diff options
Diffstat (limited to 'examples')
40 files changed, 6889 insertions, 0 deletions
diff --git a/examples/Makefile.am b/examples/Makefile.am new file mode 100644 index 0000000..db9164d --- /dev/null +++ b/examples/Makefile.am @@ -0,0 +1,154 @@ +include $(top_srcdir)/Make_global.am + +check_PROGRAMS = nft-table-add \ + nft-table-upd \ + nft-table-del \ + nft-table-get \ + nft-chain-add \ + nft-chain-del \ + nft-chain-get \ + nft-rule-add \ + nft-rule-del \ + nft-rule-get \ + nft-events \ + nft-set-add \ + nft-set-get \ + nft-set-del \ + nft-map-add \ + nft-set-elem-add \ + nft-set-elem-get \ + nft-set-elem-del \ + nft-obj-add \ + nft-obj-get \ + nft-obj-del \ + nft-ct-timeout-add \ + nft-ct-timeout-get \ + nft-ct-timeout-del \ + nft-flowtable-add \ + nft-flowtable-del \ + nft-flowtable-get \ + nft-ruleset-get \ + nft-compat-get \ + nft-ct-expectation-add \ + nft-ct-expectation-del \ + nft-ct-expectation-get \ + nft-ct-helper-add \ + nft-ct-helper-get \ + nft-ct-helper-del \ + nft-rule-ct-helper-add \ + nft-rule-ct-expectation-add \ + nft-rule-ct-timeout-add + +nft_table_add_SOURCES = nft-table-add.c +nft_table_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_table_upd_SOURCES = nft-table-upd.c +nft_table_upd_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_table_del_SOURCES = nft-table-del.c +nft_table_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_table_get_SOURCES = nft-table-get.c +nft_table_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_chain_add_SOURCES = nft-chain-add.c +nft_chain_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_chain_del_SOURCES = nft-chain-del.c +nft_chain_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_chain_get_SOURCES = nft-chain-get.c +nft_chain_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_rule_add_SOURCES = nft-rule-add.c +nft_rule_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_rule_del_SOURCES = nft-rule-del.c +nft_rule_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_rule_get_SOURCES = nft-rule-get.c +nft_rule_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_events_SOURCES = nft-events.c +nft_events_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_set_add_SOURCES = nft-set-add.c +nft_set_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_set_del_SOURCES = nft-set-del.c +nft_set_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_set_get_SOURCES = nft-set-get.c +nft_set_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_map_add_SOURCES = nft-map-add.c +nft_map_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_set_elem_add_SOURCES = nft-set-elem-add.c +nft_set_elem_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_set_elem_del_SOURCES = nft-set-elem-del.c +nft_set_elem_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_set_elem_get_SOURCES = nft-set-elem-get.c +nft_set_elem_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_obj_add_SOURCES = nft-obj-add.c +nft_obj_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_obj_del_SOURCES = nft-obj-del.c +nft_obj_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_obj_get_SOURCES = nft-obj-get.c +nft_obj_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_timeout_add_SOURCES = nft-ct-timeout-add.c +nft_ct_timeout_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_timeout_get_SOURCES = nft-ct-timeout-get.c +nft_ct_timeout_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_timeout_del_SOURCES = nft-ct-timeout-del.c +nft_ct_timeout_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_flowtable_add_SOURCES = nft-flowtable-add.c +nft_flowtable_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_flowtable_del_SOURCES = nft-flowtable-del.c +nft_flowtable_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_flowtable_get_SOURCES = nft-flowtable-get.c +nft_flowtable_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ruleset_get_SOURCES = nft-ruleset-get.c +nft_ruleset_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_compat_get_SOURCES = nft-compat-get.c +nft_compat_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_expectation_add_SOURCES = nft-ct-expectation-add.c +nft_ct_expectation_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_expectation_del_SOURCES = nft-ct-expectation-del.c +nft_ct_expectation_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_expectation_get_SOURCES = nft-ct-expectation-get.c +nft_ct_expectation_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_helper_add_SOURCES = nft-ct-helper-add.c +nft_ct_helper_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_helper_get_SOURCES = nft-ct-helper-get.c +nft_ct_helper_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_ct_helper_del_SOURCES = nft-ct-helper-del.c +nft_ct_helper_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_rule_ct_helper_add_SOURCES = nft-rule-ct-helper-add.c +nft_rule_ct_helper_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_rule_ct_expectation_add_SOURCES = nft-rule-ct-expectation-add.c +nft_rule_ct_expectation_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} + +nft_rule_ct_timeout_add_SOURCES = nft-rule-ct-timeout-add.c +nft_rule_ct_timeout_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} diff --git a/examples/Makefile.in b/examples/Makefile.in new file mode 100644 index 0000000..2228bb4 --- /dev/null +++ b/examples/Makefile.in @@ -0,0 +1,1183 @@ +# Makefile.in generated by automake 1.16.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +check_PROGRAMS = nft-table-add$(EXEEXT) nft-table-upd$(EXEEXT) \ + nft-table-del$(EXEEXT) nft-table-get$(EXEEXT) \ + nft-chain-add$(EXEEXT) nft-chain-del$(EXEEXT) \ + nft-chain-get$(EXEEXT) nft-rule-add$(EXEEXT) \ + nft-rule-del$(EXEEXT) nft-rule-get$(EXEEXT) \ + nft-events$(EXEEXT) nft-set-add$(EXEEXT) nft-set-get$(EXEEXT) \ + nft-set-del$(EXEEXT) nft-map-add$(EXEEXT) \ + nft-set-elem-add$(EXEEXT) nft-set-elem-get$(EXEEXT) \ + nft-set-elem-del$(EXEEXT) nft-obj-add$(EXEEXT) \ + nft-obj-get$(EXEEXT) nft-obj-del$(EXEEXT) \ + nft-ct-timeout-add$(EXEEXT) nft-ct-timeout-get$(EXEEXT) \ + nft-ct-timeout-del$(EXEEXT) nft-flowtable-add$(EXEEXT) \ + nft-flowtable-del$(EXEEXT) nft-flowtable-get$(EXEEXT) \ + nft-ruleset-get$(EXEEXT) nft-compat-get$(EXEEXT) \ + nft-ct-expectation-add$(EXEEXT) \ + nft-ct-expectation-del$(EXEEXT) \ + nft-ct-expectation-get$(EXEEXT) nft-ct-helper-add$(EXEEXT) \ + nft-ct-helper-get$(EXEEXT) nft-ct-helper-del$(EXEEXT) \ + nft-rule-ct-helper-add$(EXEEXT) \ + nft-rule-ct-expectation-add$(EXEEXT) \ + nft-rule-ct-timeout-add$(EXEEXT) +subdir = examples +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gcc4_visibility.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am_nft_chain_add_OBJECTS = nft-chain-add.$(OBJEXT) +nft_chain_add_OBJECTS = $(am_nft_chain_add_OBJECTS) +am__DEPENDENCIES_1 = +nft_chain_add_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +am_nft_chain_del_OBJECTS = nft-chain-del.$(OBJEXT) +nft_chain_del_OBJECTS = $(am_nft_chain_del_OBJECTS) +nft_chain_del_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_chain_get_OBJECTS = nft-chain-get.$(OBJEXT) +nft_chain_get_OBJECTS = $(am_nft_chain_get_OBJECTS) +nft_chain_get_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_compat_get_OBJECTS = nft-compat-get.$(OBJEXT) +nft_compat_get_OBJECTS = $(am_nft_compat_get_OBJECTS) +nft_compat_get_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_ct_expectation_add_OBJECTS = nft-ct-expectation-add.$(OBJEXT) +nft_ct_expectation_add_OBJECTS = $(am_nft_ct_expectation_add_OBJECTS) +nft_ct_expectation_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_expectation_del_OBJECTS = nft-ct-expectation-del.$(OBJEXT) +nft_ct_expectation_del_OBJECTS = $(am_nft_ct_expectation_del_OBJECTS) +nft_ct_expectation_del_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_expectation_get_OBJECTS = nft-ct-expectation-get.