diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-13 16:38:33 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-24 11:50:00 +0200 |
| commit | aae836a7aa628af4d4d5dd97d0eefa898e8f5245 (patch) | |
| tree | 0a5999838de7e19bba5c2bfb7172fec8d70c2da5 /include | |
| parent | f171d1cf8a6530fe0ac204d4a6520fe0e2a70da4 (diff) | |
src: use libnftables
This patch migrates nft to use the libnftables library, that is used
by the iptables over nftables compat utility as well. Most of the
conversion was pretty straight forward. Some small significant changes
happened in the handling of set element and immediate data abstraction
that libnl provides. libnftables is a bit more granular since it splits
the struct nfnl_nft_data into three attributes: verdict, chain and plain
data (used in maps).
I have added a new file src/mnl.c that contains the low level netlink
communication that now resides in nftables source tree instead of
the library. This should help to implement the batching support using
libmnl in follow up patches.
I also spent some significant amount of time running my tests to make
sure that we don't increase the number of bugs that we already have
(I plan to provide a list of those that I have detected and diagnosed,
so anyone else can help us to fix them).
As a side effect, this change should also prepare the ground for
JSON and XML support anytime soon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/mnl.h | 43 | ||||
| -rw-r--r-- | include/netlink.h | 67 | ||||
| -rw-r--r-- | include/nftables.h | 2 |
3 files changed, 87 insertions, 25 deletions
diff --git a/include/mnl.h b/include/mnl.h new file mode 100644 index 00000000..bd244898 --- /dev/null +++ b/include/mnl.h @@ -0,0 +1,43 @@ +#ifndef _NFTABLES_MNL_H_ +#define _NFTABLES_MNL_H_ + +int mnl_nft_rule_add(struct mnl_socket *nf_sock, struct nft_rule *r, + unsigned int flags); +int mnl_nft_rule_delete(struct mnl_socket *nf_sock, struct nft_rule *r, + unsigned int flags); +struct nft_rule_list *mnl_nft_rule_dump(struct mnl_socket *nf_sock, + int family); + +int mnl_nft_chain_add(struct mnl_socket *nf_sock, struct nft_chain *nlc, + unsigned int flags); +int mnl_nft_chain_delete(struct mnl_socket *nf_sock, struct nft_chain *nlc, + unsigned int flags); +struct nft_chain_list *mnl_nft_chain_dump(struct mnl_socket *nf_sock, + int family); +int mnl_nft_chain_get(struct mnl_socket *nf_sock, struct nft_chain *nlc, + unsigned int flags); + +int mnl_nft_table_add(struct mnl_socket *nf_sock, struct nft_table *nlt, + unsigned int flags); +int mnl_nft_table_delete(struct mnl_socket *nf_sock, struct nft_table *nlt, + unsigned int flags); +struct nft_table_list *mnl_nft_table_dump(struct mnl_socket *nf_sock, + int family); +int mnl_nft_table_get(struct mnl_socket *nf_sock, struct nft_table *nlt, + unsigned int flags); + +int mnl_nft_set_add(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +int mnl_nft_set_delete(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +struct nft_set_list *mnl_nft_set_dump(struct mnl_socket *nf_sock, int family, + const char *table); +int mnl_nft_set_get(struct mnl_socket *nf_sock, struct nft_set *nls); + +int mnl_nft_setelem_add(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +int mnl_nft_setelem_delete(struct mnl_socket *nf_sock, struct nft_set *nls, + unsigned int flags); +int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nft_set *nls); + +#endif /* _NFTABLES_MNL_H_ */ diff --git a/include/netlink.h b/include/netlink.h index ccbb872c..19574f02 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -1,13 +1,14 @@ #ifndef NFTABLES_NETLINK_H #define NFTABLES_NETLINK_H -#include <netlink/netfilter/netfilter.h> -#include <netlink/netfilter/nft_table.h> -#include <netlink/netfilter/nft_chain.h> -#include <netlink/netfilter/nft_rule.h> -#include <netlink/netfilter/nft_expr.h> -#include <netlink/netfilter/nft_data.h> -#include <netlink/object.h> +#include <libnftables/table.h> +#include <libnftables/chain.h> +#include <libnftables/rule.h> +#include <libnftables/expr.h> +#include <libnftables/set.h> + +#include <linux/netlink.h> +#include <linux/netfilter/nf_tables.h> #include <rule.h> @@ -17,45 +18,57 @@ * @msgs: message queue * @list: list of parsed rules/chains/tables * @set: current set + * @data: pointer to pass data to callback */ struct netlink_ctx { struct list_head *msgs; struct list_head list; struct set *set; + const void *data; }; -extern void netlink_dump_object(struct nl_object *obj); +extern struct nft_table *alloc_nft_table(const struct handle *h); +extern struct nft_chain *alloc_nft_chain(const struct handle *h); +extern struct nft_rule *alloc_nft_rule(const struct handle *h); +extern struct nft_rule_expr *alloc_nft_expr(const char *name); +extern struct nft_set *alloc_nft_set(const struct handle *h); -extern struct nfnl_nft_table *alloc_nft_table(const struct handle *h); -extern struct nfnl_nft_chain *alloc_nft_chain(const struct handle *h); -extern struct nfnl_nft_rule *alloc_nft_rule(const struct handle *h); -extern struct nfnl_nft_expr *alloc_nft_expr(int (*init)(struct nfnl_nft_expr *)); -extern struct nfnl_nft_set *alloc_nft_set(const struct handle *h); -extern struct nfnl_nft_data *alloc_nft_data(const void *data, unsigned int len); +struct nft_data_linearize { + size_t len; + uint32_t value[4]; + char chain[NFT_CHAIN_MAXNAMELEN]; + int verdict; +}; -extern struct nfnl_nft_data *netlink_gen_data(const struct expr *expr); -extern struct nfnl_nft_data *netlink_gen_raw_data(const mpz_t value, - enum byteorder byteorder, - unsigned int len); +struct nft_data_delinearize { + size_t len; + const uint32_t *value; + const char *chain; + int verdict; +}; + +extern void netlink_gen_data(const struct expr *expr, + struct nft_data_linearize *data); +extern void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder, + unsigned int len, + struct nft_data_linearize *data); extern struct expr *netlink_alloc_value(const struct location *loc, - const struct nfnl_nft_data *nld); + const struct nft_data_delinearize *nld); extern struct expr *netlink_alloc_data(const struct location *loc, - const struct nfnl_nft_data *nld, + const struct nft_data_delinearize *nld, enum nft_registers dreg); extern int netlink_linearize_rule(struct netlink_ctx *ctx, - struct nfnl_nft_rule *nlr, + struct nft_rule *nlr, const struct rule *rule); extern struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx, - const struct nl_object *obj); + const struct nft_rule *r); extern int netlink_add_rule(struct netlink_ctx *ctx, const struct handle *h, const struct rule *rule, uint32_t flags); extern int netlink_delete_rule(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); -extern int netlink_get_rule(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); extern int netlink_add_chain(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, @@ -103,4 +116,10 @@ extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, struct set *set); +extern void netlink_dump_table(struct nft_table *nlt); +extern void netlink_dump_chain(struct nft_chain *nlc); +extern void netlink_dump_rule(struct nft_rule *nlr); +extern void netlink_dump_expr(struct nft_rule_expr *nle); +extern void netlink_dump_set(struct nft_set *nls); + #endif /* NFTABLES_NETLINK_H */ diff --git a/include/nftables.h b/include/nftables.h index ff91d934..ec21d37f 100644 --- a/include/nftables.h +++ b/include/nftables.h @@ -50,7 +50,7 @@ struct location { unsigned int last_column; }; struct { - struct nl_object *nl_obj; + void *nle; }; }; }; |