diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-18 08:43:23 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-03-05 16:30:15 +0100 |
commit | 92911b362e9067a9a335ac1a63e15119fb69a47d (patch) | |
tree | 74dba6877734feb8a1900b469b76bb1dffc13421 /include | |
parent | db0697ce7f6020b525cee072e7c0c85512daabda (diff) |
src: add support to add flowtables
This patch allows you to create flowtable:
# nft add table x
# nft add flowtable x m { hook ingress priority 10\; devices = { eth0, wlan0 }\; }
You have to specify hook and priority. So far, only the ingress hook is
supported. The priority represents where this flowtable is placed in the
ingress hook, which is registered to the devices that the user
specifies.
You can also use the 'create' command instead to bail out in case that
there is an existing flowtable with this name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/expression.h | 2 | ||||
-rw-r--r-- | include/mnl.h | 4 | ||||
-rw-r--r-- | include/netlink.h | 4 | ||||
-rw-r--r-- | include/rule.h | 7 |
4 files changed, 17 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h index 7b9b6229..6f4edbf5 100644 --- a/include/expression.h +++ b/include/expression.h @@ -416,6 +416,8 @@ extern struct expr *prefix_expr_alloc(const struct location *loc, extern struct expr *range_expr_alloc(const struct location *loc, struct expr *low, struct expr *high); +extern struct expr *compound_expr_alloc(const struct location *loc, + const struct expr_ops *ops); extern void compound_expr_add(struct expr *compound, struct expr *expr); extern void compound_expr_remove(struct expr *compound, struct expr *expr); extern void list_expr_sort(struct list_head *head); diff --git a/include/mnl.h b/include/mnl.h index 4475e7f8..470b2978 100644 --- a/include/mnl.h +++ b/include/mnl.h @@ -92,6 +92,10 @@ int mnl_nft_obj_batch_del(struct nftnl_obj *nln, struct nftnl_batch *batch, struct nftnl_flowtable_list * mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family, const char *table); +int mnl_nft_flowtable_batch_add(struct nftnl_flowtable *flo, + struct nftnl_batch *batch, unsigned int flags, + uint32_t seqnum); + struct nftnl_ruleset *mnl_nft_ruleset_dump(struct netlink_ctx *ctx, uint32_t family); int mnl_nft_event_listener(struct mnl_socket *nf_sock, unsigned int debug_mask, diff --git a/include/netlink.h b/include/netlink.h index 387eb9d8..41fd55f9 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -7,6 +7,7 @@ #include <libnftnl/expr.h> #include <libnftnl/set.h> #include <libnftnl/object.h> +#include <libnftnl/flowtable.h> #include <linux/netlink.h> #include <linux/netfilter/nf_tables.h> @@ -182,6 +183,9 @@ extern int netlink_delete_obj(struct netlink_ctx *ctx, const struct handle *h, extern int netlink_list_flowtables(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); +extern int netlink_add_flowtable(struct netlink_ctx *ctx, + const struct handle *h, struct flowtable *ft, + uint32_t flags); extern void netlink_dump_chain(const struct nftnl_chain *nlc, struct netlink_ctx *ctx); diff --git a/include/rule.h b/include/rule.h index 33bb24fa..262814ea 100644 --- a/include/rule.h +++ b/include/rule.h @@ -326,10 +326,13 @@ uint32_t obj_type_to_cmd(uint32_t type); struct flowtable { struct list_head list; struct handle handle; + struct scope scope; struct location location; + const char * hookstr; unsigned int hooknum; int priority; const char **dev_array; + struct expr *dev_expr; int dev_array_len; unsigned int refcnt; }; @@ -387,6 +390,8 @@ enum cmd_ops { * @CMD_OBJ_CHAIN: chain * @CMD_OBJ_CHAINS: multiple chains * @CMD_OBJ_TABLE: table + * @CMD_OBJ_FLOWTABLE: flowtable + * @CMD_OBJ_FLOWTABLES: flowtables * @CMD_OBJ_RULESET: ruleset * @CMD_OBJ_EXPR: expression * @CMD_OBJ_MONITOR: monitor @@ -426,6 +431,7 @@ enum cmd_obj { CMD_OBJ_CT_HELPERS, CMD_OBJ_LIMIT, CMD_OBJ_LIMITS, + CMD_OBJ_FLOWTABLE, CMD_OBJ_FLOWTABLES, }; @@ -485,6 +491,7 @@ struct cmd { struct rule *rule; struct chain *chain; struct table *table; + struct flowtable *flowtable; struct monitor *monitor; struct markup *markup; struct obj *object; |