$(OBJEXT) +nft_ct_expectation_get_OBJECTS = $(am_nft_ct_expectation_get_OBJECTS) +nft_ct_expectation_get_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_helper_add_OBJECTS = nft-ct-helper-add.$(OBJEXT) +nft_ct_helper_add_OBJECTS = $(am_nft_ct_helper_add_OBJECTS) +nft_ct_helper_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_helper_del_OBJECTS = nft-ct-helper-del.$(OBJEXT) +nft_ct_helper_del_OBJECTS = $(am_nft_ct_helper_del_OBJECTS) +nft_ct_helper_del_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_helper_get_OBJECTS = nft-ct-helper-get.$(OBJEXT) +nft_ct_helper_get_OBJECTS = $(am_nft_ct_helper_get_OBJECTS) +nft_ct_helper_get_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_timeout_add_OBJECTS = nft-ct-timeout-add.$(OBJEXT) +nft_ct_timeout_add_OBJECTS = $(am_nft_ct_timeout_add_OBJECTS) +nft_ct_timeout_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_timeout_del_OBJECTS = nft-ct-timeout-del.$(OBJEXT) +nft_ct_timeout_del_OBJECTS = $(am_nft_ct_timeout_del_OBJECTS) +nft_ct_timeout_del_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_ct_timeout_get_OBJECTS = nft-ct-timeout-get.$(OBJEXT) +nft_ct_timeout_get_OBJECTS = $(am_nft_ct_timeout_get_OBJECTS) +nft_ct_timeout_get_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_events_OBJECTS = nft-events.$(OBJEXT) +nft_events_OBJECTS = $(am_nft_events_OBJECTS) +nft_events_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_flowtable_add_OBJECTS = nft-flowtable-add.$(OBJEXT) +nft_flowtable_add_OBJECTS = $(am_nft_flowtable_add_OBJECTS) +nft_flowtable_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_flowtable_del_OBJECTS = nft-flowtable-del.$(OBJEXT) +nft_flowtable_del_OBJECTS = $(am_nft_flowtable_del_OBJECTS) +nft_flowtable_del_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_flowtable_get_OBJECTS = nft-flowtable-get.$(OBJEXT) +nft_flowtable_get_OBJECTS = $(am_nft_flowtable_get_OBJECTS) +nft_flowtable_get_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_map_add_OBJECTS = nft-map-add.$(OBJEXT) +nft_map_add_OBJECTS = $(am_nft_map_add_OBJECTS) +nft_map_add_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_obj_add_OBJECTS = nft-obj-add.$(OBJEXT) +nft_obj_add_OBJECTS = $(am_nft_obj_add_OBJECTS) +nft_obj_add_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_obj_del_OBJECTS = nft-obj-del.$(OBJEXT) +nft_obj_del_OBJECTS = $(am_nft_obj_del_OBJECTS) +nft_obj_del_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_obj_get_OBJECTS = nft-obj-get.$(OBJEXT) +nft_obj_get_OBJECTS = $(am_nft_obj_get_OBJECTS) +nft_obj_get_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_rule_add_OBJECTS = nft-rule-add.$(OBJEXT) +nft_rule_add_OBJECTS = $(am_nft_rule_add_OBJECTS) +nft_rule_add_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_rule_ct_expectation_add_OBJECTS = \ + nft-rule-ct-expectation-add.$(OBJEXT) +nft_rule_ct_expectation_add_OBJECTS = \ + $(am_nft_rule_ct_expectation_add_OBJECTS) +nft_rule_ct_expectation_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_rule_ct_helper_add_OBJECTS = nft-rule-ct-helper-add.$(OBJEXT) +nft_rule_ct_helper_add_OBJECTS = $(am_nft_rule_ct_helper_add_OBJECTS) +nft_rule_ct_helper_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_rule_ct_timeout_add_OBJECTS = \ + nft-rule-ct-timeout-add.$(OBJEXT) +nft_rule_ct_timeout_add_OBJECTS = \ + $(am_nft_rule_ct_timeout_add_OBJECTS) +nft_rule_ct_timeout_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_rule_del_OBJECTS = nft-rule-del.$(OBJEXT) +nft_rule_del_OBJECTS = $(am_nft_rule_del_OBJECTS) +nft_rule_del_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_rule_get_OBJECTS = nft-rule-get.$(OBJEXT) +nft_rule_get_OBJECTS = $(am_nft_rule_get_OBJECTS) +nft_rule_get_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_ruleset_get_OBJECTS = nft-ruleset-get.$(OBJEXT) +nft_ruleset_get_OBJECTS = $(am_nft_ruleset_get_OBJECTS) +nft_ruleset_get_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_set_add_OBJECTS = nft-set-add.$(OBJEXT) +nft_set_add_OBJECTS = $(am_nft_set_add_OBJECTS) +nft_set_add_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_set_del_OBJECTS = nft-set-del.$(OBJEXT) +nft_set_del_OBJECTS = $(am_nft_set_del_OBJECTS) +nft_set_del_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_set_elem_add_OBJECTS = nft-set-elem-add.$(OBJEXT) +nft_set_elem_add_OBJECTS = $(am_nft_set_elem_add_OBJECTS) +nft_set_elem_add_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_set_elem_del_OBJECTS = nft-set-elem-del.$(OBJEXT) +nft_set_elem_del_OBJECTS = $(am_nft_set_elem_del_OBJECTS) +nft_set_elem_del_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_set_elem_get_OBJECTS = nft-set-elem-get.$(OBJEXT) +nft_set_elem_get_OBJECTS = $(am_nft_set_elem_get_OBJECTS) +nft_set_elem_get_DEPENDENCIES = ../src/libnftnl.la \ + $(am__DEPENDENCIES_1) +am_nft_set_get_OBJECTS = nft-set-get.$(OBJEXT) +nft_set_get_OBJECTS = $(am_nft_set_get_OBJECTS) +nft_set_get_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_table_add_OBJECTS = nft-table-add.$(OBJEXT) +nft_table_add_OBJECTS = $(am_nft_table_add_OBJECTS) +nft_table_add_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_table_del_OBJECTS = nft-table-del.$(OBJEXT) +nft_table_del_OBJECTS = $(am_nft_table_del_OBJECTS) +nft_table_del_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_table_get_OBJECTS = nft-table-get.$(OBJEXT) +nft_table_get_OBJECTS = $(am_nft_table_get_OBJECTS) +nft_table_get_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +am_nft_table_upd_OBJECTS = nft-table-upd.$(OBJEXT) +nft_table_upd_OBJECTS = $(am_nft_table_upd_OBJECTS) +nft_table_upd_DEPENDENCIES = ../src/libnftnl.la $(am__DEPENDENCIES_1) +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/nft-chain-add.Po \ + ./$(DEPDIR)/nft-chain-del.Po ./$(DEPDIR)/nft-chain-get.Po \ + ./$(DEPDIR)/nft-compat-get.Po \ + ./$(DEPDIR)/nft-ct-expectation-add.Po \ + ./$(DEPDIR)/nft-ct-expectation-del.Po \ + ./$(DEPDIR)/nft-ct-expectation-get.Po \ + ./$(DEPDIR)/nft-ct-helper-add.Po \ + ./$(DEPDIR)/nft-ct-helper-del.Po \ + ./$(DEPDIR)/nft-ct-helper-get.Po \ + ./$(DEPDIR)/nft-ct-timeout-add.Po \ + ./$(DEPDIR)/nft-ct-timeout-del.Po \ + ./$(DEPDIR)/nft-ct-timeout-get.Po ./$(DEPDIR)/nft-events.Po \ + ./$(DEPDIR)/nft-flowtable-add.Po \ + ./$(DEPDIR)/nft-flowtable-del.Po \ + ./$(DEPDIR)/nft-flowtable-get.Po ./$(DEPDIR)/nft-map-add.Po \ + ./$(DEPDIR)/nft-obj-add.Po ./$(DEPDIR)/nft-obj-del.Po \ + ./$(DEPDIR)/nft-obj-get.Po ./$(DEPDIR)/nft-rule-add.Po \ + ./$(DEPDIR)/nft-rule-ct-expectation-add.Po \ + ./$(DEPDIR)/nft-rule-ct-helper-add.Po \ + ./$(DEPDIR)/nft-rule-ct-timeout-add.Po \ + ./$(DEPDIR)/nft-rule-del.Po ./$(DEPDIR)/nft-rule-get.Po \ + ./$(DEPDIR)/nft-ruleset-get.Po ./$(DEPDIR)/nft-set-add.Po \ + ./$(DEPDIR)/nft-set-del.Po ./$(DEPDIR)/nft-set-elem-add.Po \ + ./$(DEPDIR)/nft-set-elem-del.Po \ + ./$(DEPDIR)/nft-set-elem-get.Po ./$(DEPDIR)/nft-set-get.Po \ + ./$(DEPDIR)/nft-table-add.Po ./$(DEPDIR)/nft-table-del.Po \ + ./$(DEPDIR)/nft-table-get.Po ./$(DEPDIR)/nft-table-upd.Po +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(nft_chain_add_SOURCES) $(nft_chain_del_SOURCES) \ + $(nft_chain_get_SOURCES) $(nft_compat_get_SOURCES) \ + $(nft_ct_expectation_add_SOURCES) \ + $(nft_ct_expectation_del_SOURCES) \ + $(nft_ct_expectation_get_SOURCES) $(nft_ct_helper_add_SOURCES) \ + $(nft_ct_helper_del_SOURCES) $(nft_ct_helper_get_SOURCES) \ + $(nft_ct_timeout_add_SOURCES) $(nft_ct_timeout_del_SOURCES) \ + $(nft_ct_timeout_get_SOURCES) $(nft_events_SOURCES) \ + $(nft_flowtable_add_SOURCES) $(nft_flowtable_del_SOURCES) \ + $(nft_flowtable_get_SOURCES) $(nft_map_add_SOURCES) \ + $(nft_obj_add_SOURCES) $(nft_obj_del_SOURCES) \ + $(nft_obj_get_SOURCES) $(nft_rule_add_SOURCES) \ + $(nft_rule_ct_expectation_add_SOURCES) \ + $(nft_rule_ct_helper_add_SOURCES) \ + $(nft_rule_ct_timeout_add_SOURCES) $(nft_rule_del_SOURCES) \ + $(nft_rule_get_SOURCES) $(nft_ruleset_get_SOURCES) \ + $(nft_set_add_SOURCES) $(nft_set_del_SOURCES) \ + $(nft_set_elem_add_SOURCES) $(nft_set_elem_del_SOURCES) \ + $(nft_set_elem_get_SOURCES) $(nft_set_get_SOURCES) \ + $(nft_table_add_SOURCES) $(nft_table_del_SOURCES) \ + $(nft_table_get_SOURCES) $(nft_table_upd_SOURCES) +DIST_SOURCES = $(nft_chain_add_SOURCES) $(nft_chain_del_SOURCES) \ + $(nft_chain_get_SOURCES) $(nft_compat_get_SOURCES) \ + $(nft_ct_expectation_add_SOURCES) \ + $(nft_ct_expectation_del_SOURCES) \ + $(nft_ct_expectation_get_SOURCES) $(nft_ct_helper_add_SOURCES) \ + $(nft_ct_helper_del_SOURCES) $(nft_ct_helper_get_SOURCES) \ + $(nft_ct_timeout_add_SOURCES) $(nft_ct_timeout_del_SOURCES) \ + $(nft_ct_timeout_get_SOURCES) $(nft_events_SOURCES) \ + $(nft_flowtable_add_SOURCES) $(nft_flowtable_del_SOURCES) \ + $(nft_flowtable_get_SOURCES) $(nft_map_add_SOURCES) \ + $(nft_obj_add_SOURCES) $(nft_obj_del_SOURCES) \ + $(nft_obj_get_SOURCES) $(nft_rule_add_SOURCES) \ + $(nft_rule_ct_expectation_add_SOURCES) \ + $(nft_rule_ct_helper_add_SOURCES) \ + $(nft_rule_ct_timeout_add_SOURCES) $(nft_rule_del_SOURCES) \ + $(nft_rule_get_SOURCES) $(nft_ruleset_get_SOURCES) \ + $(nft_set_add_SOURCES) $(nft_set_del_SOURCES) \ + $(nft_set_elem_add_SOURCES) $(nft_set_elem_del_SOURCES) \ + $(nft_set_elem_get_SOURCES) $(nft_set_get_SOURCES) \ + $(nft_table_add_SOURCES) $(nft_table_del_SOURCES) \ + $(nft_table_get_SOURCES) $(nft_table_upd_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/Make_global.am \ + $(top_srcdir)/build-aux/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GCC_FVISIBILITY_HIDDEN = @GCC_FVISIBILITY_HIDDEN@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBMNL_CFLAGS = @LIBMNL_CFLAGS@ +LIBMNL_LIBS = @LIBMNL_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +regular_CFLAGS = @regular_CFLAGS@ +regular_CPPFLAGS = @regular_CPPFLAGS@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ + +# This is _NOT_ the library release version, it's an API version. +# Extracted from Chapter 6 "Library interface versions" of the libtool docs. +# +# <snippet> +# Here are a set of rules to help you update your library version information: +# +# 1. Start with version information of `0:0:0' for each libtool library. +# 2. Update the version information only immediately before a public release +# of your software. More frequent updates are unnecessary, and only guarantee +# that the current interface number gets larger faster. +# 3. If the library source code has changed at all since the last update, +# then increment revision (`c:r:a' becomes `c:r+1:a'). +# 4. If any interfaces have been added, removed, or changed since the last +# update, increment current, and set revision to 0. +# 5. If any interfaces have been added since the last public release, then +# increment age. +# 6. If any interfaces have been removed since the last public release, then +# set age to 0. +# </snippet> +# +LIBVERSION = 17:0:6 +AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_srcdir}/include ${LIBMNL_CFLAGS} ${LIBMXML_CFLAGS} +AM_CFLAGS = ${regular_CFLAGS} ${GCC_FVISIBILITY_HIDDEN} +nft_table_add_SOURCES = nft-table-add.c +nft_table_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_table_upd_SOURCES = nft-table-upd.c +nft_table_upd_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_table_del_SOURCES = nft-table-del.c +nft_table_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_table_get_SOURCES = nft-table-get.c +nft_table_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_chain_add_SOURCES = nft-chain-add.c +nft_chain_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_chain_del_SOURCES = nft-chain-del.c +nft_chain_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_chain_get_SOURCES = nft-chain-get.c +nft_chain_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_add_SOURCES = nft-rule-add.c +nft_rule_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_del_SOURCES = nft-rule-del.c +nft_rule_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_get_SOURCES = nft-rule-get.c +nft_rule_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_events_SOURCES = nft-events.c +nft_events_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_set_add_SOURCES = nft-set-add.c +nft_set_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_set_del_SOURCES = nft-set-del.c +nft_set_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_set_get_SOURCES = nft-set-get.c +nft_set_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_map_add_SOURCES = nft-map-add.c +nft_map_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_set_elem_add_SOURCES = nft-set-elem-add.c +nft_set_elem_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_set_elem_del_SOURCES = nft-set-elem-del.c +nft_set_elem_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_set_elem_get_SOURCES = nft-set-elem-get.c +nft_set_elem_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_obj_add_SOURCES = nft-obj-add.c +nft_obj_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_obj_del_SOURCES = nft-obj-del.c +nft_obj_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_obj_get_SOURCES = nft-obj-get.c +nft_obj_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_timeout_add_SOURCES = nft-ct-timeout-add.c +nft_ct_timeout_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_timeout_get_SOURCES = nft-ct-timeout-get.c +nft_ct_timeout_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_timeout_del_SOURCES = nft-ct-timeout-del.c +nft_ct_timeout_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_flowtable_add_SOURCES = nft-flowtable-add.c +nft_flowtable_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_flowtable_del_SOURCES = nft-flowtable-del.c +nft_flowtable_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_flowtable_get_SOURCES = nft-flowtable-get.c +nft_flowtable_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ruleset_get_SOURCES = nft-ruleset-get.c +nft_ruleset_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_compat_get_SOURCES = nft-compat-get.c +nft_compat_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_expectation_add_SOURCES = nft-ct-expectation-add.c +nft_ct_expectation_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_expectation_del_SOURCES = nft-ct-expectation-del.c +nft_ct_expectation_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_expectation_get_SOURCES = nft-ct-expectation-get.c +nft_ct_expectation_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_helper_add_SOURCES = nft-ct-helper-add.c +nft_ct_helper_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_helper_get_SOURCES = nft-ct-helper-get.c +nft_ct_helper_get_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_ct_helper_del_SOURCES = nft-ct-helper-del.c +nft_ct_helper_del_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_ct_helper_add_SOURCES = nft-rule-ct-helper-add.c +nft_rule_ct_helper_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_ct_expectation_add_SOURCES = nft-rule-ct-expectation-add.c +nft_rule_ct_expectation_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +nft_rule_ct_timeout_add_SOURCES = nft-rule-ct-timeout-add.c +nft_rule_ct_timeout_add_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/Make_global.