose);
+int nft_cmd_rule_insert(struct nft_handle *h, const char *chain,
+ const char *table, struct iptables_command_state *state,
+ int rulenum, bool verbose);
+int nft_cmd_rule_delete(struct nft_handle *h, const char *chain,
+ const char *table, struct iptables_command_state *state,
+ bool verbose);
+int nft_cmd_rule_delete_num(struct nft_handle *h, const char *chain,
+ const char *table, int rulenum, bool verbose);
+int nft_cmd_rule_flush(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose);
+int nft_cmd_zero_counters(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose);
+int nft_cmd_chain_user_add(struct nft_handle *h, const char *chain,
+ const char *table);
+int nft_cmd_chain_user_del(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose);
+int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose);
+int nft_cmd_rule_list(struct nft_handle *h, const char *chain,
+ const char *table, int rulenum, unsigned int format);
+int nft_cmd_rule_check(struct nft_handle *h, const char *chain,
+ const char *table, void *data, bool verbose);
+int nft_cmd_chain_set(struct nft_handle *h, const char *table,
+ const char *chain, const char *policy,
+ const struct xt_counters *counters);
+int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
+ const char *table, const char *newname);
+int nft_cmd_rule_replace(struct nft_handle *h, const char *chain,
+ const char *table, void *data, int rulenum,
+ bool verbose);
+int nft_cmd_table_flush(struct nft_handle *h, const char *table);
+int nft_cmd_chain_restore(struct nft_handle *h, const char *chain,
+ const char *table);
+int nft_cmd_rule_zero_counters(struct nft_handle *h, const char *chain,
+ const char *table, int rulenum);
+int nft_cmd_rule_list_save(struct nft_handle *h, const char *chain,
+ const char *table, int rulenum, int counters);
+int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
+ const char *chain, const char *policy);
+void nft_cmd_table_new(struct nft_handle *h, const char *table);
+
+#endif /* _NFT_CMD_H_ */
-- 
cgit v1.2.3
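Review bot: `struct nft_cmd` stores five `const char *` members (`table`, `chain`, `jumpto`, `policy`, `rename`) plus `obj.rule`, but the header does not say whether they are copied or merely borrowed from the caller; since the commit description says commands are queued on a list and executed later, and `nft_cmd_free()` is the only release point, a borrowed string that goes out of scope before execution would be a dangling read. A comment on the struct such as `/* Queued command: string members and obj.rule must remain valid until nft_cmd_free(); state whether nft_cmd_new() copies or borrows them. */` would pin the contract down for the implementation in nft-cmd.c. The prototypes also mix two parameter orders — most take `chain, table`, while `nft_cmd_chain_set()` and `ebt_cmd_user_chain_policy()` take `table, chain` — and because both are `const char *`, a swapped call compiles without warning; if the order cannot be unified, a comment flagging the exception on those two declarations is the minimum. Minor style: `nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,` is missing the space after the comma.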