authorPablo Neira Ayuso <pablo@netfilter.org>2016-11-27 23:35:25 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2017-01-03 14:21:53 +0100
commit4756d92e517ae1f7d662c0ed083b54d8dc822e4a (patch)
tree5130faa44f2f3e72b257f4d30fd1752749109049 /include
parentd156fd17ee7ff9a2822d7714e1c8dfe7b6b18f55 (diff)
src: listing of stateful objects
This patch allows you to dump existing stateful objects, eg. # nft list ruleset table ip filter { counter test { packets 64 bytes 1268 } quota test { over 1 mbytes used 1268 bytes } chain input { type filter hook input priority 0; policy accept; quota name test drop counter name test } } # nft list quotas table ip filter { quota test { over 1 mbytes used 1268 bytes } } # nft list counters table ip filter { counter test { packets 64 bytes 1268 } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/mnl.h2
-rw-r--r--include/netlink.h4
-rw-r--r--include/rule.h51
-rw-r--r--include/statement.h3
4 files changed, 60 insertions, 0 deletions
diff --git a/include/mnl.h b/include/mnl.h
index 87db96af..ad036aef 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -86,6 +86,8 @@ int mnl_nft_setelem_batch_flush(struct nftnl_set *nls, unsigned int flags,
uint32_t seqnum);
int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nftnl_set *nls);
+struct nftnl_obj_list *mnl_nft_obj_dump(struct mnl_socket *nf_sock, int family,
+ const char *table);
struct nftnl_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
uint32_t family);
int mnl_nft_event_listener(struct mnl_socket *nf_sock,
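Review bot: `mnl_nft_obj_dump()` declares `int family`, while the `mnl_nft_ruleset_dump()` prototype directly below it takes `uint32_t family`; using `uint32_t family` in both avoids an implicit signed/unsigned conversion at call sites. The new prototype also returns a `struct nftnl_obj_list *` without saying who releases it or what a failure looks like. A one-line comment such as `/* Returns a list the caller frees with nftnl_obj_list_free(), or NULL on error. */` would settle that, provided it matches the implementation, which is not part of this view.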
diff --git a/include/netlink.h b/include/netlink.h
index 363b5251..ce577871 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -6,6 +6,7 @@
#include <libnftnl/rule.h>
#include <libnftnl/expr.h>
#include <libnftnl/set.h>
+#include <libnftnl/object.h>
#include <linux/netlink.h>
#include <linux/netfilter/nf_tables.h>
@@ -168,6 +169,9 @@ extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h,
extern int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h,
const struct location *loc);
+extern int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h,
+ const struct location *loc);
+
extern void netlink_dump_table(const struct nftnl_table *nlt);
extern void netlink_dump_chain(const struct nftnl_chain *nlc);
extern void netlink_dump_rule(const struct nftnl_rule *nlr);
diff --git a/include/rule.h b/include/rule.h
index f74630c5..e0f89139 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -34,6 +34,7 @@ struct position_spec {
* @table: table name
* @chain: chain name (chains and rules only)
* @set: set name (sets only)
+ * @obj: stateful object name (stateful object only)
* @handle: rule handle (rules only)
* @position: rule position (rules only)
* @set_id: set ID (sets only)
@@ -43,6 +44,7 @@ struct handle {
const char *table;
const char *chain;
const char *set;
+ const char *obj;
struct handle_spec handle;
struct position_spec position;
uint32_t set_id;
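Review bot: The new `const char *obj` member of `struct handle` needs the same lifetime handling as `table`, `chain` and `set`: whichever routines release and merge a handle must free and copy `obj` as well, otherwise the name leaks or is silently dropped when handles are combined. Those routines are outside this view, which is limited to include/, so this is a point to confirm rather than a confirmed defect. The same applies to `struct list_head objs` added to `struct table` in the `@@ -105` hunk, which has to be initialised where the table is allocated before any list walk touches it. Both struct bodies continue outside their hunks.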
@@ -95,6 +97,7 @@ enum table_flags {
* @location: location the table was defined at
* @chains: chains contained in the table
* @sets: sets contained in the table
+ * @objs: stateful objects contained in the table
* @flags: table flags
* @refcnt: table reference counter
*/
@@ -105,6 +108,7 @@ struct table {
struct scope scope;
struct list_head chains;
struct list_head sets;
+ struct list_head objs;
enum table_flags flags;
unsigned int refcnt;
};
@@ -241,6 +245,45 @@ extern struct set *set_lookup_global(uint32_t family, const char *table,
extern void set_print(const struct set *set);
extern void set_print_plain(const struct set *s);
+#include <statement.h>
+
+struct counter {
+ uint64_t packets;
+ uint64_t bytes;
+};
+
+struct quota {
+ uint64_t bytes;
+ uint64_t used;
+ uint32_t flags;
+};
+
+/**
+ * struct obj - nftables stateful object statement
+ *
+ * @list: table set list node
+ * @location: location the stateful object was defined/declared at
+ * @handle: counter handle
+ * @type: type of stateful object
+ */
+struct obj {
+ struct list_head list;
+ struct location location;
+ struct handle handle;
+ uint32_t type;
+
+ union {
+ struct counter counter;
+ struct quota quota;
+ };
+};
+
+struct obj *obj_alloc(const struct location *loc);
+void obj_free(struct obj *obj);
+void obj_add_hash(struct obj *obj, struct table *table);
+void obj_print(const struct obj *n);
+const char *obj_type_name(enum stmt_types type);
+
/**
* enum cmd_ops - command operations
*
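Review bot: The kernel-doc block for `struct obj` does not match its fields: `@list` reads "table set list node", `@handle` reads "counter handle" although the object may be a quota, and the anonymous union has no entry at all. Because `type` is the only field that says whether `counter` or `quota` is the live union member, the comment should state that, for example `@type: object type; selects which union member is valid`, with `@counter:` and `@quota:` lines added and `@handle` reworded to `stateful object handle`. `type` is a plain `uint32_t` while `obj_type_name()` takes `enum stmt_types`, so the header does not show which value space `type` holds; naming it in the comment would keep a caller from passing one kind of constant where the other is expected. `struct counter` and `struct quota` would also benefit from a line each giving the meaning of `bytes`, `used` and `flags`.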
@@ -287,6 +330,10 @@ enum cmd_ops {
* @CMD_OBJ_EXPR: expression
* @CMD_OBJ_MONITOR: monitor
* @CMD_OBJ_EXPORT: export
+ * @CMD_OBJ_COUNTER: counter
+ * @CMD_OBJ_COUNTERS: multiple counters
+ * @CMD_OBJ_QUOTA: quota
+ * @CMD_OBJ_QUOTAS: multiple quotas
*/
enum cmd_obj {
CMD_OBJ_INVALID,
@@ -305,6 +352,10 @@ enum cmd_obj {
CMD_OBJ_FLOWTABLES,
CMD_OBJ_MAP,
CMD_OBJ_MAPS,
+ CMD_OBJ_COUNTER,
+ CMD_OBJ_COUNTERS,
+ CMD_OBJ_QUOTA,
+ CMD_OBJ_QUOTAS,
};
struct export {
diff --git a/include/statement.h b/include/statement.h
index d317ae36..9d0f601f 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -66,6 +66,7 @@ struct limit_stmt {
};
extern struct stmt *limit_stmt_alloc(const struct location *loc);
+extern void __limit_stmt_print(const struct limit_stmt *limit);
struct reject_stmt {
struct expr *expr;
@@ -301,4 +302,6 @@ extern void stmt_free(struct stmt *stmt);
extern void stmt_list_free(struct list_head *list);
extern void stmt_print(const struct stmt *stmt);
+const char *get_rate(uint64_t byte_rate, uint64_t *rate);
+
#endif /* NFTABLES_STATEMENT_H */
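Review bot: `get_rate()` is exported without a comment, and its contract is not evident from the prototype: it returns a `const char *` and also writes through `uint64_t *rate`. A short comment above it should say what the returned string is, whether the caller may free it (presumably not, if it points at static storage, which the implementation outside this view would confirm), and that `rate` must be non-NULL. The neighbouring declarations carry `extern`; for a uniform header this one could read `extern const char *get_rate(uint64_t byte_rate, uint64_t *rate);`.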