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign examples/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign examples/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; +$(top_srcdir)/Make_global.am $(am__empty): + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +nft-chain-add$(EXEEXT): $(nft_chain_add_OBJECTS) $(nft_chain_add_DEPENDENCIES) $(EXTRA_nft_chain_add_DEPENDENCIES) + @rm -f nft-chain-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_chain_add_OBJECTS) $(nft_chain_add_LDADD) $(LIBS) + +nft-chain-del$(EXEEXT): $(nft_chain_del_OBJECTS) $(nft_chain_del_DEPENDENCIES) $(EXTRA_nft_chain_del_DEPENDENCIES) + @rm -f nft-chain-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_chain_del_OBJECTS) $(nft_chain_del_LDADD) $(LIBS) + +nft-chain-get$(EXEEXT): $(nft_chain_get_OBJECTS) $(nft_chain_get_DEPENDENCIES) $(EXTRA_nft_chain_get_DEPENDENCIES) + @rm -f nft-chain-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_chain_get_OBJECTS) $(nft_chain_get_LDADD) $(LIBS) + +nft-compat-get$(EXEEXT): $(nft_compat_get_OBJECTS) $(nft_compat_get_DEPENDENCIES) $(EXTRA_nft_compat_get_DEPENDENCIES) + @rm -f nft-compat-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_compat_get_OBJECTS) $(nft_compat_get_LDADD) $(LIBS) + +nft-ct-expectation-add$(EXEEXT): $(nft_ct_expectation_add_OBJECTS) $(nft_ct_expectation_add_DEPENDENCIES) $(EXTRA_nft_ct_expectation_add_DEPENDENCIES) + @rm -f nft-ct-expectation-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_expectation_add_OBJECTS) $(nft_ct_expectation_add_LDADD) $(LIBS) + +nft-ct-expectation-del$(EXEEXT): $(nft_ct_expectation_del_OBJECTS) $(nft_ct_expectation_del_DEPENDENCIES) $(EXTRA_nft_ct_expectation_del_DEPENDENCIES) + @rm -f nft-ct-expectation-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_expectation_del_OBJECTS) $(nft_ct_expectation_del_LDADD) $(LIBS) + +nft-ct-expectation-get$(EXEEXT): $(nft_ct_expectation_get_OBJECTS) $(nft_ct_expectation_get_DEPENDENCIES) $(EXTRA_nft_ct_expectation_get_DEPENDENCIES) + @rm -f nft-ct-expectation-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_expectation_get_OBJECTS) $(nft_ct_expectation_get_LDADD) $(LIBS) + +nft-ct-helper-add$(EXEEXT): $(nft_ct_helper_add_OBJECTS) $(nft_ct_helper_add_DEPENDENCIES) $(EXTRA_nft_ct_helper_add_DEPENDENCIES) + @rm -f nft-ct-helper-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_helper_add_OBJECTS) $(nft_ct_helper_add_LDADD) $(LIBS) + +nft-ct-helper-del$(EXEEXT): $(nft_ct_helper_del_OBJECTS) $(nft_ct_helper_del_DEPENDENCIES) $(EXTRA_nft_ct_helper_del_DEPENDENCIES) + @rm -f nft-ct-helper-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_helper_del_OBJECTS) $(nft_ct_helper_del_LDADD) $(LIBS) + +nft-ct-helper-get$(EXEEXT): $(nft_ct_helper_get_OBJECTS) $(nft_ct_helper_get_DEPENDENCIES) $(EXTRA_nft_ct_helper_get_DEPENDENCIES) + @rm -f nft-ct-helper-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_helper_get_OBJECTS) $(nft_ct_helper_get_LDADD) $(LIBS) + +nft-ct-timeout-add$(EXEEXT): $(nft_ct_timeout_add_OBJECTS) $(nft_ct_timeout_add_DEPENDENCIES) $(EXTRA_nft_ct_timeout_add_DEPENDENCIES) + @rm -f nft-ct-timeout-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_timeout_add_OBJECTS) $(nft_ct_timeout_add_LDADD) $(LIBS) + +nft-ct-timeout-del$(EXEEXT): $(nft_ct_timeout_del_OBJECTS) $(nft_ct_timeout_del_DEPENDENCIES) $(EXTRA_nft_ct_timeout_del_DEPENDENCIES) + @rm -f nft-ct-timeout-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_timeout_del_OBJECTS) $(nft_ct_timeout_del_LDADD) $(LIBS) + +nft-ct-timeout-get$(EXEEXT): $(nft_ct_timeout_get_OBJECTS) $(nft_ct_timeout_get_DEPENDENCIES) $(EXTRA_nft_ct_timeout_get_DEPENDENCIES) + @rm -f nft-ct-timeout-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ct_timeout_get_OBJECTS) $(nft_ct_timeout_get_LDADD) $(LIBS) + +nft-events$(EXEEXT): $(nft_events_OBJECTS) $(nft_events_DEPENDENCIES) $(EXTRA_nft_events_DEPENDENCIES) + @rm -f nft-events$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_events_OBJECTS) $(nft_events_LDADD) $(LIBS) + +nft-flowtable-add$(EXEEXT): $(nft_flowtable_add_OBJECTS) $(nft_flowtable_add_DEPENDENCIES) $(EXTRA_nft_flowtable_add_DEPENDENCIES) + @rm -f nft-flowtable-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_flowtable_add_OBJECTS) $(nft_flowtable_add_LDADD) $(LIBS) + +nft-flowtable-del$(EXEEXT): $(nft_flowtable_del_OBJECTS) $(nft_flowtable_del_DEPENDENCIES) $(EXTRA_nft_flowtable_del_DEPENDENCIES) + @rm -f nft-flowtable-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_flowtable_del_OBJECTS) $(nft_flowtable_del_LDADD) $(LIBS) + +nft-flowtable-get$(EXEEXT): $(nft_flowtable_get_OBJECTS) $(nft_flowtable_get_DEPENDENCIES) $(EXTRA_nft_flowtable_get_DEPENDENCIES) + @rm -f nft-flowtable-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_flowtable_get_OBJECTS) $(nft_flowtable_get_LDADD) $(LIBS) + +nft-map-add$(EXEEXT): $(nft_map_add_OBJECTS) $(nft_map_add_DEPENDENCIES) $(EXTRA_nft_map_add_DEPENDENCIES) + @rm -f nft-map-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_map_add_OBJECTS) $(nft_map_add_LDADD) $(LIBS) + +nft-obj-add$(EXEEXT): $(nft_obj_add_OBJECTS) $(nft_obj_add_DEPENDENCIES) $(EXTRA_nft_obj_add_DEPENDENCIES) + @rm -f nft-obj-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_obj_add_OBJECTS) $(nft_obj_add_LDADD) $(LIBS) + +nft-obj-del$(EXEEXT): $(nft_obj_del_OBJECTS) $(nft_obj_del_DEPENDENCIES) $(EXTRA_nft_obj_del_DEPENDENCIES) + @rm -f nft-obj-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_obj_del_OBJECTS) $(nft_obj_del_LDADD) $(LIBS) + +nft-obj-get$(EXEEXT): $(nft_obj_get_OBJECTS) $(nft_obj_get_DEPENDENCIES) $(EXTRA_nft_obj_get_DEPENDENCIES) + @rm -f nft-obj-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_obj_get_OBJECTS) $(nft_obj_get_LDADD) $(LIBS) + +nft-rule-add$(EXEEXT): $(nft_rule_add_OBJECTS) $(nft_rule_add_DEPENDENCIES) $(EXTRA_nft_rule_add_DEPENDENCIES) + @rm -f nft-rule-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_rule_add_OBJECTS) $(nft_rule_add_LDADD) $(LIBS) + +nft-rule-ct-expectation-add$(EXEEXT): $(nft_rule_ct_expectation_add_OBJECTS) $(nft_rule_ct_expectation_add_DEPENDENCIES) $(EXTRA_nft_rule_ct_expectation_add_DEPENDENCIES) + @rm -f nft-rule-ct-expectation-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_rule_ct_expectation_add_OBJECTS) $(nft_rule_ct_expectation_add_LDADD) $(LIBS) + +nft-rule-ct-helper-add$(EXEEXT): $(nft_rule_ct_helper_add_OBJECTS) $(nft_rule_ct_helper_add_DEPENDENCIES) $(EXTRA_nft_rule_ct_helper_add_DEPENDENCIES) + @rm -f nft-rule-ct-helper-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_rule_ct_helper_add_OBJECTS) $(nft_rule_ct_helper_add_LDADD) $(LIBS) + +nft-rule-ct-timeout-add$(EXEEXT): $(nft_rule_ct_timeout_add_OBJECTS) $(nft_rule_ct_timeout_add_DEPENDENCIES) $(EXTRA_nft_rule_ct_timeout_add_DEPENDENCIES) + @rm -f nft-rule-ct-timeout-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_rule_ct_timeout_add_OBJECTS) $(nft_rule_ct_timeout_add_LDADD) $(LIBS) + +nft-rule-del$(EXEEXT): $(nft_rule_del_OBJECTS) $(nft_rule_del_DEPENDENCIES) $(EXTRA_nft_rule_del_DEPENDENCIES) + @rm -f nft-rule-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_rule_del_OBJECTS) $(nft_rule_del_LDADD) $(LIBS) + +nft-rule-get$(EXEEXT): $(nft_rule_get_OBJECTS) $(nft_rule_get_DEPENDENCIES) $(EXTRA_nft_rule_get_DEPENDENCIES) + @rm -f nft-rule-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_rule_get_OBJECTS) $(nft_rule_get_LDADD) $(LIBS) + +nft-ruleset-get$(EXEEXT): $(nft_ruleset_get_OBJECTS) $(nft_ruleset_get_DEPENDENCIES) $(EXTRA_nft_ruleset_get_DEPENDENCIES) + @rm -f nft-ruleset-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_ruleset_get_OBJECTS) $(nft_ruleset_get_LDADD) $(LIBS) + +nft-set-add$(EXEEXT): $(nft_set_add_OBJECTS) $(nft_set_add_DEPENDENCIES) $(EXTRA_nft_set_add_DEPENDENCIES) + @rm -f nft-set-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_set_add_OBJECTS) $(nft_set_add_LDADD) $(LIBS) + +nft-set-del$(EXEEXT): $(nft_set_del_OBJECTS) $(nft_set_del_DEPENDENCIES) $(EXTRA_nft_set_del_DEPENDENCIES) + @rm -f nft-set-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_set_del_OBJECTS) $(nft_set_del_LDADD) $(LIBS) + +nft-set-elem-add$(EXEEXT): $(nft_set_elem_add_OBJECTS) $(nft_set_elem_add_DEPENDENCIES) $(EXTRA_nft_set_elem_add_DEPENDENCIES) + @rm -f nft-set-elem-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_set_elem_add_OBJECTS) $(nft_set_elem_add_LDADD) $(LIBS) + +nft-set-elem-del$(EXEEXT): $(nft_set_elem_del_OBJECTS) $(nft_set_elem_del_DEPENDENCIES) $(EXTRA_nft_set_elem_del_DEPENDENCIES) + @rm -f nft-set-elem-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_set_elem_del_OBJECTS) $(nft_set_elem_del_LDADD) $(LIBS) + +nft-set-elem-get$(EXEEXT): $(nft_set_elem_get_OBJECTS) $(nft_set_elem_get_DEPENDENCIES) $(EXTRA_nft_set_elem_get_DEPENDENCIES) + @rm -f nft-set-elem-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_set_elem_get_OBJECTS) $(nft_set_elem_get_LDADD) $(LIBS) + +nft-set-get$(EXEEXT): $(nft_set_get_OBJECTS) $(nft_set_get_DEPENDENCIES) $(EXTRA_nft_set_get_DEPENDENCIES) + @rm -f nft-set-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_set_get_OBJECTS) $(nft_set_get_LDADD) $(LIBS) + +nft-table-add$(EXEEXT): $(nft_table_add_OBJECTS) $(nft_table_add_DEPENDENCIES) $(EXTRA_nft_table_add_DEPENDENCIES) + @rm -f nft-table-add$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_table_add_OBJECTS) $(nft_table_add_LDADD) $(LIBS) + +nft-table-del$(EXEEXT): $(nft_table_del_OBJECTS) $(nft_table_del_DEPENDENCIES) $(EXTRA_nft_table_del_DEPENDENCIES) + @rm -f nft-table-del$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_table_del_OBJECTS) $(nft_table_del_LDADD) $(LIBS) + +nft-table-get$(EXEEXT): $(nft_table_get_OBJECTS) $(nft_table_get_DEPENDENCIES) $(EXTRA_nft_table_get_DEPENDENCIES) + @rm -f nft-table-get$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_table_get_OBJECTS) $(nft_table_get_LDADD) $(LIBS) + +nft-table-upd$(EXEEXT): $(nft_table_upd_OBJECTS) $(nft_table_upd_DEPENDENCIES) $(EXTRA_nft_table_upd_DEPENDENCIES) + @rm -f nft-table-upd$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(nft_table_upd_OBJECTS) $(nft_table_upd_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-chain-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-chain-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-chain-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-compat-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-expectation-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-expectation-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-expectation-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-helper-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-helper-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-helper-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-timeout-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-timeout-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ct-timeout-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-events.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-flowtable-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-flowtable-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-flowtable-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-map-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-obj-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-obj-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-obj-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-rule-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-rule-ct-expectation-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-rule-ct-helper-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-rule-ct-timeout-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-rule-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-rule-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-ruleset-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-set-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-set-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-set-elem-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-set-elem-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-set-elem-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-set-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-table-add.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-table-del.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-table-get.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nft-table-upd.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/nft-chain-add.Po + -rm -f ./$(DEPDIR)/nft-chain-del.Po + -rm -f ./$(DEPDIR)/nft-chain-get.Po + -rm -f ./$(DEPDIR)/nft-compat-get.Po + -rm -f ./$(DEPDIR)/nft-ct-expectation-add.Po + -rm -f ./$(DEPDIR)/nft-ct-expectation-del.Po + -rm -f ./$(DEPDIR)/nft-ct-expectation-get.Po + -rm -f ./$(DEPDIR)/nft-ct-helper-add.Po + -rm -f ./$(DEPDIR)/nft-ct-helper-del.Po + -rm -f ./$(DEPDIR)/nft-ct-helper-get.Po + -rm -f ./$(DEPDIR)/nft-ct-timeout-add.Po + -rm -f ./$(DEPDIR)/nft-ct-timeout-del.Po + -rm -f ./$(DEPDIR)/nft-ct-timeout-get.Po + -rm -f ./$(DEPDIR)/nft-events.Po + -rm -f ./$(DEPDIR)/nft-flowtable-add.Po + -rm -f ./$(DEPDIR)/nft-flowtable-del.Po + -rm -f ./$(DEPDIR)/nft-flowtable-get.Po + -rm -f ./$(DEPDIR)/nft-map-add.Po + -rm -f ./$(DEPDIR)/nft-obj-add.Po + -rm -f ./$(DEPDIR)/nft-obj-del.Po + -rm -f ./$(DEPDIR)/nft-obj-get.Po + -rm -f ./$(DEPDIR)/nft-rule-add.Po + -rm -f ./$(DEPDIR)/nft-rule-ct-expectation-add.Po + -rm -f ./$(DEPDIR)/nft-rule-ct-helper-add.Po + -rm -f ./$(DEPDIR)/nft-rule-ct-timeout-add.Po + -rm -f ./$(DEPDIR)/nft-rule-del.Po + -rm -f ./$(DEPDIR)/nft-rule-get.Po + -rm -f ./$(DEPDIR)/nft-ruleset-get.Po + -rm -f ./$(DEPDIR)/nft-set-add.Po + -rm -f ./$(DEPDIR)/nft-set-del.Po + -rm -f ./$(DEPDIR)/nft-set-elem-add.Po + -rm -f ./$(DEPDIR)/nft-set-elem-del.Po + -rm -f ./$(DEPDIR)/nft-set-elem-get.Po + -rm -f ./$(DEPDIR)/nft-set-get.Po + -rm -f ./$(DEPDIR)/nft-table-add.Po + -rm -f ./$(DEPDIR)/nft-table-del.Po + -rm -f ./$(DEPDIR)/nft-table-get.Po + -rm -f ./$(DEPDIR)/nft-table-upd.Po + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/nft-chain-add.Po + -rm -f ./$(DEPDIR)/nft-chain-del.Po + -rm -f ./$(DEPDIR)/nft-chain-get.Po + -rm -f ./$(DEPDIR)/nft-compat-get.Po + -rm -f ./$(DEPDIR)/nft-ct-expectation-add.Po + -rm -f ./$(DEPDIR)/nft-ct-expectation-del.Po + -rm -f ./$(DEPDIR)/nft-ct-expectation-get.Po + -rm -f ./$(DEPDIR)/nft-ct-helper-add.Po + -rm -f ./$(DEPDIR)/nft-ct-helper-del.Po + -rm -f ./$(DEPDIR)/nft-ct-helper-get.Po + -rm -f ./$(DEPDIR)/nft-ct-timeout-add.Po + -rm -f ./$(DEPDIR)/nft-ct-timeout-del.Po + -rm -f ./$(DEPDIR)/nft-ct-timeout-get.Po + -rm -f ./$(DEPDIR)/nft-events.Po + -rm -f ./$(DEPDIR)/nft-flowtable-add.Po + -rm -f ./$(DEPDIR)/nft-flowtable-del.Po + -rm -f ./$(DEPDIR)/nft-flowtable-get.Po + -rm -f ./$(DEPDIR)/nft-map-add.Po + -rm -f ./$(DEPDIR)/nft-obj-add.Po + -rm -f ./$(DEPDIR)/nft-obj-del.Po + -rm -f ./$(DEPDIR)/nft-obj-get.Po + -rm -f ./$(DEPDIR)/nft-rule-add.Po + -rm -f ./$(DEPDIR)/nft-rule-ct-expectation-add.Po + -rm -f ./$(DEPDIR)/nft-rule-ct-helper-add.Po + -rm -f ./$(DEPDIR)/nft-rule-ct-timeout-add.Po + -rm -f ./$(DEPDIR)/nft-rule-del.Po + -rm -f ./$(DEPDIR)/nft-rule-get.Po + -rm -f ./$(DEPDIR)/nft-ruleset-get.Po + -rm -f ./$(DEPDIR)/nft-set-add.Po + -rm -f ./$(DEPDIR)/nft-set-del.Po + -rm -f ./$(DEPDIR)/nft-set-elem-add.Po + -rm -f ./$(DEPDIR)/nft-set-elem-del.Po + -rm -f ./$(DEPDIR)/nft-set-elem-get.Po + -rm -f ./$(DEPDIR)/nft-set-get.Po + -rm -f ./$(DEPDIR)/nft-table-add.Po + -rm -f ./$(DEPDIR)/nft-table-del.Po + -rm -f ./$(DEPDIR)/nft-table-get.Po + -rm -f ./$(DEPDIR)/nft-table-upd.Po + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/examples/nft-chain-add.c b/examples/nft-chain-add.c new file mode 100644 index 0000000..13be982 --- /dev/null +++ b/examples/nft-chain-add.c @@ -0,0 +1,148 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/chain.h> + +static struct nftnl_chain *chain_add_parse(int argc, char *argv[]) +{ + struct nftnl_chain *t; + int hooknum = 0; + + if (argc == 6) { + /* This is a base chain, set the hook number */ + if (strcmp(argv[4], "NF_INET_LOCAL_IN") == 0) + hooknum = NF_INET_LOCAL_IN; + else if (strcmp(argv[4], "NF_INET_LOCAL_OUT") == 