summaryrefslogtreecommitdiffstats
path: root/src/fib.c
Commit message (Collapse)AuthorAgeFilesLines
* src: expr: remove expr_ops from struct exprFlorian Westphal2019-02-081-2/+2
| | | | | | | | size of struct expr changes from 144 to 128 bytes on x86_64. This doesn't look like much, but large rulesets can have tens of thousands of expressions (each set element is represented by an expression). Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: Implement JSON output supportPhil Sutter2018-05-111-0/+1
| | | | | | | | | | | | Although technically there already is support for JSON output via 'nft export json' command, it is hardly useable since it exports all the gory details of nftables VM. Also, libnftables has no control over what is exported since the content comes directly from libnftnl. Instead, implement JSON format support for regular 'nft list' commands. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Make some functions globally accessiblePhil Sutter2018-05-111-1/+1
| | | | | | | | | | | | | | | This removes static flag and adds header prototype for the following functions: * must_print_eq_op() from src/expression.c * fib_result_str() from src/fib.c * set_policy2str() and chain_policy2str from src/rule.c In fib.h, include linux/netfilter/nf_tables.h to make sure enum nft_fib_result is known when including this file. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of printfPhil Sutter2017-09-291-11/+12
| | | | | | | | | | | | | | | | | This patch introduces nft_print()/nft_gmp_print() functions which have to be used instead of printf to output information that were previously send to stdout. These functions print to a FILE pointer defined in struct output_ctx. It is set by calling: | old_fp = nft_ctx_set_output(ctx, new_fp); Having an application-defined FILE pointer is actually quite flexible: Using fmemopen() or even fopencookie(), an application gains full control over what is printed and where it should go to. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove datatype_register().Varsha Rao2017-06-301-6/+1
| | | | | | | | Remove datatype_register() function and its calling __init functions. Add arguments of datatype_register() function to datatype array. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Pass stateless, numeric, ip2name and handle variables as structure members.Varsha Rao2017-06-181-1/+1
| | | | | | | | | | | | | | | | | libnftables library will be created soon. So declare numeric_output, stateless_output, ip2name_output and handle_output as members of structure output_ctx, instead of global variables. Rename these variables as following, numeric_output -> numeric stateless_output -> stateless ip2name_output -> ip2name handle_output -> handle Also add struct output_ctx *octx as member of struct netlink_ctx. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Support existence checkPhil Sutter2017-03-131-1/+4
| | | | | | | | | | | | | | | | | This allows to check whether a FIB entry exists for a given packet by comparing the expression with a boolean keyword like so: | fib daddr oif exists The implementation requires introduction of a generic expression flag EXPR_F_BOOLEAN which allows relational expression to signal it's LHS that a boolean comparison is being done (indicated by boolean type on RHS). In contrast to exthdr existence checks, fib expression can't know this in beforehand because the LHS syntax is absolutely identical to a non-boolean comparison. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: Show the base which pre-defined constants are displayedElise Lennion2016-12-201-0/+1
| | | | | | | | | | so the user know how we express it. The base was added to all symbol tables, which are associated with datatype->sym_tbl, so they are displayed in the right base. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fib expressionFlorian Westphal2016-10-281-0/+144
This adds the 'fib' expression which can be used to obtain the output interface from the route table based on either source or destination address of a packet. This can be used to e.g. add reverse path filtering: # drop if not coming from the same interface packet # arrived on # nft add rule x prerouting fib saddr . iif oif eq 0 drop # accept only if from eth0 # nft add rule x prerouting fib saddr . iif oif eq "eth0" accept # accept if from any valid interface # nft add rule x prerouting fib saddr oif accept Querying of address type is also supported. This can be used to e.g. only accept packets to addresses configured in the same interface: # fib daddr . iif type local Its also possible to use mark and verdict map, e.g.: # nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : drop, unicast : accept } Signed-off-by: Florian Westphal <fw@strlen.de>