| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
This function releases the ruleset objects attached in the parse context
structure, ie. struct nft_parse_ctx.
Moreover, this patch updates the nft_parse_ruleset_file to use it.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this example, we can parse the objects in the ruleset and create the
netlink message with the action associated. For example:
- Flush ruleset
- Add, delete or flush tables/chains
- Add, delete sets
- Add, delete set elements
- Add, delete, replace or prepend rules
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The libmnl helper returns a pointer where to start putting the rule data.
Reported-by: Ian Bishop <ian@pace7.com>
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=983
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We should point to the batch buffer as returned by the libmnl helper.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Batching is needed in current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Let's create a single code example with XML/JSON support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
| |
Let's add support for current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Merge the two examples in just one. An input argument choose the format to use.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The generation object currently only contains the uint32_t that
indicates the generation ID. I could have just add the API to return
the uint32_t ID instead, but I think this API is easier to extend
without adding new APIs.
We can probably include meaningful statistics in the generation
message in the future without much hassle.
This patch also extends examples/nft-events.c.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add batching support so this code example works with current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new function parses the input arguments and generates the nft_table.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Adds batching support to this code example, so it works with current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This fucntion parses the command line options and creates the nft_table object.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add batching support to operate with recent kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Merge the two examples in one. An input argument choose the format to use.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add batching support to operate with current kernels.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Merge the two examples in one. Use an input argument to choose the
format to parse.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Chains are included in the batch since 3.16. Add support to delete
chains dependending on the available interface.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This function parses the command line options and creates the nft_chain
object.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Chains are included in the batch since 3.16. Add support for adding
the chains dependending on the available interface.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This function parses the command line options and it creates the
nft_chain object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
It uses the existing nfnl batching approach using the generic mnl
netlink message batching infrastructure.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
# ./nft-events xml
<event><type>new</type><chain><name>xxx</name><handle>9</handle><bytes>0</bytes><packets>0</packets><table>test</table><family>ip</family></chain></event>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's use the new event wrappers in the events example.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Complete nft-events example by adding a basic set & set_elem event
notification.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This example doesn't exist anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Removed this code because with that we have a strange
output. Example:
we have a rule with handle 4 and we execute
nft-rule-del ip filter input 4
Output: unknown filter input 4 0
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Merged the example for inserting rules and fixed for using
the correct header.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Fix the example for deleting rules. Before this patch,
the program tried to delete the rule without using
the correct header.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
We have to check if mnl_attr_parse() returns an error, which means that it
failed to validate and retrieve the attributes.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The nft_mnl_batch_talk() is overly complicated for a simple example
that just adds one single rule. Simplify this to prepare the merge
of nft-rule-insert, which looks very similar.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch includes changes to adapt this branch to the library
rename that happened in the master branch.
Conflicts:
src/Makefile.am
src/expr/cmp.c
src/expr/ct.c
src/expr/data_reg.c
src/expr/meta.c
tests/jsonfiles/01-table.json
tests/jsonfiles/02-table.json
tests/jsonfiles/64-ruleset.json
tests/xmlfiles/01-table.xml
tests/xmlfiles/02-table.xml
|
| | |
| |
| |
| |
| |
| | |
We plan to use this library name for the higher layer library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch reworks the existing example to add the rule:
nft add rule ip filter input tcp dport 22 counter
It uses the existing nfnl batching approach using the generic mnl
netlink message batching infrastructure. It also removed the code
that uses xtables compat code.
Based on original patch by Arturo Borrero Gonzalez.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This example prints the ruleset, using the ruleset API of nftables.
The kernel patch c9c8e48 ("netfilter: nf_tables: dump sets in all existing
families") is required.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |/
|
|
|
|
|
|
| |
Other nftables objects are allowed to be dumped with NFPROTO_UNSPEC.
With sets is also possible since kernel patch c9c8e48 ("netfilter: nf_tables:
dump sets in all existing families").
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Likewise other nftables objects, this patch allows you to dump
the sets per family.
This is possible since kernel changes (netfilter: nf_tables: allow
to dump all existing sets), we can get the full list of sets per
family.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
To obtain any table, chain and rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
|
| |
|
|
|
|
|
| |
I have added the parameter family in the example nft-rule-get.
Signed-off-by: Alvaro Neira Ayuso Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This program can insert a rule after a rule given by
its handle.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So far, it was only possible to create base chains. This patch
allows you to create custom chains as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
So far, it was restricted to AF_INET.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
While at it, convert all examples to use NFPROTO_*.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thus, automodule loading was not working.
While at it, apply not so relevant comestic cleanups and fix some
inconsistencies between examples.
* Fix copyright header, this is code heavily based on existing
nft-*-add examples.
* Remove unrequired extern struct nft_table definition.
* Make sure we close file descriptor once we don't need it anymore.
* Remove unrequired casting.
* Remove comment that provides nothing interesting.
I considered a patch to address each on those was too much burden.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