0) + hooknum = NF_INET_LOCAL_OUT; + else if (strcmp(argv[4], "NF_INET_PRE_ROUTING") == 0) + hooknum = NF_INET_PRE_ROUTING; + else if (strcmp(argv[4], "NF_INET_POST_ROUTING") == 0) + hooknum = NF_INET_POST_ROUTING; + else if (strcmp(argv[4], "NF_INET_FORWARD") == 0) + hooknum = NF_INET_FORWARD; + else { + fprintf(stderr, "Unknown hook: %s\n", argv[4]); + return NULL; + } + } + + t = nftnl_chain_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + nftnl_chain_set_str(t, NFTNL_CHAIN_TABLE, argv[2]); + nftnl_chain_set_str(t, NFTNL_CHAIN_NAME, argv[3]); + if (argc == 6) { + nftnl_chain_set_u32(t, NFTNL_CHAIN_HOOKNUM, hooknum); + nftnl_chain_set_u32(t, NFTNL_CHAIN_PRIO, atoi(argv[5])); + } + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, chain_seq; + int ret, family; + struct nftnl_chain *t; + struct mnl_nlmsg_batch *batch; + + if (argc != 4 && argc != 6) { + fprintf(stderr, "Usage: %s <family> <table> <chain> " + "[<hooknum> <prio>]\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + t = chain_add_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + chain_seq = seq; + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWCHAIN, family, + NLM_F_CREATE | NLM_F_ACK, seq++); + nftnl_chain_nlmsg_build_payload(nlh, t); + nftnl_chain_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, chain_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-chain-del.c b/examples/nft-chain-del.c new file mode 100644 index 0000000..3cd483e --- /dev/null +++ b/examples/nft-chain-del.c @@ -0,0 +1,124 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/chain.h> + +static struct nftnl_chain *chain_del_parse(int argc, char *argv[]) +{ + struct nftnl_chain *t; + + t = nftnl_chain_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_chain_set_str(t, NFTNL_CHAIN_TABLE, argv[2]); + nftnl_chain_set_str(t, NFTNL_CHAIN_NAME, argv[3]); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct mnl_nlmsg_batch *batch; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, chain_seq; + struct nftnl_chain *t; + int ret, family; + + if (argc != 4) { + fprintf(stderr, "Usage: %s <family> <table> <chain>\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + t = chain_del_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + chain_seq = seq; + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELCHAIN, family, NLM_F_ACK, seq++); + nftnl_chain_nlmsg_build_payload(nlh, t); + nftnl_chain_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, chain_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-chain-get.c b/examples/nft-chain-get.c new file mode 100644 index 0000000..612f58b --- /dev/null +++ b/examples/nft-chain-get.c @@ -0,0 +1,131 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/chain.h> + +static int table_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_chain *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_chain_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_chain_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_chain_nlmsg_parse"); + goto err_free; + } + + nftnl_chain_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_chain_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, type = NFTNL_OUTPUT_DEFAULT; + struct nftnl_chain *t = NULL; + int ret, family; + + seq = time(NULL); + + if (argc < 2 || argc > 5) { + fprintf(stderr, "Usage: %s <family> [<table> <chain>]\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp, unspec\n"); + exit(EXIT_FAILURE); + } + + if (argc >= 4) { + t = nftnl_chain_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family, + NLM_F_ACK, seq); + nftnl_chain_set_str(t, NFTNL_CHAIN_TABLE, argv[2]); + nftnl_chain_set_str(t, NFTNL_CHAIN_NAME, argv[3]); + nftnl_chain_nlmsg_build_payload(nlh, t); + nftnl_chain_free(t); + } else if (argc >= 2) { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family, + NLM_F_DUMP, seq); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, table_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-compat-get.c b/examples/nft-compat-get.c new file mode 100644 index 0000000..8f00cbf --- /dev/null +++ b/examples/nft-compat-get.c @@ -0,0 +1,140 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables_compat.h> + +#include <libmnl/libmnl.h> + +static int data_attr_cb(const struct nlattr *attr, void *data) +{ + const struct nlattr **tb = data; + int type = mnl_attr_get_type(attr); + + if (mnl_attr_type_valid(attr, NFTA_COMPAT_MAX) < 0) + return MNL_CB_OK; + + switch(type) { + case NFTA_COMPAT_NAME: + if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) { + perror("mnl_attr_validate"); + return MNL_CB_ERROR; + } + break; + case NFTA_COMPAT_REV: + case NFTA_COMPAT_TYPE: + if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) { + perror("mnl_attr_validate"); + return MNL_CB_ERROR; + } + break; + } + tb[type] = attr; + return MNL_CB_OK; +} + +static int cb(const struct nlmsghdr *nlh, void *data) +{ + struct nlattr *tb[NFTA_COMPAT_MAX+1] = {}; + struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh); + + if (mnl_attr_parse(nlh, sizeof(*nfg), data_attr_cb, tb) < 0) + return MNL_CB_ERROR; + + if (tb[NFTA_COMPAT_NAME]) + printf("name=%s ", mnl_attr_get_str(tb[NFTA_COMPAT_NAME])); + if (tb[NFTA_COMPAT_REV]) + printf("rev=%d ", ntohl(mnl_attr_get_u32(tb[NFTA_COMPAT_REV]))); + if (tb[NFTA_COMPAT_TYPE]) + printf("type=%d ", ntohl(mnl_attr_get_u32(tb[NFTA_COMPAT_REV]))); + + printf("\n"); + + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, rev, type; + int ret; + + if (argc != 4) { + fprintf(stderr, "Usage: %s <extension_name> <type> <rev>\n", + argv[0]); + return EXIT_FAILURE; + } + + if (strcmp(argv[2], "target") == 0) + type = 1; + else if (strcmp(argv[2], "match") == 0) + type = 0; + else { + fprintf(stderr, "type should be `target' or `match'\n"); + return EXIT_FAILURE; + } + rev = atoi(argv[3]); + + nlh = mnl_nlmsg_put_header(buf); + nlh->nlmsg_type = (NFNL_SUBSYS_NFT_COMPAT << 8) | NFNL_MSG_COMPAT_GET; + nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + nlh->nlmsg_seq = seq = time(NULL); + + struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg)); + nfg->nfgen_family = AF_INET; + nfg->version = NFNETLINK_V0; + nfg->res_id = 0; + + mnl_attr_put_strz(nlh, NFTA_COMPAT_NAME, argv[1]); + mnl_attr_put_u32(nlh, NFTA_COMPAT_REV, htonl(rev)); + mnl_attr_put_u32(nlh, NFTA_COMPAT_TYPE, htonl(type)); + + printf("requesting `%s' rev=%d type=%d\n", argv[1], rev, type); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, cb, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-expectation-add.c b/examples/nft-ct-expectation-add.c new file mode 100644 index 0000000..d9b9cdb --- /dev/null +++ b/examples/nft-ct-expectation-add.c @@ -0,0 +1,153 @@ +/* + * (C) 2019 by Stéphane Veyret <sveyret@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> + +#include <obj.h> +#include <libmnl/libmnl.