From 6d085b22a8b5165406b5727ccf21a91ac5b97136 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 20 Feb 2021 16:18:03 +0100
Subject: table: support for the table owner flag

Add new flag to allow userspace process to own tables: Tables that have an owner can only be updated/destroyed by the owner. The table is destroyed either if the owner process calls nft_ctx_free() or owner process is terminated (implicit table release).

The ruleset listing includes the program name that owns the table:

nft> list ruleset
table ip x { # progname nft
flags owner
chain y {
type filter hook input priority filter; policy accept;
counter packets 1 bytes 309
}
}

Original code to pretty print the netlink portID to program name has been extracted from the conntrack userspace utility.

Signed-off-by: Pablo Neira Ayuso
---
src/rule.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'src/rule.c')

diff --git a/src/rule.c b/src/rule.c
index d22ab500..acb10f65 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -25,6 +25,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -1407,6 +1408,7 @@ struct table *table_lookup_fuzzy(const struct handle *h,
 static const char *table_flags_name[TABLE_FLAGS_MAX] = {
 "dormant",
+ "owner",
 };
 const char *table_flag_name(uint32_t flag)
@@ -1451,8 +1453,13 @@ static void table_print(const struct table *table, struct output_ctx *octx)
 const char *family = family2str(table->handle.family);
 nft_print(octx, "table %s %s {", family, table->handle.table.name);
+ if (nft_output_handle(octx) || table->flags & TABLE_F_OWNER)
+ nft_print(octx, " #");
 if (nft_output_handle(octx))
- nft_print(octx, " # handle %" PRIu64, table->handle.handle.id);
+ nft_print(octx, " handle %" PRIu64, table->handle.handle.id);
+ if (table->flags & TABLE_F_OWNER)
+ nft_print(octx, " progname %s", get_progname(table->owner));
+ nft_print(octx, "\n");
 table_print_flags(table, &delim, octx);
--
cgit v1.2.3
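Review bot: In the table_print hunk, `get_progname(table->owner)` is handed straight to a `%s` conversion with no NULL check; if that helper can fail (owner process already exited, /proc not readable) `nft_print` receives a NULL pointer, which is undefined behavior. Guard it at the call site, e.g. `const char *name = get_progname(table->owner);` followed by `nft_print(octx, " progname %s", name ? name : "?");` — get_progname is defined outside this hunk, so confirm whether it already returns a fallback string itself. The name is emitted inside a `#` comment and, assuming it is read from /proc, is chosen by the owning process rather than by nft, so restricting the printed value to printable characters would keep a stray newline from terminating the comment early in the listing. The owner-flag test `table->flags & TABLE_F_OWNER` inside `||` is correct by precedence but would read more clearly parenthesized, matching the standalone `if` below it. table_print's body continues outside the hunk.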