From 0b3161731262d3a8c6110c17fd818af325dbf491 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 10 Dec 2013 17:21:47 +0100 Subject: examples: nft-rule-add: use existing batch infrastructure This patch reworks the existing example to add the rule: nft add rule ip filter input tcp dport 22 counter It uses the existing nfnl batching approach using the generic mnl netlink message batching infrastructure. It also removed the code that uses xtables compat code. Based on original patch by Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nfnetlink.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include') diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 91eebab..336c10c 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -97,4 +97,9 @@ extern void nfnl_unlock(void); MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) #endif /* __KERNEL__ */ + +/* Reserved control nfnetlink messages */ +#define NFNL_MSG_BATCH_BEGIN NLMSG_MIN_TYPE +#define NFNL_MSG_BATCH_END NLMSG_MIN_TYPE+1 + #endif /* _NFNETLINK_H */ -- cgit v1.2.3 From 2307124fe813e2d2d7e1a7bab09076a5a961e79b Mon Sep 17 00:00:00 2001 From: Tomasz Bursztyka Date: Thu, 12 Dec 2013 15:00:43 +0200 Subject: include: update netlink.h to 3.13 Use kernel header from 3.13-rc upstream kernel, this includes documentation changes that were missing. Signed-off-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nf_tables.h | 89 ++++++++++++++++++++++++++++++++++--- 1 file changed, 84 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 4ec8187..fbfd229 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h 
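Review bot: `NFNL_MSG_BATCH_END` expands to the unparenthesized `NLMSG_MIN_TYPE+1`, so any use that binds tighter than `+` (for example `NFNL_MSG_BATCH_END * 2`, or a cast applied to it) silently operates on `NLMSG_MIN_TYPE` alone; `#define NFNL_MSG_BATCH_END (NLMSG_MIN_TYPE+1)` avoids that. The commit message says this is the kernel's own nfnetlink.h, so the parenthesized form should be carried upstream as well rather than diverging in this copy. The comment `/* Reserved control nfnetlink messages */` would also be more useful if it said these two types are dispatched before any subsystem lookup, which is presumably why they are defined outside the `__KERNEL__` block.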
@@ -32,6 +32,25 @@ enum nft_verdicts { NFT_RETURN = -5, }; +/** + * enum nf_tables_msg_types - nf_tables netlink message types + * + * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes) + * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes) + * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes) + * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes) + * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes) + * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes) + * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes) + * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes) + * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes) + * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes) + * @NFT_MSG_GETSET: get a set (enum nft_set_attributes) + * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes) + * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes) + * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes) + * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes) + */ enum nf_tables_msg_types { NFT_MSG_NEWTABLE, NFT_MSG_GETTABLE, @@ -90,6 +109,7 @@ enum nft_table_flags { * enum nft_table_attributes - nf_tables table netlink attributes * * @NFTA_TABLE_NAME: name of the table (NLA_STRING) + * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) */ enum nft_table_attributes { NFTA_TABLE_UNSPEC, 
@@ -103,8 +123,13 @@ enum nft_table_attributes {
 * enum nft_chain_attributes - nf_tables chain netlink attributes
 *
 * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING)
+ * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64)
 * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING)
 * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes)
+ * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32)
+ * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
+ * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
+ * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
 */
 enum nft_chain_attributes {
 NFTA_CHAIN_UNSPEC,
@@ -125,8 +150,10 @@ enum nft_chain_attributes {
 *
 * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING)
 * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING)
- * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U16)
+ * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64)
 * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
+ * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
+ * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
 */
 enum nft_rule_attributes {
 NFTA_RULE_UNSPEC,
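Review bot: The added kernel-doc line `+ * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)` describes the wrong thing; it should read `* @NFTA_CHAIN_TYPE: type name of the chain (NLA_NUL_STRING)`. The same commit adds two more typos in the hunks that follow, `numerice value of handled protocol` under nft_rule_compat_attributes and `host to network opertaor` under nft_byteorder_ops. Since the commit message says this header is synced from the 3.13-rc kernel, these should be fixed upstream first and re-synced, otherwise the next header update brings them back.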
@@ -140,11 +167,22 @@ enum nft_rule_attributes { }; #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) +/** + * enum nft_rule_compat_flags - nf_tables rule compat flags + * + * @NFT_RULE_COMPAT_F_INV: invert the check result + */ enum nft_rule_compat_flags { NFT_RULE_COMPAT_F_INV = (1 << 1), NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV, }; +/** + * enum nft_rule_compat_attributes - nf_tables rule compat attributes + * + * @NFTA_RULE_COMPAT_PROTO: numerice value of handled protocol (NLA_U32) + * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32) + */ enum nft_rule_compat_attributes { NFTA_RULE_COMPAT_UNSPEC, NFTA_RULE_COMPAT_PROTO, @@ -342,11 +380,26 @@ enum nft_bitwise_attributes { }; #define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) +/** + * enum nft_byteorder_ops - nf_tables byteorder operators + * + * @NFT_BYTEORDER_NTOH: network to host operator + * @NFT_BYTEORDER_HTON: host to network opertaor + */ enum nft_byteorder_ops { NFT_BYTEORDER_NTOH, NFT_BYTEORDER_HTON, }; +/** + * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes + * + * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers) + * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops) + * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32) + * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4) + */ enum nft_byteorder_attributes { NFTA_BYTEORDER_UNSPEC, NFTA_BYTEORDER_SREG, @@ -358,6 +411,16 @@ enum nft_byteorder_attributes { }; #define NFTA_BYTEORDER_MAX (__NFTA_BYTEORDER_MAX - 1) +/** + * enum nft_cmp_ops - nf_tables relational operator + * + * @NFT_CMP_EQ: equal + * @NFT_CMP_NEQ: not equal + * @NFT_CMP_LT: less than + * @NFT_CMP_LTE: less than or equal to + * @NFT_CMP_GT: greater than + * @NFT_CMP_GTE: greater than or equal to + */ enum nft_cmp_ops { NFT_CMP_EQ, NFT_CMP_NEQ, 
@@ -383,6 +446,13 @@ enum nft_cmp_attributes { }; #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) +/** + * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes + * + * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING) + * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers) + * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers) + */ enum nft_lookup_attributes { NFTA_LOOKUP_UNSPEC, NFTA_LOOKUP_SET, @@ -423,6 +493,14 @@ enum nft_payload_attributes { }; #define NFTA_PAYLOAD_MAX (__NFTA_PAYLOAD_MAX - 1) +/** + * enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes + * + * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8) + * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32) + * @NFTA_EXTHDR_LEN: extension header length (NLA_U32) + */ enum nft_exthdr_attributes { NFTA_EXTHDR_UNSPEC, NFTA_EXTHDR_DREG, @@ -619,10 +697,11 @@ enum nft_nat_types { * enum nft_nat_attributes - nf_tables nat expression netlink attributes * * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types) - * @NFTA_NAT_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) - * @NFTA_NAT_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) - * @NFTA_NAT_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) - * @NFTA_NAT_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) + * @NFTA_NAT_FAMILY: NAT family (NLA_U32) + * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) + * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) + * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) + * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) */ enum nft_nat_attributes { NFTA_NAT_UNSPEC, -- cgit v1.2.3 
From e87d2f9ef8a4a298de5514b30ec2d43d3c90a644 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lvaro=20Neira=20Ayuso?= Date: Mon, 6 Jan 2014 00:51:14 +0100 Subject: src: new error reporting approach for XML/JSON parsers I have added a new structure for reporting some errors in parser that we can't cover with errno. In this patch, we have three errors that we can't cover with errno: NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input NFT_PARSE_EMISSINGNODE : Missing node in our input NFT_PARSE_EBADTYPE : Wrong type value in a node Signed-off-by: Alvaro Neira Ayuso Signed-off-by: Pablo Neira Ayuso --- include/libnftables/chain.h | 3 ++- include/libnftables/common.h | 11 +++++++++++ include/libnftables/rule.h | 3 ++- include/libnftables/ruleset.h | 3 ++- include/libnftables/set.h | 6 ++++-- include/libnftables/table.h | 3 ++- 6 files changed, 23 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/include/libnftables/chain.h b/include/libnftables/chain.h index 8b4eab9..dec1a77 100644 --- a/include/libnftables/chain.h +++ b/include/libnftables/chain.h @@ -51,7 +51,8 @@ struct nlmsghdr; void nft_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_chain *t); -int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, const char *data); +int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); int nft_chain_snprintf(char *buf, size_t size, struct nft_chain *t, uint32_t type, uint32_t flags); int nft_chain_fprintf(FILE *fp, struct nft_chain *c, uint32_t type, uint32_t flags); diff --git a/include/libnftables/common.h b/include/libnftables/common.h index 9cd92b2..1ef88ba 100644 --- a/include/libnftables/common.h +++ b/include/libnftables/common.h @@ -1,6 +1,12 @@ #ifndef _LIBNFTABLES_COMMON_H_ #define _LIBNFTABLES_COMMON_H_ +enum { + NFT_PARSE_EBADINPUT = 0, + NFT_PARSE_EMISSINGNODE, + NFT_PARSE_EBADTYPE, +}; + enum nft_output_type { NFT_OUTPUT_DEFAULT = 0, NFT_OUTPUT_XML, 
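Review bot: The new `struct nft_parse_err *err` parameter of `nft_chain_parse` is undocumented, so a caller cannot tell from the header whether NULL is accepted or whether the object must come from `nft_parse_err_alloc()`. A one-line comment above the prototype, for example `/* err: filled in on failure when non-NULL; obtain it from nft_parse_err_alloc() */`, would settle it, with the wording matched to what the parsers actually do when err is NULL since that code is not in this diff. The same applies to the matching prototype changes in rule.h, ruleset.h, set.h (two hunks) and table.h in this commit.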
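Review bot: `NFT_PARSE_EBADINPUT = 0` gives the first error code the same value a zero-initialized int field holds before any error is recorded, so if `struct nft_parse_err` keeps the code in such a member (the struct is opaque here, so this is inferred) a caller inspecting it after a successful parse cannot tell "no error" from "bad input". Starting the enumeration at 1, or reserving 0 for "no error", removes that ambiguity and is cheapest before the ABI is released. The enum also carries no comment on what each value means even though the commit message spells it out; the three descriptions from the message, e.g. `/* NFT_PARSE_EBADINPUT: bad XML/JSON format in the input */`, belong directly above the enum in common.h since it is the public header.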
@@ -14,7 +20,12 @@ enum nft_parse_type { NFT_PARSE_MAX, }; +struct nft_parse_err; + struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, uint16_t type, uint32_t seq); +struct nft_parse_err *nft_parse_err_alloc(void); +void nft_parse_err_free(struct nft_parse_err *); +int nft_parse_perror(const char *str, struct nft_parse_err *err); #endif diff --git a/include/libnftables/rule.h b/include/libnftables/rule.h index 86dbc17..1510203 100644 --- a/include/libnftables/rule.h +++ b/include/libnftables/rule.h @@ -47,7 +47,8 @@ struct nlmsghdr; void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t); -int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, const char *data); +int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *t, uint32_t type, uint32_t flags); int nft_rule_fprintf(FILE *fp, struct nft_rule *r, uint32_t type, uint32_t flags); diff --git a/include/libnftables/ruleset.h b/include/libnftables/ruleset.h index 1ec3059..b523346 100644 --- a/include/libnftables/ruleset.h +++ b/include/libnftables/ruleset.h @@ -30,7 +30,8 @@ void nft_ruleset_attr_unset(struct nft_ruleset *r, uint16_t attr); void nft_ruleset_attr_set(struct nft_ruleset *r, uint16_t attr, void *data); const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr); -int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, const char *data); +int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); int nft_ruleset_snprintf(char *buf, size_t size, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); diff --git a/include/libnftables/set.h b/include/libnftables/set.h index 13ac857..9711729 100644 --- a/include/libnftables/set.h 
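Review bot: The three new prototypes in common.h give no contract: whether `nft_parse_err_alloc()` can return NULL on allocation failure, that the object must be released with `nft_parse_err_free()`, what `nft_parse_perror` does with `str` (a perror-style prefix judging by the name, but the header should say so) and what its int return value means. Doxygen-style `/** ... */` comments on these three declarations would close that gap, since this is the interface users of the error reporting will read. Also `void nft_parse_err_free(struct nft_parse_err *);` drops the parameter name while the neighbouring prototypes keep theirs; `void nft_parse_err_free(struct nft_parse_err *err);` keeps the header consistent.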
+++ b/include/libnftables/set.h @@ -60,7 +60,8 @@ struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter); struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter); void nft_set_list_iter_destroy(struct nft_set_list_iter *iter); -int nft_set_parse(struct nft_set *s, enum nft_parse_type type, const char *data); +int nft_set_parse(struct nft_set *s, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); /* * Set elements @@ -98,7 +99,8 @@ void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s); -int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, const char *data); +int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags); int nft_set_elem_fprintf(FILE *fp, struct nft_set_elem *se, uint32_t type, uint32_t flags); diff --git a/include/libnftables/table.h b/include/libnftables/table.h index be60da9..80f2349 100644 --- a/include/libnftables/table.h +++ b/include/libnftables/table.h @@ -39,7 +39,8 @@ struct nlmsghdr; void nft_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_table *t); -int nft_table_parse(struct nft_table *t, enum nft_parse_type type, const char *data); +int nft_table_parse(struct nft_table *t, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); int nft_table_snprintf(char *buf, size_t size, struct nft_table *t, uint32_t type, uint32_t flags); int nft_table_fprintf(FILE *fp, struct nft_table *t, uint32_t type, uint32_t flags); -- cgit v1.2.3 From d34f0c0508f08a84f4351f2a9369e85ccccfe5a0 Mon Sep 17 00:00:00 2001 
From: Arturo Borrero Date: Thu, 9 Jan 2014 12:19:12 +0100 Subject: src: add interface to parse from file This patch adds a new API to parse rule-set expressed in XML/JSON from a file. A new enum nft_parse_input type is added for this purpose. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- include/libnftables/chain.h | 2 ++ include/libnftables/rule.h | 2 ++ include/libnftables/ruleset.h | 2 ++ include/libnftables/set.h | 4 ++++ include/libnftables/table.h | 2 ++ 5 files changed, 12 insertions(+) (limited to 'include') diff --git a/include/libnftables/chain.h b/include/libnftables/chain.h index dec1a77..d213bf1 100644 --- a/include/libnftables/chain.h +++ b/include/libnftables/chain.h @@ -53,6 +53,8 @@ void nft_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_chain int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, const char *data, struct nft_parse_err *err); +int nft_chain_parse_file(struct nft_chain *c, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_chain_snprintf(char *buf, size_t size, struct nft_chain *t, uint32_t type, uint32_t flags); int nft_chain_fprintf(FILE *fp, struct nft_chain *c, uint32_t type, uint32_t flags); diff --git a/include/libnftables/rule.h b/include/libnftables/rule.h index 1510203..48b9974 100644 --- a/include/libnftables/rule.h +++ b/include/libnftables/rule.h @@ -49,6 +49,8 @@ void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t); int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, const char *data, struct nft_parse_err *err); +int nft_rule_parse_file(struct nft_rule *r, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *t, uint32_t type, uint32_t flags); int nft_rule_fprintf(FILE *fp, struct nft_rule *r, uint32_t type, uint32_t flags); diff --git a/include/libnftables/ruleset.h b/include/libnftables/ruleset.h index b523346..f916fba 100644 
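Review bot: `nft_chain_parse_file` takes a `FILE *fp` but the header does not say whether the stream is read to EOF, where it is left positioned afterwards, or who closes it, and the `err` parameter is again undocumented. A short comment above the prototype such as `/* Reads fp to EOF; the caller keeps ownership of fp and closes it. */` would state the contract, worded to match the implementation, which is not part of this hunk. It would also help to say whether the amount read from fp is bounded, because a ruleset file is typically external input and a reader that loads the whole stream into memory before parsing should make that visible to callers. The same applies to the rule.h, ruleset.h, set.h and table.h prototypes added in this commit.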
--- a/include/libnftables/ruleset.h +++ b/include/libnftables/ruleset.h @@ -32,6 +32,8 @@ const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr); int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, const char *data, struct nft_parse_err *err); +int nft_ruleset_parse_file(struct nft_ruleset *rs, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_ruleset_snprintf(char *buf, size_t size, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); diff --git a/include/libnftables/set.h b/include/libnftables/set.h index 9711729..c4b1ff6 100644 --- a/include/libnftables/set.h +++ b/include/libnftables/set.h @@ -62,6 +62,8 @@ void nft_set_list_iter_destroy(struct nft_set_list_iter *iter); int nft_set_parse(struct nft_set *s, enum nft_parse_type type, const char *data, struct nft_parse_err *err); +int nft_set_parse_file(struct nft_set *s, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); /* * Set elements @@ -101,6 +103,8 @@ int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s) int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, const char *data, struct nft_parse_err *err); +int nft_set_elem_parse_file(struct nft_set_elem *e, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags); int nft_set_elem_fprintf(FILE *fp, struct nft_set_elem *se, uint32_t type, uint32_t flags); diff --git a/include/libnftables/table.h b/include/libnftables/table.h index 80f2349..64fbf88 100644 --- a/include/libnftables/table.h +++ b/include/libnftables/table.h 
@@ -41,6 +41,8 @@ void nft_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_table int nft_table_parse(struct nft_table *t, enum nft_parse_type type, const char *data, struct nft_parse_err *err); +int nft_table_parse_file(struct nft_table *t, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_table_snprintf(char *buf, size_t size, struct nft_table *t, uint32_t type, uint32_t flags); int nft_table_fprintf(FILE *fp, struct nft_table *t, uint32_t type, uint32_t flags); -- cgit v1.2.3 From 59e949294f4688bafe44b7def2972987224520c8 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 20 Jan 2014 10:26:57 +0100 Subject: rename library to libnftnl We plan to use this library name for the higher layer library. 
Signed-off-by: Pablo Neira Ayuso --- include/Makefile.am | 2 +- include/libnftables/Makefile.am | 7 -- include/libnftables/chain.h | 85 ----------------------- include/libnftables/common.h | 31 --------- include/libnftables/expr.h | 150 ---------------------------------------- include/libnftables/rule.h | 91 ------------------------ include/libnftables/ruleset.h | 44 ------------ include/libnftables/set.h | 119 ------------------------------- include/libnftables/table.h | 73 ------------------- include/libnftnl/Makefile.am | 7 ++ include/libnftnl/chain.h | 85 +++++++++++++++++++++++ include/libnftnl/common.h | 31 +++++++++ include/libnftnl/expr.h | 150 ++++++++++++++++++++++++++++++++++++++++ include/libnftnl/rule.h | 91 ++++++++++++++++++++++++ include/libnftnl/ruleset.h | 44 ++++++++++++ include/libnftnl/set.h | 119 +++++++++++++++++++++++++++++++ include/libnftnl/table.h | 73 +++++++++++++++++++ 17 files changed, 601 insertions(+), 601 deletions(-) delete mode 100644 include/libnftables/Makefile.am delete mode 100644 include/libnftables/chain.h delete mode 100644 include/libnftables/common.h delete mode 100644 include/libnftables/expr.h delete mode 100644 include/libnftables/rule.h delete mode 100644 include/libnftables/ruleset.h delete mode 100644 include/libnftables/set.h delete mode 100644 include/libnftables/table.h create mode 100644 include/libnftnl/Makefile.am create mode 100644 include/libnftnl/chain.h create mode 100644 include/libnftnl/common.h create mode 100644 include/libnftnl/expr.h create mode 100644 include/libnftnl/rule.h create mode 100644 include/libnftnl/ruleset.h create mode 100644 include/libnftnl/set.h create mode 100644 include/libnftnl/table.h (limited to 'include') diff --git a/include/Makefile.am b/include/Makefile.am index 10332b7..5976bbd 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -1,3 +1,3 @@ -SUBDIRS = libnftables linux +SUBDIRS = libnftnl linux noinst_HEADERS = linux_list.h 
diff --git a/include/libnftables/Makefile.am b/include/libnftables/Makefile.am deleted file mode 100644 index a0841d2..0000000 --- a/include/libnftables/Makefile.am +++ /dev/null @@ -1,7 +0,0 @@ -pkginclude_HEADERS = table.h \ - chain.h \ - rule.h \ - expr.h \ - set.h \ - ruleset.h \ - common.h diff --git a/include/libnftables/chain.h b/include/libnftables/chain.h deleted file mode 100644 index d213bf1..0000000 --- a/include/libnftables/chain.h +++ /dev/null 
@@ -1,85 +0,0 @@ -#ifndef _LIBNFTABLES_CHAIN_H_ -#define _LIBNFTABLES_CHAIN_H_ - -#include -#include -#include -#include - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -struct nft_chain; - -struct nft_chain *nft_chain_alloc(void); -void nft_chain_free(struct nft_chain *); - -enum { - NFT_CHAIN_ATTR_NAME = 0, - NFT_CHAIN_ATTR_FAMILY, - NFT_CHAIN_ATTR_TABLE, - NFT_CHAIN_ATTR_HOOKNUM, - NFT_CHAIN_ATTR_PRIO = 4, - NFT_CHAIN_ATTR_POLICY, - NFT_CHAIN_ATTR_USE, - NFT_CHAIN_ATTR_BYTES, - NFT_CHAIN_ATTR_PACKETS = 8, - NFT_CHAIN_ATTR_HANDLE, - NFT_CHAIN_ATTR_TYPE, -}; - -bool nft_chain_attr_is_set(const struct nft_chain *c, uint16_t attr); -void nft_chain_attr_unset(struct nft_chain *c, uint16_t attr); -void nft_chain_attr_set(struct nft_chain *t, uint16_t attr, const void *data); -void nft_chain_attr_set_u8(struct nft_chain *t, uint16_t attr, uint8_t data); -void nft_chain_attr_set_u32(struct nft_chain *t, uint16_t attr, uint32_t data); -void nft_chain_attr_set_s32(struct nft_chain *t, uint16_t attr, int32_t data); -void nft_chain_attr_set_u64(struct nft_chain *t, uint16_t attr, uint64_t data); -void nft_chain_attr_set_str(struct nft_chain *t, uint16_t attr, const char *str); - -const void *nft_chain_attr_get(struct nft_chain *c, uint16_t attr); -const char *nft_chain_attr_get_str(struct nft_chain *c, uint16_t attr); -uint8_t nft_chain_attr_get_u8(struct nft_chain *c, uint16_t attr); -uint32_t nft_chain_attr_get_u32(struct nft_chain *c, uint16_t attr); -int32_t nft_chain_attr_get_s32(struct nft_chain *c, uint16_t attr); -uint64_t nft_chain_attr_get_u64(struct nft_chain *c, uint16_t attr); - -struct nlmsghdr; - -void nft_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_chain *t); - -int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, - const char *data, struct nft_parse_err *err); -int nft_chain_parse_file(struct nft_chain *c, enum nft_parse_type type, - FILE *fp, struct nft_parse_err *err); -int nft_chain_snprintf(char *buf, size_t 
size, struct nft_chain *t, uint32_t type, uint32_t flags); -int nft_chain_fprintf(FILE *fp, struct nft_chain *c, uint32_t type, uint32_t flags); - -#define nft_chain_nlmsg_build_hdr nft_nlmsg_build_hdr -int nft_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_chain *t); - -struct nft_chain_list; - -struct nft_chain_list *nft_chain_list_alloc(void); -void nft_chain_list_free(struct nft_chain_list *list); -int nft_chain_list_is_empty(struct nft_chain_list *list); -int nft_chain_list_foreach(struct nft_chain_list *chain_list, int (*cb)(struct nft_chain *t, void *data), void *data); - -void nft_chain_list_add(struct nft_chain *r, struct nft_chain_list *list); -void nft_chain_list_add_tail(struct nft_chain *r, struct nft_chain_list *list); -void nft_chain_list_del(struct nft_chain *c); - -struct nft_chain_list_iter; - -struct nft_chain_list_iter *nft_chain_list_iter_create(struct nft_chain_list *l); -struct nft_chain *nft_chain_list_iter_next(struct nft_chain_list_iter *iter); -void nft_chain_list_iter_destroy(struct nft_chain_list_iter *iter); - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* _LIBNFTABLES_CHAIN_H_ */ diff --git a/include/libnftables/common.h b/include/libnftables/common.h deleted file mode 100644 index 1ef88ba..0000000 --- a/include/libnftables/common.h +++ /dev/null 
@@ -1,31 +0,0 @@ -#ifndef _LIBNFTABLES_COMMON_H_ -#define _LIBNFTABLES_COMMON_H_ - -enum { - NFT_PARSE_EBADINPUT = 0, - NFT_PARSE_EMISSINGNODE, - NFT_PARSE_EBADTYPE, -}; - -enum nft_output_type { - NFT_OUTPUT_DEFAULT = 0, - NFT_OUTPUT_XML, - NFT_OUTPUT_JSON, -}; - -enum nft_parse_type { - NFT_PARSE_NONE = 0, - NFT_PARSE_XML, - NFT_PARSE_JSON, - NFT_PARSE_MAX, -}; - -struct nft_parse_err; - -struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, - uint16_t type, uint32_t seq); - -struct nft_parse_err *nft_parse_err_alloc(void); -void nft_parse_err_free(struct nft_parse_err *); -int nft_parse_perror(const char *str, struct nft_parse_err *err); -#endif diff --git a/include/libnftables/expr.h b/include/libnftables/expr.h deleted file mode 100644 index 54de186..0000000 --- a/include/libnftables/expr.h +++ /dev/null 
@@ -1,150 +0,0 @@ -#ifndef _LIBNFTABLES_RULE_EXPR_H_ -#define _LIBNFTABLES_RULE_EXPR_H_ - -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -struct nft_rule_expr; - -enum { - NFT_RULE_EXPR_ATTR_NAME = 0, - NFT_RULE_EXPR_ATTR_BASE, -}; - -struct nft_rule_expr *nft_rule_expr_alloc(const char *name); -void nft_rule_expr_free(struct nft_rule_expr *expr); - -bool nft_rule_expr_is_set(const struct nft_rule_expr *expr, uint16_t type); -void nft_rule_expr_set(struct nft_rule_expr *expr, uint16_t type, const void *data, uint32_t data_len); -void nft_rule_expr_set_u8(struct nft_rule_expr *expr, uint16_t type, uint8_t data); -void nft_rule_expr_set_u16(struct nft_rule_expr *expr, uint16_t type, uint16_t data); -void nft_rule_expr_set_u32(struct nft_rule_expr *expr, uint16_t type, uint32_t data); -void nft_rule_expr_set_u64(struct nft_rule_expr *expr, uint16_t type, uint64_t data); -void nft_rule_expr_set_str(struct nft_rule_expr *expr, uint16_t type, const char *str); - -const void *nft_rule_expr_get(const struct nft_rule_expr *expr, uint16_t type, uint32_t *data_len); -uint8_t nft_rule_expr_get_u8(const struct nft_rule_expr *expr, uint16_t type); -uint16_t nft_rule_expr_get_u16(const struct nft_rule_expr *expr, uint16_t type); -uint32_t nft_rule_expr_get_u32(const struct nft_rule_expr *expr, uint16_t type); -uint64_t nft_rule_expr_get_u64(const struct nft_rule_expr *expr, uint16_t type); -const char *nft_rule_expr_get_str(const struct nft_rule_expr *expr, uint16_t type); - -struct nlmsghdr; - -void nft_rule_expr_build_payload(struct nlmsghdr *nlh, struct nft_rule_expr *expr); - -int nft_rule_expr_snprintf(char *buf, size_t buflen, struct nft_rule_expr *expr, uint32_t type, uint32_t flags); - -enum { - NFT_EXPR_PAYLOAD_DREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_PAYLOAD_BASE, - NFT_EXPR_PAYLOAD_OFFSET, - NFT_EXPR_PAYLOAD_LEN, -}; - -enum { - NFT_EXPR_META_KEY = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_META_DREG, -}; - -enum { - NFT_EXPR_CMP_SREG = 
NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_CMP_OP, - NFT_EXPR_CMP_DATA, -}; - -enum { - NFT_EXPR_IMM_DREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_IMM_DATA, - NFT_EXPR_IMM_VERDICT, - NFT_EXPR_IMM_CHAIN, -}; - -enum { - NFT_EXPR_CTR_PACKETS = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_CTR_BYTES, -}; - -enum { - NFT_EXPR_BITWISE_SREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_BITWISE_DREG, - NFT_EXPR_BITWISE_LEN, - NFT_EXPR_BITWISE_MASK, - NFT_EXPR_BITWISE_XOR, -}; - -enum { - NFT_EXPR_TG_NAME = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_TG_REV, - NFT_EXPR_TG_INFO, -}; - -enum { - NFT_EXPR_MT_NAME = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_MT_REV, - NFT_EXPR_MT_INFO, -}; - -enum { - NFT_EXPR_NAT_TYPE = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_NAT_FAMILY, - NFT_EXPR_NAT_REG_ADDR_MIN, - NFT_EXPR_NAT_REG_ADDR_MAX, - NFT_EXPR_NAT_REG_PROTO_MIN, - NFT_EXPR_NAT_REG_PROTO_MAX, -}; - -enum { - NFT_EXPR_LOOKUP_SREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_LOOKUP_DREG, - NFT_EXPR_LOOKUP_SET, -}; - -enum { - NFT_EXPR_LOG_PREFIX = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_LOG_GROUP, - NFT_EXPR_LOG_SNAPLEN, - NFT_EXPR_LOG_QTHRESHOLD, -}; - -enum { - NFT_EXPR_EXTHDR_DREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_EXTHDR_TYPE, - NFT_EXPR_EXTHDR_OFFSET, - NFT_EXPR_EXTHDR_LEN, -}; - -enum { - NFT_EXPR_CT_DREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_CT_KEY, - NFT_EXPR_CT_DIR, -}; - -enum { - NFT_EXPR_BYTEORDER_DREG = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_BYTEORDER_SREG, - NFT_EXPR_BYTEORDER_OP, - NFT_EXPR_BYTEORDER_LEN, - NFT_EXPR_BYTEORDER_SIZE, -}; - -enum { - NFT_EXPR_LIMIT_RATE = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_LIMIT_UNIT, -}; - -enum { - NFT_EXPR_REJECT_TYPE = NFT_RULE_EXPR_ATTR_BASE, - NFT_EXPR_REJECT_CODE, -}; - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* _LIBNFTABLES_RULE_EXPR_H_ */ diff --git a/include/libnftables/rule.h b/include/libnftables/rule.h deleted file mode 100644 index 48b9974..0000000 --- a/include/libnftables/rule.h +++ /dev/null 
@@ -1,91 +0,0 @@ -#ifndef _LIBNFTABLES_RULE_H_ -#define _LIBNFTABLES_RULE_H_ - -#include -#include -#include -#include - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -struct nft_rule; -struct nft_rule_expr; - -struct nft_rule *nft_rule_alloc(void); -void nft_rule_free(struct nft_rule *); - -enum { - NFT_RULE_ATTR_FAMILY = 0, - NFT_RULE_ATTR_TABLE, - NFT_RULE_ATTR_CHAIN, - NFT_RULE_ATTR_HANDLE, - NFT_RULE_ATTR_COMPAT_PROTO, - NFT_RULE_ATTR_COMPAT_FLAGS, - NFT_RULE_ATTR_POSITION, -}; - -void nft_rule_attr_unset(struct nft_rule *r, uint16_t attr); -bool nft_rule_attr_is_set(const struct nft_rule *r, uint16_t attr); -void nft_rule_attr_set(struct nft_rule *r, uint16_t attr, const void *data); -void nft_rule_attr_set_u32(struct nft_rule *r, uint16_t attr, uint32_t val); -void nft_rule_attr_set_u64(struct nft_rule *r, uint16_t attr, uint64_t val); -void nft_rule_attr_set_str(struct nft_rule *r, uint16_t attr, const char *str); - -const void *nft_rule_attr_get(const struct nft_rule *r, uint16_t attr); -const char *nft_rule_attr_get_str(const struct nft_rule *r, uint16_t attr); -uint8_t nft_rule_attr_get_u8(const struct nft_rule *r, uint16_t attr); -uint32_t nft_rule_attr_get_u32(const struct nft_rule *r, uint16_t attr); -uint64_t nft_rule_attr_get_u64(const struct nft_rule *r, uint16_t attr); - -void nft_rule_add_expr(struct nft_rule *r, struct nft_rule_expr *expr); - -struct nlmsghdr; - -void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t); - -int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, - const char *data, struct nft_parse_err *err); -int nft_rule_parse_file(struct nft_rule *r, enum nft_parse_type type, - FILE *fp, struct nft_parse_err *err); -int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *t, uint32_t type, uint32_t flags); -int nft_rule_fprintf(FILE *fp, struct nft_rule *r, uint32_t type, uint32_t flags); - -#define nft_rule_nlmsg_build_hdr nft_nlmsg_build_hdr -int nft_rule_nlmsg_parse(const struct 
nlmsghdr *nlh, struct nft_rule *t); - -int nft_rule_expr_foreach(struct nft_rule *r, - int (*cb)(struct nft_rule_expr *e, void *data), - void *data); - -struct nft_rule_expr_iter; - -struct nft_rule_expr_iter *nft_rule_expr_iter_create(struct nft_rule *r); -struct nft_rule_expr *nft_rule_expr_iter_next(struct nft_rule_expr_iter *iter); -void nft_rule_expr_iter_destroy(struct nft_rule_expr_iter *iter); - -struct nft_rule_list; - -struct nft_rule_list *nft_rule_list_alloc(void); -void nft_rule_list_free(struct nft_rule_list *list); -int nft_rule_list_is_empty(struct nft_rule_list *list); -void nft_rule_list_add(struct nft_rule *r, struct nft_rule_list *list); -void nft_rule_list_add_tail(struct nft_rule *r, struct nft_rule_list *list); -void nft_rule_list_del(struct nft_rule *r); -int nft_rule_list_foreach(struct nft_rule_list *rule_list, int (*cb)(struct nft_rule *t, void *data), void *data); - -struct nft_rule_list_iter; - -struct nft_rule_list_iter *nft_rule_list_iter_create(struct nft_rule_list *l); -struct nft_rule *nft_rule_list_iter_cur(struct nft_rule_list_iter *iter); -struct nft_rule *nft_rule_list_iter_next(struct nft_rule_list_iter *iter); -void nft_rule_list_iter_destroy(struct nft_rule_list_iter *iter); - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* _LIBNFTABLES_RULE_H_ */ diff --git a/include/libnftables/ruleset.h b/include/libnftables/ruleset.h deleted file mode 100644 index f916fba..0000000 --- a/include/libnftables/ruleset.h +++ /dev/null 
@@ -1,44 +0,0 @@
-#ifndef _LIBNFTABLES_RULESET_H_
-#define _LIBNFTABLES_RULESET_H_
-
-#include
-
-#include
-#include
-#include
-
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-struct nft_ruleset;
-
-struct nft_ruleset *nft_ruleset_alloc(void);
-void nft_ruleset_free(struct nft_ruleset *r);
-
-enum {
- NFT_RULESET_ATTR_TABLELIST = 0,
- NFT_RULESET_ATTR_CHAINLIST,
- NFT_RULESET_ATTR_SETLIST,
- NFT_RULESET_ATTR_RULELIST,
-};
-
-bool nft_ruleset_attr_is_set(const struct nft_ruleset *r, uint16_t attr);
-void nft_ruleset_attr_unset(struct nft_ruleset *r, uint16_t attr);
-void nft_ruleset_attr_set(struct nft_ruleset *r, uint16_t attr, void *data);
-const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr);
-
-int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type,
- const char *data, struct nft_parse_err *err);
-int nft_ruleset_parse_file(struct nft_ruleset *rs, enum nft_parse_type type,
- FILE *fp, struct nft_parse_err *err);
-int nft_ruleset_snprintf(char *buf, size_t size, const struct nft_ruleset *rs, uint32_t type, uint32_t flags);
-int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, uint32_t flags);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* _LIBNFTABLES_RULESET_H_ */
diff --git a/include/libnftables/set.h b/include/libnftables/set.h
deleted file mode 100644
index c4b1ff6..0000000
--- a/include/libnftables/set.h
+++ /dev/null
@@ -1,119 +0,0 @@
-#ifndef _LIBNFTABLES_SET_H_
-#define _LIBNFTABLES_SET_H_
-
-#include
-#include
-#include
-#include
-
-#include
-
-enum {
- NFT_SET_ATTR_TABLE,
- NFT_SET_ATTR_NAME,
- NFT_SET_ATTR_FLAGS,
- NFT_SET_ATTR_KEY_TYPE,
- NFT_SET_ATTR_KEY_LEN,
- NFT_SET_ATTR_DATA_TYPE,
- NFT_SET_ATTR_DATA_LEN,
- NFT_SET_ATTR_FAMILY,
-};
-
-struct nft_set;
-
-struct nft_set *nft_set_alloc(void);
-void nft_set_free(struct nft_set *s);
-
-bool nft_set_attr_is_set(const struct nft_set *s, uint16_t attr);
-void nft_set_attr_unset(struct nft_set *s, uint16_t attr);
-void nft_set_attr_set(struct nft_set *s, uint16_t attr, const void *data);
-void nft_set_attr_set_u32(struct nft_set *s, uint16_t attr, uint32_t val);
-void nft_set_attr_set_str(struct nft_set *s, uint16_t attr, const char *str);
-
-const void *nft_set_attr_get(struct nft_set *s, uint16_t attr);
-const char *nft_set_attr_get_str(struct nft_set *s, uint16_t attr);
-uint32_t nft_set_attr_get_u32(struct nft_set *s, uint16_t attr);
-
-struct nlmsghdr;
-
-#define nft_set_nlmsg_build_hdr nft_nlmsg_build_hdr
-void nft_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set *s);
-int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s);
-int nft_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s);
-
-int nft_set_snprintf(char *buf, size_t size, struct nft_set *s, uint32_t type, uint32_t flags);
-int nft_set_fprintf(FILE *fp, struct nft_set *s, uint32_t type, uint32_t flags);
-
-struct nft_set_list;
-
-struct nft_set_list *nft_set_list_alloc(void);
-void nft_set_list_free(struct nft_set_list *list);
-int nft_set_list_is_empty(struct nft_set_list *list);
-void nft_set_list_add(struct nft_set *s, struct nft_set_list *list);
-void nft_set_list_add_tail(struct nft_set *s, struct nft_set_list *list);
-void nft_set_list_del(struct nft_set *s);
-int nft_set_list_foreach(struct nft_set_list *set_list, int (*cb)(struct nft_set *t, void *data), void *data);
-
-struct nft_set_list_iter;
-struct nft_set_list_iter *nft_set_list_iter_create(struct nft_set_list *l);
-struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter);
-struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter);
-void nft_set_list_iter_destroy(struct nft_set_list_iter *iter);
-
-int nft_set_parse(struct nft_set *s, enum nft_parse_type type,
- const char *data, struct nft_parse_err *err);
-int nft_set_parse_file(struct nft_set *s, enum nft_parse_type type,
- FILE *fp, struct nft_parse_err *err);
-
-/*
- * Set elements
- */
-
-enum {
- NFT_SET_ELEM_ATTR_FLAGS,
- NFT_SET_ELEM_ATTR_KEY,
- NFT_SET_ELEM_ATTR_VERDICT,
- NFT_SET_ELEM_ATTR_CHAIN,
- NFT_SET_ELEM_ATTR_DATA,
-};
-
-struct nft_set_elem;
-
-struct nft_set_elem *nft_set_elem_alloc(void);
-void nft_set_elem_free(struct nft_set_elem *s);
-
-void nft_set_elem_add(struct nft_set *s, struct nft_set_elem *elem);
-
-void nft_set_elem_attr_unset(struct nft_set_elem *s, uint16_t attr);
-void nft_set_elem_attr_set(struct nft_set_elem *s, uint16_t attr, const void *data, uint32_t data_len);
-void nft_set_elem_attr_set_u32(struct nft_set_elem *s, uint16_t attr, uint32_t val);
-void nft_set_elem_attr_set_str(struct nft_set_elem *s, uint16_t attr, const char *str);
-
-const void *nft_set_elem_attr_get(struct nft_set_elem *s, uint16_t attr, uint32_t *data_len);
-const char *nft_set_elem_attr_get_str(struct nft_set_elem *s, uint16_t attr);
-uint32_t nft_set_elem_attr_get_u32(struct nft_set_elem *s, uint16_t attr);
-
-bool nft_set_elem_attr_is_set(const struct nft_set_elem *s, uint16_t attr);
-
-#define nft_set_elem_nlmsg_build_hdr nft_nlmsg_build_hdr
-void nft_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set *s);
-void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem *e);
-
-int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s);
-
-int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type,
- const char *data, struct nft_parse_err *err);
-int nft_set_elem_parse_file(struct nft_set_elem *e, enum nft_parse_type type,
- FILE *fp, struct nft_parse_err *err);
-int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags);
-int nft_set_elem_fprintf(FILE *fp, struct nft_set_elem *se, uint32_t type, uint32_t flags);
-
-int nft_set_elem_foreach(struct nft_set *s, int (*cb)(struct nft_set_elem *e, void *data), void *data);
-
-struct nft_set_elems_iter;
-struct nft_set_elems_iter *nft_set_elems_iter_create(struct nft_set *s);
-struct nft_set_elem *nft_set_elems_iter_cur(struct nft_set_elems_iter *iter);
-struct nft_set_elem *nft_set_elems_iter_next(struct nft_set_elems_iter *iter);
-void nft_set_elems_iter_destroy(struct nft_set_elems_iter *iter);
-
-#endif /* _LIBNFTABLES_SET_H_ */
diff --git a/include/libnftables/table.h b/include/libnftables/table.h
deleted file mode 100644
index 64fbf88..0000000
--- a/include/libnftables/table.h
+++ /dev/null
@@ -1,73 +0,0 @@
-#ifndef _LIBNFTABLES_TABLE_H_
-#define _LIBNFTABLES_TABLE_H_
-
-#include
-#include
-#include
-#include
-
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-struct nft_table;
-
-struct nft_table *nft_table_alloc(void);
-void nft_table_free(struct nft_table *);
-
-enum {
- NFT_TABLE_ATTR_NAME = 0,
- NFT_TABLE_ATTR_FAMILY,
- NFT_TABLE_ATTR_FLAGS,
-};
-
-bool nft_table_attr_is_set(const struct nft_table *t, uint16_t attr);
-void nft_table_attr_unset(struct nft_table *t, uint16_t attr);
-void nft_table_attr_set(struct nft_table *t, uint16_t attr, const void *data);
-const void *nft_table_attr_get(struct nft_table *t, uint16_t attr);
-
-void nft_table_attr_set_u8(struct nft_table *t, uint16_t attr, uint8_t data);
-void nft_table_attr_set_u32(struct nft_table *t, uint16_t attr, uint32_t data);
-void nft_table_attr_set_str(struct nft_table *t, uint16_t attr, const char *str);
-uint8_t nft_table_attr_get_u8(struct nft_table *t, uint16_t attr);
-uint32_t nft_table_attr_get_u32(struct nft_table *t, uint16_t attr);
-const char *nft_table_attr_get_str(struct nft_table *t, uint16_t attr);
-
-struct nlmsghdr;
-
-void nft_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_table *t);
-
-int nft_table_parse(struct nft_table *t, enum nft_parse_type type,
- const char *data, struct nft_parse_err *err);
-int nft_table_parse_file(struct nft_table *t, enum nft_parse_type type,
- FILE *fp, struct nft_parse_err *err);
-int nft_table_snprintf(char *buf, size_t size, struct nft_table *t, uint32_t type, uint32_t flags);
-int nft_table_fprintf(FILE *fp, struct nft_table *t, uint32_t type, uint32_t flags);
-
-#define nft_table_nlmsg_build_hdr nft_nlmsg_build_hdr
-int nft_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_table *t);
-
-struct nft_table_list;
-
-struct nft_table_list *nft_table_list_alloc(void);
-void nft_table_list_free(struct nft_table_list *list);
-int nft_table_list_is_empty(struct nft_table_list *list);
-int nft_table_list_foreach(struct nft_table_list *table_list, int (*cb)(struct nft_table *t, void *data), void *data);
-
-void nft_table_list_add(struct nft_table *r, struct nft_table_list *list);
-void nft_table_list_add_tail(struct nft_table *r, struct nft_table_list *list);
-void nft_table_list_del(struct nft_table *r);
-
-struct nft_table_list_iter;
-
-struct nft_table_list_iter *nft_table_list_iter_create(struct nft_table_list *l);
-struct nft_table *nft_table_list_iter_next(struct nft_table_list_iter *iter);
-void nft_table_list_iter_destroy(struct nft_table_list_iter *iter);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* _LIBNFTABLES_TABLE_H_ */
diff --git a/include/libnftnl/Makefile.am b/include/libnftnl/Makefile.am
new file mode 100644
index 0000000..a0841d2
--- /dev/null
+++ b/include/libnftnl/Makefile.am
@@ -0,0 +1,7 @@
+pkginclude_HEADERS = table.h \
+ chain.h \
+ rule.h \
+ expr.h \
+ set.h \
+ ruleset.h \
+ common.h
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
new file mode 100644
index 0000000..66626d8
--- /dev/null
+++ b/include/libnftnl/chain.h
@@ -0,0 +1,85 @@
+#ifndef _LIBNFTNL_CHAIN_H_
+#define _LIBNFTNL_CHAIN_H_
+
+#include
+#include
+#include
+#include
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nft_chain;
+
+struct nft_chain *nft_chain_alloc(void);
+void nft_chain_free(struct nft_chain *);
+
+enum {
+ NFT_CHAIN_ATTR_NAME = 0,
+ NFT_CHAIN_ATTR_FAMILY,
+ NFT_CHAIN_ATTR_TABLE,
+ NFT_CHAIN_ATTR_HOOKNUM,
+ NFT_CHAIN_ATTR_PRIO = 4,
+ NFT_CHAIN_ATTR_POLICY,
+ NFT_CHAIN_ATTR_USE,
+ NFT_CHAIN_ATTR_BYTES,
+ NFT_CHAIN_ATTR_PACKETS = 8,
+ NFT_CHAIN_ATTR_HANDLE,
+ NFT_CHAIN_ATTR_TYPE,
+};
+
+bool nft_chain_attr_is_set(const struct nft_chain *c, uint16_t attr);
+void nft_chain_attr_unset(struct nft_chain *c, uint16_t attr);
+void nft_chain_attr_set(struct nft_chain *t, uint16_t attr, const void *data);
+void nft_chain_attr_set_u8(struct nft_chain *t, uint16_t attr, uint8_t data);
+void nft_chain_attr_set_u32(struct nft_chain *t, uint16_t attr, uint32_t data);
+void nft_chain_attr_set_s32(struct nft_chain *t, uint16_t attr, int32_t data);
+void nft_chain_attr_set_u64(struct nft_chain *t, uint16_t attr, uint64_t data);
+void nft_chain_attr_set_str(struct nft_chain *t, uint16_t attr, const char *str);
+
+const void *nft_chain_attr_get(struct nft_chain *c, uint16_t attr);
+const char *nft_chain_attr_get_str(struct nft_chain *c, uint16_t attr);
+uint8_t nft_chain_attr_get_u8(struct nft_chain *c, uint16_t attr);
+uint32_t nft_chain_attr_get_u32(struct nft_chain *c, uint16_t attr);
+int32_t nft_chain_attr_get_s32(struct nft_chain *c, uint16_t attr);
+uint64_t nft_chain_attr_get_u64(struct nft_chain *c, uint16_t attr);
+
+struct nlmsghdr;
+
+void nft_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_chain *t);
+
+int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type,
+ const char *data, struct nft_parse_err *err);
+int nft_chain_parse_file(struct nft_chain *c, enum nft_parse_type type,
+ FILE *fp, struct nft_parse_err *err);
+int nft_chain_snprintf(char *buf, size_t size, struct nft_chain *t, uint32_t type, uint32_t flags);
+int nft_chain_fprintf(FILE *fp, struct nft_chain *c, uint32_t type, uint32_t flags);
+
+#define nft_chain_nlmsg_build_hdr nft_nlmsg_build_hdr
+int nft_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_chain *t);
+
+struct nft_chain_list;
+
+struct nft_chain_list *nft_chain_list_alloc(void);
+void nft_chain_list_free(struct nft_chain_list *list);
+int nft_chain_list_is_empty(struct nft_chain_list *list);
+int nft_chain_list_foreach(struct nft_chain_list *chain_list, int (*cb)(struct nft_chain *t, void *data), void *data);
+
+void nft_chain_list_add(struct nft_chain *r, struct nft_chain_list *list);
+void nft_chain_list_add_tail(struct nft_chain *r, struct nft_chain_list *list);
+void nft_chain_list_del(struct nft_chain *c);
+
+struct nft_chain_list_iter;
+
+struct nft_chain_list_iter *nft_chain_list_iter_create(struct nft_chain_list *l);
+struct nft_chain *nft_chain_list_iter_next(struct nft_chain_list_iter *iter);
+void nft_chain_list_iter_destroy(struct nft_chain_list_iter *iter);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_CHAIN_H_ */
diff --git a/include/libnftnl/common.h b/include/libnftnl/common.h
new file mode 100644
index 0000000..9d18b2b
--- /dev/null
+++ b/include/libnftnl/common.h
@@ -0,0 +1,31 @@
+#ifndef _LIBNFTNL_COMMON_H_
+#define _LIBNFTNL_COMMON_H_
+
+enum {
+ NFT_PARSE_EBADINPUT = 0,
+ NFT_PARSE_EMISSINGNODE,
+ NFT_PARSE_EBADTYPE,
+};
+
+enum nft_output_type {
+ NFT_OUTPUT_DEFAULT = 0,
+ NFT_OUTPUT_XML,
+ NFT_OUTPUT_JSON,
+};
+
+enum nft_parse_type {
+ NFT_PARSE_NONE = 0,
+ NFT_PARSE_XML,
+ NFT_PARSE_JSON,
+ NFT_PARSE_MAX,
+};
+
+struct nft_parse_err;
+
+struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family,
+ uint16_t type, uint32_t seq);
+
+struct nft_parse_err *nft_parse_err_alloc(void);
+void nft_parse_err_free(struct nft_parse_err *);
+int nft_parse_perror(const char *str, struct nft_parse_err *err);
+#endif
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
new file mode 100644
index 0000000..a2f44df
--- /dev/null
+++ b/include/libnftnl/expr.h
@@ -0,0 +1,150 @@
+#ifndef _LIBNFTNL_RULE_EXPR_H_
+#define _LIBNFTNL_RULE_EXPR_H_
+
+#include
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nft_rule_expr;
+
+enum {
+ NFT_RULE_EXPR_ATTR_NAME = 0,
+ NFT_RULE_EXPR_ATTR_BASE,
+};
+
+struct nft_rule_expr *nft_rule_expr_alloc(const char *name);
+void nft_rule_expr_free(struct nft_rule_expr *expr);
+
+bool nft_rule_expr_is_set(const struct nft_rule_expr *expr, uint16_t type);
+void nft_rule_expr_set(struct nft_rule_expr *expr, uint16_t type, const void *data, uint32_t data_len);
+void nft_rule_expr_set_u8(struct nft_rule_expr *expr, uint16_t type, uint8_t data);
+void nft_rule_expr_set_u16(struct nft_rule_expr *expr, uint16_t type, uint16_t data);
+void nft_rule_expr_set_u32(struct nft_rule_expr *expr, uint16_t type, uint32_t data);
+void nft_rule_expr_set_u64(struct nft_rule_expr *expr, uint16_t type, uint64_t data);
+void nft_rule_expr_set_str(struct nft_rule_expr *expr, uint16_t type, const char *str);
+
+const void *nft_rule_expr_get(const struct nft_rule_expr *expr, uint16_t type, uint32_t *data_len);
+uint8_t nft_rule_expr_get_u8(const struct nft_rule_expr *expr, uint16_t type);
+uint16_t nft_rule_expr_get_u16(const struct nft_rule_expr *expr, uint16_t type);
+uint32_t nft_rule_expr_get_u32(const struct nft_rule_expr *expr, uint16_t type);
+uint64_t nft_rule_expr_get_u64(const struct nft_rule_expr *expr, uint16_t type);
+const char *nft_rule_expr_get_str(const struct nft_rule_expr *expr, uint16_t type);
+
+struct nlmsghdr;
+
+void nft_rule_expr_build_payload(struct nlmsghdr *nlh, struct nft_rule_expr *expr);
+
+int nft_rule_expr_snprintf(char *buf, size_t buflen, struct nft_rule_expr *expr, uint32_t type, uint32_t flags);
+
+enum {
+ NFT_EXPR_PAYLOAD_DREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_PAYLOAD_BASE,
+ NFT_EXPR_PAYLOAD_OFFSET,
+ NFT_EXPR_PAYLOAD_LEN,
+};
+
+enum {
+ NFT_EXPR_META_KEY = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_META_DREG,
+};
+
+enum {
+ NFT_EXPR_CMP_SREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_CMP_OP,
+ NFT_EXPR_CMP_DATA,
+};
+
+enum {
+ NFT_EXPR_IMM_DREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_IMM_DATA,
+ NFT_EXPR_IMM_VERDICT,
+ NFT_EXPR_IMM_CHAIN,
+};
+
+enum {
+ NFT_EXPR_CTR_PACKETS = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_CTR_BYTES,
+};
+
+enum {
+ NFT_EXPR_BITWISE_SREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_BITWISE_DREG,
+ NFT_EXPR_BITWISE_LEN,
+ NFT_EXPR_BITWISE_MASK,
+ NFT_EXPR_BITWISE_XOR,
+};
+
+enum {
+ NFT_EXPR_TG_NAME = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_TG_REV,
+ NFT_EXPR_TG_INFO,
+};
+
+enum {
+ NFT_EXPR_MT_NAME = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_MT_REV,
+ NFT_EXPR_MT_INFO,
+};
+
+enum {
+ NFT_EXPR_NAT_TYPE = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_NAT_FAMILY,
+ NFT_EXPR_NAT_REG_ADDR_MIN,
+ NFT_EXPR_NAT_REG_ADDR_MAX,
+ NFT_EXPR_NAT_REG_PROTO_MIN,
+ NFT_EXPR_NAT_REG_PROTO_MAX,
+};
+
+enum {
+ NFT_EXPR_LOOKUP_SREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_LOOKUP_DREG,
+ NFT_EXPR_LOOKUP_SET,
+};
+
+enum {
+ NFT_EXPR_LOG_PREFIX = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_LOG_GROUP,
+ NFT_EXPR_LOG_SNAPLEN,
+ NFT_EXPR_LOG_QTHRESHOLD,
+};
+
+enum {
+ NFT_EXPR_EXTHDR_DREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_EXTHDR_TYPE,
+ NFT_EXPR_EXTHDR_OFFSET,
+ NFT_EXPR_EXTHDR_LEN,
+};
+
+enum {
+ NFT_EXPR_CT_DREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_CT_KEY,
+ NFT_EXPR_CT_DIR,
+};
+
+enum {
+ NFT_EXPR_BYTEORDER_DREG = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_BYTEORDER_SREG,
+ NFT_EXPR_BYTEORDER_OP,
+ NFT_EXPR_BYTEORDER_LEN,
+ NFT_EXPR_BYTEORDER_SIZE,
+};
+
+enum {
+ NFT_EXPR_LIMIT_RATE = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_LIMIT_UNIT,
+};
+
+enum {
+ NFT_EXPR_REJECT_TYPE = NFT_RULE_EXPR_ATTR_BASE,
+ NFT_EXPR_REJECT_CODE,
+};
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_RULE_EXPR_H_ */
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
new file mode 100644
index 0000000..4033d3c
--- /dev/null
+++ b/include/libnftnl/rule.h
@@ -0,0 +1,91 @@
+#ifndef _LIBNFTNL_RULE_H_
+#define _LIBNFTNL_RULE_H_
+
+#include
+#include
+#include
+#include
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nft_rule;
+struct nft_rule_expr;
+
+struct nft_rule *nft_rule_alloc(void);
+void nft_rule_free(struct nft_rule *);
+
+enum {
+ NFT_RULE_ATTR_FAMILY = 0,
+ NFT_RULE_ATTR_TABLE,
+ NFT_RULE_ATTR_CHAIN,
+ NFT_RULE_ATTR_HANDLE,
+ NFT_RULE_ATTR_COMPAT_PROTO,
+ NFT_RULE_ATTR_COMPAT_FLAGS,
+ NFT_RULE_ATTR_POSITION,
+};
+
+void nft_rule_attr_unset(struct nft_rule *r, uint16_t attr);
+bool nft_rule_attr_is_set(const struct nft_rule *r, uint16_t attr);
+void nft_rule_attr_set(struct nft_rule *r, uint16_t attr, const void *data);
+void nft_rule_attr_set_u32(struct nft_rule *r, uint16_t attr, uint32_t val);
+void nft_rule_attr_set_u64(struct nft_rule *r, uint16_t attr, uint64_t val);
+void nft_rule_attr_set_str(struct nft_rule *r, uint16_t attr, const char *str);
+
+const void *nft_rule_attr_get(const struct nft_rule *r, uint16_t attr);
+const char *nft_rule_attr_get_str(const struct nft_rule *r, uint16_t attr);
+uint8_t nft_rule_attr_get_u8(const struct nft_rule *r, uint16_t attr);
+uint32_t nft_rule_attr_get_u32(const struct nft_rule *r, uint16_t attr);
+uint64_t nft_rule_attr_get_u64(const struct nft_rule *r, uint16_t attr);
+
+void nft_rule_add_expr(struct nft_rule *r, struct nft_rule_expr *expr);
+
+struct nlmsghdr;
+
+void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t);
+
+int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type,
+ const char *data, struct nft_parse_err *err);
+int nft_rule_parse_file(struct nft_rule *r, enum nft_parse_type type,
+ FILE *fp, struct nft_parse_err *err);
+int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *t, uint32_t type, uint32_t flags);
+int nft_rule_fprintf(FILE *fp, struct nft_rule *r, uint32_t type, uint32_t flags);
+
+#define nft_rule_nlmsg_build_hdr nft_nlmsg_build_hdr
+int nft_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_rule *t);
+
+int nft_rule_expr_foreach(struct nft_rule *r,
+ int (*cb)(struct nft_rule_expr *e, void *data),
+ void *data);
+
+struct nft_rule_expr_iter;
+
+struct nft_rule_expr_iter *nft_rule_expr_iter_create(struct nft_rule *r);
+struct nft_rule_expr *nft_rule_expr_iter_next(struct nft_rule_expr_iter *iter);
+void nft_rule_expr_iter_destroy(struct nft_rule_expr_iter *iter);
+
+struct nft_rule_list;
+
+struct nft_rule_list *nft_rule_list_alloc(void);
+void nft_rule_list_free(struct nft_rule_list *list);
+int nft_rule_list_is_empty(struct nft_rule_list *list);
+void nft_rule_list_add(struct nft_rule *r, struct nft_rule_list *list);
+void nft_rule_list_add_tail(struct nft_rule *r, struct nft_rule_list *list);
+void nft_rule_list_del(struct nft_rule *r);
+int nft_rule_list_foreach(struct nft_rule_list *rule_list, int (*cb)(struct nft_rule *t, void *data), void *data);
+
+struct nft_rule_list_iter;
+
+struct nft_rule_list_iter *nft_rule_list_iter_create(struct nft_rule_list *l);
+struct nft_rule *nft_rule_list_iter_cur(struct nft_rule_list_iter *iter);
+struct nft_rule *nft_rule_list_iter_next(struct nft_rule_list_iter *iter);
+void nft_rule_list_iter_destroy(struct nft_rule_list_iter *iter);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_RULE_H_ */
diff --git a/include/libnftnl/ruleset.h b/include/libnftnl/ruleset.h
new file mode 100644
index 0000000..6f89110
--- /dev/null
+++ b/include/libnftnl/ruleset.h
@@ -0,0 +1,44 @@
+#ifndef _LIBNFTNL_RULESET_H_
+#define _LIBNFTNL_RULESET_H_
+
+#include
+
+#include
+#include
+#include
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nft_ruleset;
+
+struct nft_ruleset *nft_ruleset_alloc(void);
+void nft_ruleset_free(struct nft_ruleset *r);
+
+enum {
+ NFT_RULESET_ATTR_TABLELIST = 0,
+ NFT_RULESET_ATTR_CHAINLIST,
+ NFT_RULESET_ATTR_SETLIST,
+ NFT_RULESET_ATTR_RULELIST,
+};
+
+bool nft_ruleset_attr_is_set(const struct nft_ruleset *r, uint16_t attr);
+void nft_ruleset_attr_unset(struct nft_ruleset *r, uint16_t attr);
+void nft_ruleset_attr_set(struct nft_ruleset *r, uint16_t attr, void *data);
+const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr);
+
+int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type,
+ const char *data, struct nft_parse_err *err);
+int nft_ruleset_parse_file(struct nft_ruleset *rs, enum nft_parse_type type,
+ FILE *fp, struct nft_parse_err *err);
+int nft_ruleset_snprintf(char *buf, size_t size, const struct nft_ruleset *rs, uint32_t type, uint32_t flags);
+int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, uint32_t flags);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_RULESET_H_ */
diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
new file mode 100644
index 0000000..7fa9fb2
--- /dev/null
+++ b/include/libnftnl/set.h
@@ -0,0 +1,119 @@
+#ifndef _LIBNFTNL_SET_H_
+#define _LIBNFTNL_SET_H_
+
+#include
+#include
+#include
+#include
+
+#include
+
+enum {
+ NFT_SET_ATTR_TABLE,
+ NFT_SET_ATTR_NAME,
+ NFT_SET_ATTR_FLAGS,
+ NFT_SET_ATTR_KEY_TYPE,
+ NFT_SET_ATTR_KEY_LEN,
+ NFT_SET_ATTR_DATA_TYPE,
+ NFT_SET_ATTR_DATA_LEN,
+ NFT_SET_ATTR_FAMILY,
+};
+
+struct nft_set;
+
+struct nft_set *nft_set_alloc(void);
+void nft_set_free(struct nft_set *s);
+
+bool nft_set_attr_is_set(const struct nft_set *s, uint16_t attr);
+void nft_set_attr_unset(struct nft_set *s, uint16_t attr);
+void nft_set_attr_set(struct nft_set *s, uint16_t attr, const void *data);
+void nft_set_attr_set_u32(struct nft_set *s, uint16_t attr, uint32_t val);
+void nft_set_attr_set_str(struct nft_set *s, uint16_t attr, const char *str);
+
+const void *nft_set_attr_get(struct nft_set *s, uint16_t attr);
+const char *nft_set_attr_get_str(struct nft_set *s, uint16_t attr);
+uint32_t nft_set_attr_get_u32(struct nft_set *s, uint16_t attr);
+
+struct nlmsghdr;
+
+#define nft_set_nlmsg_build_hdr nft_nlmsg_build_hdr
+void nft_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set *s);
+int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s);
+int nft_set_elems_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s);
+
+int nft_set_snprintf(char *buf, size_t size, struct nft_set *s, uint32_t type, uint32_t flags);
+int nft_set_fprintf(FILE *fp, struct nft_set *s, uint32_t type, uint32_t flags);
+
+struct nft_set_list;
+
+struct nft_set_list *nft_set_list_alloc(void);
+void nft_set_list_free(struct nft_set_list *list);
+int nft_set_list_is_empty(struct nft_set_list *list);
+void nft_set_list_add(struct nft_set *s, struct nft_set_list *list);
+void nft_set_list_add_tail(struct nft_set *s, struct nft_set_list *list);
+void nft_set_list_del(struct nft_set *s);
+int nft_set_list_foreach(struct nft_set_list *set_list, int (*cb)(struct nft_set *t, void *data), void *data);
+
+struct nft_set_list_iter;
+struct nft_set_list_iter *nft_set_list_iter_create(struct nft_set_list *l);
+struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter);
+struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter);
+void nft_set_list_iter_destroy(struct nft_set_list_iter *iter);
+
+int nft_set_parse(struct nft_set *s, enum nft_parse_type type,
+ const char *data, struct nft_parse_err *err);
+int nft_set_parse_file(struct nft_set *s, enum nft_parse_type type,
+ FILE *fp, struct nft_parse_err *err);
+
+/*
+ * Set elements
+ */
+
+enum {
+ NFT_SET_ELEM_ATTR_FLAGS,
+ NFT_SET_ELEM_ATTR_KEY,
+ NFT_SET_ELEM_ATTR_VERDICT,
+ NFT_SET_ELEM_ATTR_CHAIN,
+ NFT_SET_ELEM_ATTR_DATA,
+};
+
+struct nft_set_elem;
+
+struct nft_set_elem *nft_set_elem_alloc(void);
+void nft_set_elem_free(struct nft_set_elem *s);
+
+void nft_set_elem_add(struct nft_set *s, struct nft_set_elem *elem);
+
+void nft_set_elem_attr_unset(struct nft_set_elem *s, uint16_t attr);
+void nft_set_elem_attr_set(struct nft_set_elem *s, uint16_t attr, const void *data, uint32_t data_len);
+void nft_set_elem_attr_set_u32(struct nft_set_elem *s, uint16_t attr, uint32_t val);
+void nft_set_elem_attr_set_str(struct nft_set_elem *s, uint16_t attr, const char *str);
+
+const void *nft_set_elem_attr_get(struct nft_set_elem *s, uint16_t attr, uint32_t *data_len);
+const char *nft_set_elem_attr_get_str(struct nft_set_elem *s, uint16_t attr);
+uint32_t nft_set_elem_attr_get_u32(struct nft_set_elem *s, uint16_t attr);
+
+bool nft_set_elem_attr_is_set(const struct nft_set_elem *s, uint16_t attr);
+
+#define nft_set_elem_nlmsg_build_hdr nft_nlmsg_build_hdr
+void nft_set_elems_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set *s);
+void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem *e);
+
+int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s);
+
+int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type,
+ const char *data, struct nft_parse_err *err);
+int nft_set_elem_parse_file(struct nft_set_elem *e, enum nft_parse_type type,
+ FILE *fp, struct nft_parse_err *err);
+int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags);
+int nft_set_elem_fprintf(FILE *fp, struct nft_set_elem *se, uint32_t type, uint32_t flags);
+
+int nft_set_elem_foreach(struct nft_set *s, int (*cb)(struct nft_set_elem *e, void *data), void *data);
+
+struct nft_set_elems_iter;
+struct nft_set_elems_iter *nft_set_elems_iter_create(struct nft_set *s);
+struct nft_set_elem *nft_set_elems_iter_cur(struct nft_set_elems_iter *iter);
+struct nft_set_elem *nft_set_elems_iter_next(struct nft_set_elems_iter *iter);
+void nft_set_elems_iter_destroy(struct nft_set_elems_iter *iter);
+
+#endif /* _LIBNFTNL_SET_H_ */
diff --git a/include/libnftnl/table.h b/include/libnftnl/table.h
new file mode 100644
index 0000000..22a8c1b
--- /dev/null
+++ b/include/libnftnl/table.h
@@ -0,0 +1,73 @@
+#ifndef _LIBNFTNL_TABLE_H_
+#define _LIBNFTNL_TABLE_H_
+
+#include
+#include
+#include
+#include
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nft_table;
+
+struct nft_table *nft_table_alloc(void);
+void nft_table_free(struct nft_table *);
+
+enum {
+ NFT_TABLE_ATTR_NAME = 0,
+ NFT_TABLE_ATTR_FAMILY,
+ NFT_TABLE_ATTR_FLAGS,
+};
+
+bool nft_table_attr_is_set(const struct nft_table *t, uint16_t attr);
+void nft_table_attr_unset(struct nft_table *t, uint16_t attr);
+void nft_table_attr_set(struct nft_table *t, uint16_t attr, const void *data);
+const void *nft_table_attr_get(struct nft_table *t, uint16_t attr);
+
+void nft_table_attr_set_u8(struct nft_table *t, uint16_t attr, uint8_t data);
+void nft_table_attr_set_u32(struct nft_table *t, uint16_t attr, uint32_t data);
+void nft_table_attr_set_str(struct nft_table *t, uint16_t attr, const char *str);
+uint8_t nft_table_attr_get_u8(struct nft_table *t, uint16_t attr);
+uint32_t nft_table_attr_get_u32(struct nft_table *t, uint16_t attr);
+const char *nft_table_attr_get_str(struct nft_table *t, uint16_t attr);
+
+struct nlmsghdr;
+
+void nft_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_table *t);
+
+int nft_table_parse(struct nft_table *t, enum nft_parse_type type,
+ const char *data, struct nft_parse_err *err);
+int nft_table_parse_file(struct nft_table *t, enum nft_parse_type type,
+ FILE *fp, struct nft_parse_err *err);
+int nft_table_snprintf(char *buf, size_t size, struct nft_table *t, uint32_t type, uint32_t flags);
+int nft_table_fprintf(FILE *fp, struct nft_table *t, uint32_t type, uint32_t flags);
+
+#define nft_table_nlmsg_build_hdr nft_nlmsg_build_hdr
+int nft_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_table *t);
+
+struct nft_table_list;
+
+struct nft_table_list *nft_table_list_alloc(void);
+void nft_table_list_free(struct nft_table_list *list);
+int nft_table_list_is_empty(struct nft_table_list *list);
+int nft_table_list_foreach(struct nft_table_list *table_list, int (*cb)(struct nft_table *t, void *data), void *data);
+
+void nft_table_list_add(struct nft_table *r, struct nft_table_list *list);
+void nft_table_list_add_tail(struct nft_table *r, struct nft_table_list *list);
+void nft_table_list_del(struct nft_table *r);
+
+struct nft_table_list_iter;
+
+struct nft_table_list_iter *nft_table_list_iter_create(struct nft_table_list *l);
+struct nft_table *nft_table_list_iter_next(struct nft_table_list_iter *iter);
+void nft_table_list_iter_destroy(struct nft_table_list_iter *iter);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* _LIBNFTNL_TABLE_H_ */
-- 
cgit v1.2.3
From 058c5a728fbaae840be96d4450cd9e1eea51ca52 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 21 Jan 2014 00:52:02 +0100
Subject: build: resolve compile error involving XT_EXTENSION_MAXNAMELEN 2.6.32 headers in /usr/include/linux again. Ship a copy of x_tables.h from Linux 3.11.
Signed-off-by: Jan Engelhardt
Signed-off-by: Pablo Neira Ayuso
---
 include/linux/netfilter/x_tables.h | 185 +++++++++++++++++++++++++++++++++++++
 1 file changed, 185 insertions(+)
 create mode 100644 include/linux/netfilter/x_tables.h
(limited to 'include')
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
new file mode 100644
index 0000000..4120970
--- /dev/null
+++ b/include/linux/netfilter/x_tables.h
@@ -0,0 +1,185 @@
+#ifndef _X_TABLES_H
+#define _X_TABLES_H
+#include
+#include
+
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
+#define XT_TABLE_MAXNAMELEN 32
+
+struct xt_entry_match {
+ union {
+ struct {
+ __u16 match_size;
+
+ /* Used by userspace */
+ char name[XT_EXTENSION_MAXNAMELEN];
+ __u8 revision;
+ } user;
+ struct {
+ __u16 match_size;
+
+ /* Used inside the kernel */
+ struct xt_match *match;
+ } kernel;
+
+ /* Total length */
+ __u16 match_size;
+ } u;
+
+ unsigned char data[0];
+};
+
+struct xt_entry_target {
+ union {
+ struct {
+ __u16 target_size;
+
+ /* Used by userspace */
+ char name[XT_EXTENSION_MAXNAMELEN];
+ __u8 revision;
+ } user;
+ struct {
+ __u16 target_size;
+
+ /* Used inside the kernel */
+ struct xt_target *target;
+ } kernel;
+
+ /* Total length */
+ __u16 target_size;
+ } u;
+
+ unsigned char data[0];
+};
+
+#define XT_TARGET_INIT(__name, __size) \
+{ \
+ .target.u.user = { \
+ .target_size = XT_ALIGN(__size), \
+ .name = __name, \
+ }, \
+}
+
+struct xt_standard_target {
+ struct xt_entry_target target;
+ int verdict;
+};
+
+struct xt_error_target {
+ struct xt_entry_target target;
+ char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
+/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
+ * kernel supports, if >= revision. */
+struct xt_get_revision {
+ char name[XT_EXTENSION_MAXNAMELEN];
+ __u8 revision;
+};
+
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+
+/* this is a dummy structure to find out the alignment requirement for a struct
+ * containing all the fundamental data types that are used in ipt_entry,
+ * ip6t_entry and arpt_entry. This sucks, and it is a hack. 
It will be my
+ * personal pleasure to remove it -HW
+ */
+struct _xt_align {
+ __u8 u8;
+ __u16 u16;
+ __u32 u32;
+ __u64 u64;
+};
+
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
+
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+
+struct xt_counters {
+ __u64 pcnt, bcnt; /* Packet and byte counters */
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info {
+ /* Which table. */
+ char name[XT_TABLE_MAXNAMELEN];
+
+ unsigned int num_counters;
+
+ /* The counters (actually `number' of these). */
+ struct xt_counters counters[0];
+};
+
+#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
+
+/* fn returns 0 to continue iteration */
+#define XT_MATCH_ITERATE(type, e, fn, args...) \
+({ \
+ unsigned int __i; \
+ int __ret = 0; \
+ struct xt_entry_match *__m; \
+ \
+ for (__i = sizeof(type); \
+ __i < (e)->target_offset; \
+ __i += __m->u.match_size) { \
+ __m = (void *)e + __i; \
+ \
+ __ret = fn(__m , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
+({ \
+ unsigned int __i, __n; \
+ int __ret = 0; \
+ type *__entry; \
+ \
+ for (__i = 0, __n = 0; __i < (size); \
+ __i += __entry->next_offset, __n++) { \
+ __entry = (void *)(entries) + __i; \
+ if (__n < n) \
+ continue; \
+ \
+ __ret = fn(__entry , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
+ XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+
+
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. 
 */
+#define xt_entry_foreach(pos, ehead, esize) \
+ for ((pos) = (typeof(pos))(ehead); \
+ (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+ (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+ for ((pos) = (struct xt_entry_match *)entry->elems; \
+ (pos) < (struct xt_entry_match *)((char *)(entry) + \
+ (entry)->target_offset); \
+ (pos) = (struct xt_entry_match *)((char *)(pos) + \
+ (pos)->u.match_size))
+
+
+#endif /* _X_TABLES_H */
-- cgit v1.2.3
From a4a59b37ffce3b351ce6ddcfa3d964f23e4fb891 Mon Sep 17 00:00:00 2001
From: Arturo Borrero
Date: Tue, 21 Jan 2014 13:08:32 +0100
Subject: include: add stdint.h to common.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes:
/usr/local/include/libnftnl/common.h:25:49: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:25:63: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:26:10: error: unknown type name ‘uint16_t’
/usr/local/include/libnftnl/common.h:26:25: error: unknown type name ‘uint32_t’
Signed-off-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
---
 include/libnftnl/common.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'include')
diff --git a/include/libnftnl/common.h b/include/libnftnl/common.h
index 9d18b2b..f0c20f0 100644
--- a/include/libnftnl/common.h
+++ b/include/libnftnl/common.h
@@ -1,6 +1,8 @@
 #ifndef _LIBNFTNL_COMMON_H_
 #define _LIBNFTNL_COMMON_H_
+#include
+
 enum {
 NFT_PARSE_EBADINPUT = 0,
 NFT_PARSE_EMISSINGNODE,
-- cgit v1.2.3
From 076fd1e66e7f1bc3b2bd91f3efb84080da26fb9c Mon Sep 17 00:00:00 2001 
From: Pablo Neira Ayuso
Date: Wed, 22 Jan 2014 12:55:04 +0100
Subject: include: add cached copy of linux/kernel.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes the following compilation warning when compiling with old kernel headers.
CC expr/target.lo
expr/target.c: In function ‘nft_rule_expr_target_build’:
expr/target.c:127: warning: implicit declaration of function ‘__ALIGN_KERNEL’
Signed-off-by: Pablo Neira Ayuso
---
 include/linux/kernel.h | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 include/linux/kernel.h
(limited to 'include')
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
new file mode 100644
index 0000000..d4c59f6
--- /dev/null
+++ b/include/linux/kernel.h
@@ -0,0 +1,29 @@
+#ifndef _LINUX_KERNEL_H
+#define _LINUX_KERNEL_H
+
+/*
+ * 'kernel.h' contains some often-used function prototypes etc
+ */
+#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
+#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
+
+
+#define SI_LOAD_SHIFT 16
+struct sysinfo {
+ long uptime; /* Seconds since boot */
+ unsigned long loads[3]; /* 1, 5, and 15 minute load averages */
+ unsigned long totalram; /* Total usable main memory size */
+ unsigned long freeram; /* Available memory size */
+ unsigned long sharedram; /* Amount of shared memory */
+ unsigned long bufferram; /* Memory used by buffers */
+ unsigned long totalswap; /* Total swap space size */
+ unsigned long freeswap; /* swap space still available */
+ unsigned short procs; /* Number of current processes */
+ unsigned short pad; /* explicit padding for m68k */
+ unsigned long totalhigh; /* Total high memory size */
+ unsigned long freehigh; /* Available high memory size */
+ unsigned int mem_unit; /* Memory unit size in bytes */
+ char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */
+};
+
+#endif
-- cgit v1.2.3