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static uint8_t parse_l4proto(char *str) +{ + if (strcmp(str, "udp") == 0) + return IPPROTO_UDP; + else if (strcmp(str, "tcp") == 0) + return IPPROTO_TCP; + else { + fprintf(stderr, "Unknown l4proto: tcp, udp\n"); + exit(EXIT_FAILURE); + } + return IPPROTO_TCP; +} + +static struct nftnl_obj *obj_parse(int argc, char *argv[]) +{ + uint16_t family, l3proto, dport; + uint8_t l4proto, size; + struct nftnl_obj *t; + uint32_t timeout; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_EXPECT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + if (argc > 8) { + l3proto = parse_family(argv[8], "l3proto"); + nftnl_obj_set_u16(t, NFTNL_OBJ_CT_EXPECT_L3PROTO, l3proto); + } + l4proto = parse_l4proto(argv[4]); + nftnl_obj_set_u8(t, NFTNL_OBJ_CT_EXPECT_L4PROTO, l4proto); + dport = atoi(argv[5]); + nftnl_obj_set_u16(t, NFTNL_OBJ_CT_EXPECT_DPORT, dport); + timeout = atol(argv[6]); + nftnl_obj_set_u32(t, NFTNL_OBJ_CT_EXPECT_TIMEOUT, timeout); + size = atoi(argv[7]); + nftnl_obj_set_u8(t, NFTNL_OBJ_CT_EXPECT_SIZE, size); + + return t; +} + +int main(int argc, char *argv[]) +{ + uint32_t portid, seq, obj_seq, family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch *batch; + struct mnl_socket *nl; + struct nlmsghdr *nlh; + struct nftnl_obj *t; + int ret; + + if (argc < 8 || argc > 9) { + fprintf(stderr, "%s <family> <table> <name> <l4proto> <dport> <timeout> <size> [l3proto]\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_parse(argc, argv); + if (t == NULL) { + exit(EXIT_FAILURE); + } + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWOBJ, family, + NLM_F_ACK | NLM_F_CREATE, seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-expectation-del.c b/examples/nft-ct-expectation-del.c new file mode 100644 index 0000000..67dbd47 --- /dev/null +++ b/examples/nft-ct-expectation-del.c @@ -0,0 +1,126 @@ +/* + * (C) 2019 by Stéphane Veyret <sveyret@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static struct nftnl_obj *obj_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_EXPECT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELOBJ, family, NLM_F_ACK, + seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + mnl_nlmsg_batch_next(batch); + nftnl_obj_free(t); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-expectation-get.c b/examples/nft-ct-expectation-get.c new file mode 100644 index 0000000..12c1350 --- /dev/null +++ b/examples/nft-ct-expectation-get.c @@ -0,0 +1,142 @@ +/* + * (C) 2019 by Stéphane Veyret <sveyret@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static struct nftnl_obj *obj_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_EXPECT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + + if (argc > 3) + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + return t; +} + +static int obj_cb(const struct nlmsghdr *nlh, void *data) +{ + uint32_t *type = data; + struct nftnl_obj *t; + char buf[4096]; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_obj_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_obj_nlmsg_parse"); + goto err_free; + } + + nftnl_obj_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_obj_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_obj *t; + int ret; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + uint16_t flags = NLM_F_ACK; + + if (argc < 3 || argc > 4) { + fprintf(stderr, "%s <family> <table> [<name>]\n", argv[0]); + return EXIT_FAILURE; + } + + t = obj_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + + seq = time(NULL); + if (argc < 4) + flags = NLM_F_DUMP; + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, flags, seq); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, obj_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-helper-add.c b/examples/nft-ct-helper-add.c new file mode 100644 index 0000000..397443b --- /dev/null +++ b/examples/nft-ct-helper-add.c @@ -0,0 +1,149 @@ +/* + * (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <string.h> +#include <time.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else { + fprintf(stderr, "Unknown %s: ip, ip6, inet\n", option); + exit(EXIT_FAILURE); + } +} + +static uint8_t parse_l4proto(char *str) +{ + if (strcmp(str, "udp") == 0) + return IPPROTO_UDP; + else if (strcmp(str, "tcp") == 0) + return IPPROTO_TCP; + else { + fprintf(stderr, "Unknown l4proto: tcp, udp\n"); + exit(EXIT_FAILURE); + } + return IPPROTO_TCP; +} + +static struct nftnl_obj *ct_helper_add_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family, l3proto; + uint8_t l4proto; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + family = parse_family(argv[1], "family"); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_HELPER); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + nftnl_obj_set_str(t, NFTNL_OBJ_CT_HELPER_NAME, argv[4]); + l4proto = parse_l4proto(argv[5]); + nftnl_obj_set_u8(t, NFTNL_OBJ_CT_HELPER_L4PROTO, l4proto); + if (argc == 7) { + l3proto = parse_family(argv[6], "l3proto"); + nftnl_obj_set_u16(t, NFTNL_OBJ_CT_HELPER_L3PROTO, l3proto); + } + + return t; +} + +int main(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint32_t seq, obj_seq, family, portid; + struct mnl_nlmsg_batch *batch; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct mnl_socket *nl; + int ret; + + if (argc < 6) { + fprintf(stderr, "%s <family> <table> <name> <type> <l4proto> [l3proto]\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = ct_helper_add_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWOBJ, family, NLM_F_CREATE | NLM_F_ACK, seq++); + + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) { + break; + } + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-helper-del.c b/examples/nft-ct-helper-del.c new file mode 100644 index 0000000..fda3026 --- /dev/null +++ b/examples/nft-ct-helper-del.c @@ -0,0 +1,124 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static struct nftnl_obj *ct_helper_del_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet\n"); + return NULL; + } + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_HELPER); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = ct_helper_del_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELOBJ, family, NLM_F_ACK, + seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + mnl_nlmsg_batch_next(batch); + nftnl_obj_free(t); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-helper-get.c b/examples/nft-ct-helper-get.c new file mode 100644 index 0000000..34134af --- /dev/null +++ b/examples/nft-ct-helper-get.c @@ -0,0 +1,138 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static int obj_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_obj *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_obj_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_obj_nlmsg_parse"); + goto err_free; + } + + nftnl_obj_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_obj_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_obj *t = NULL; + int ret; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + + if (argc < 3 || argc > 5) { + fprintf(stderr, "%s <family> <table> [<obj>]\n", + argv[0]); + return EXIT_FAILURE; + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, unspec"); + exit(EXIT_FAILURE); + } + + if (argc == 3 || argc == 4) { + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + } + + seq = time(NULL); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_HELPER); + if (argc < 4) { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, + NLM_F_DUMP, seq); + if (argc == 3) { + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + } + } else { + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, + NLM_F_ACK, seq); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, obj_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-timeout-add.c b/examples/nft-ct-timeout-add.c new file mode 100644 index 0000000..4c2052e --- /dev/null +++ b/examples/nft-ct-timeout-add.c @@ -0,0 +1,153 @@ +/* + * (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <obj.h> +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static struct nftnl_obj *obj_add_parse(int argc, char *argv[]) +{ + size_t timeout_array_size; + struct nftnl_obj *t; + uint32_t *timeout; + uint16_t family; + uint8_t l4proto; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + return NULL; + } + + if (strcmp(argv[4], "udp") == 0) + l4proto = IPPROTO_UDP; + else if (strcmp(argv[4], "tcp") == 0) + l4proto = IPPROTO_TCP; + else { + fprintf(stderr, "Unknown layer 4 protocol\n"); + return NULL; + } + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + timeout_array_size = sizeof(uint32_t) * (NFTNL_CTTIMEOUT_TCP_MAX); + timeout = calloc(1, timeout_array_size); + if (timeout == NULL) { + perror("OOM"); + return NULL; + } + + timeout[NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = 111; + timeout[NFTNL_CTTIMEOUT_TCP_CLOSE] = 16; + timeout[NFTNL_CTTIMEOUT_TCP_CLOSE_WAIT] = 14; + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_TIMEOUT); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + nftnl_obj_set_u8(t, NFTNL_OBJ_CT_TIMEOUT_L4PROTO, l4proto); + nftnl_obj_set_u16(t, NFTNL_OBJ_CT_TIMEOUT_L3PROTO, NFPROTO_IPV4); + nftnl_obj_set_data(t, NFTNL_OBJ_CT_TIMEOUT_ARRAY, + timeout, timeout_array_size); + return t; + +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 5) { + fprintf(stderr, "%s <family> <table> <name> <protocol> \n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_add_parse(argc, argv); + if (t == NULL) { + exit(EXIT_FAILURE); + } + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWOBJ, family, NLM_F_ACK | NLM_F_CREATE, seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-timeout-del.c b/examples/nft-ct-timeout-del.c new file mode 100644 index 0000000..4581c39 --- /dev/null +++ b/examples/nft-ct-timeout-del.c @@ -0,0 +1,124 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static struct nftnl_obj *ct_timeout_del_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet\n"); + return NULL; + } + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_TIMEOUT); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = ct_timeout_del_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELOBJ, family, NLM_F_ACK, + seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + mnl_nlmsg_batch_next(batch); + nftnl_obj_free(t); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ct-timeout-get.c b/examples/nft-ct-timeout-get.c new file mode 100644 index 0000000..18aed52 --- /dev/null +++ b/examples/nft-ct-timeout-get.c @@ -0,0 +1,137 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static int obj_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_obj *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_obj_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_obj_nlmsg_parse"); + goto err_free; + } + + nftnl_obj_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_obj_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_obj *t = NULL; + int ret; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + + if (argc < 3 || argc > 5) { + fprintf(stderr, "%s <family> <table> [<obj>]\n", argv[0]); + return EXIT_FAILURE; + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, unspec"); + exit(EXIT_FAILURE); + } + + if (argc == 3 || argc == 4) { + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + } + + seq = time(NULL); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_TIMEOUT); + if (argc < 4) { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, + NLM_F_DUMP, seq); + if (argc == 3) { + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + } + } else { + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, + NLM_F_ACK, seq); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, obj_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-events.c b/examples/nft-events.c new file mode 100644 index 0000000..8aab90a --- /dev/null +++ b/examples/nft-events.c @@ -0,0 +1,268 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/rule.h> +#include <libnftnl/set.h> +#include <libnftnl/gen.h> +#include <libnftnl/common.h> + +static uint32_t event2flag(uint32_t event) +{ + switch (event) { + case NFT_MSG_NEWTABLE: + case NFT_MSG_NEWCHAIN: + case NFT_MSG_NEWRULE: + case NFT_MSG_NEWSET: + case NFT_MSG_NEWSETELEM: + case NFT_MSG_NEWGEN: + return NFTNL_OF_EVENT_NEW; + case NFT_MSG_DELTABLE: + case NFT_MSG_DELCHAIN: + case NFT_MSG_DELRULE: + case NFT_MSG_DELSET: + case NFT_MSG_DELSETELEM: + return NFTNL_OF_EVENT_DEL; + } + + return 0; +} + +static int table_cb(const struct nlmsghdr *nlh, int event, int type) +{ + struct nftnl_table *t; + + t = nftnl_table_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_table_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_table_nlmsg_parse"); + goto err_free; + } + + nftnl_table_fprintf(stdout, t, type, event2flag(event)); + fprintf(stdout, "\n"); + +err_free: + nftnl_table_free(t); +err: + return MNL_CB_OK; +} + +static int rule_cb(const struct nlmsghdr *nlh, int event, int type) +{ + struct nftnl_rule *t; + + t = nftnl_rule_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_rule_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_rule_nlmsg_parse"); + goto err_free; + } + + nftnl_rule_fprintf(stdout, t, type, event2flag(event)); + fprintf(stdout, "\n"); + +err_free: + nftnl_rule_free(t); +err: + return MNL_CB_OK; +} + +static int chain_cb(const struct nlmsghdr *nlh, int event, int type) +{ + struct nftnl_chain *t; + + t = nftnl_chain_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_chain_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_chain_nlmsg_parse"); + goto err_free; + } + + nftnl_chain_fprintf(stdout, t, type, event2flag(event)); + fprintf(stdout, "\n"); + +err_free: + nftnl_chain_free(t); +err: + return MNL_CB_OK; +} + +static int set_cb(const struct nlmsghdr *nlh, int event, int type) +{ + struct nftnl_set *t; + + t = nftnl_set_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_set_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_set_nlmsg_parse"); + goto err_free; + } + + nftnl_set_fprintf(stdout, t, type, event2flag(event)); + fprintf(stdout, "\n"); + +err_free: + nftnl_set_free(t); +err: + return MNL_CB_OK; +} + +static int setelem_cb(const struct nlmsghdr *nlh, int event, int type) +{ + + struct nftnl_set *s; + + s = nftnl_set_alloc(); + if (s == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_set_elems_nlmsg_parse(nlh, s) < 0) { + perror("nftnl_set_nlmsg_parse"); + goto err_free; + } + + nftnl_set_fprintf(stdout, s, type, event2flag(event)); + fprintf(stdout, "\n"); + +err_free: + nftnl_set_free(s); +err: + return MNL_CB_OK; +} + +static int gen_cb(const struct nlmsghdr *nlh, int event, int type) +{ + struct nftnl_gen *gen; + + gen = nftnl_gen_alloc(); + if (gen == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_gen_nlmsg_parse(nlh, gen) < 0) { + perror("nftnl_gen_parse"); + goto err_free; + } + + nftnl_gen_fprintf(stdout, gen, type, event2flag(event)); + fprintf(stdout, "\n"); +err_free: + nftnl_gen_free(gen); +err: + return MNL_CB_OK; +} + +static int events_cb(const struct nlmsghdr *nlh, void *data) +{ + int ret = MNL_CB_OK; + int event = NFNL_MSG_TYPE(nlh->nlmsg_type); + int type = *((int *)data); + + switch(event) { + case NFT_MSG_NEWTABLE: + case NFT_MSG_DELTABLE: + ret = table_cb(nlh, event, type); + break; + case NFT_MSG_NEWCHAIN: + case NFT_MSG_DELCHAIN: + ret = chain_cb(nlh, event, type); + break; + case NFT_MSG_NEWRULE: + case NFT_MSG_DELRULE: + ret = rule_cb(nlh, event, type); + break; + case NFT_MSG_NEWSET: + case NFT_MSG_DELSET: + ret = set_cb(nlh, event, type); + break; + case NFT_MSG_NEWSETELEM: + case NFT_MSG_DELSETELEM: + ret = setelem_cb(nlh, event, type); + break; + case NFT_MSG_NEWGEN: + ret = gen_cb(nlh, event, type); + break; + } + + return ret; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + int ret, type; + + switch (argc) { + case 1: + type = NFTNL_OUTPUT_DEFAULT; + break; + default: + fprintf(stderr, "%s\n", argv[0]); + return EXIT_FAILURE; + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, (1 << (NFNLGRP_NFTABLES-1)), MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, 0, 0, events_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-flowtable-add.c b/examples/nft-flowtable-add.c new file mode 100644 index 0000000..f509f23 --- /dev/null +++ b/examples/nft-flowtable-add.c @@ -0,0 +1,127 @@ +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/flowtable.h> + +static struct nftnl_flowtable *flowtable_add_parse(int argc, char *argv[]) +{ + const char *dev_array[] = { "eth0", "tap0", NULL }; + struct nftnl_flowtable *t; + int hooknum = 0; + + if (strcmp(argv[4], "ingress") == 0) + hooknum = NF_NETDEV_INGRESS; + else { + fprintf(stderr, "Unknown hook: %s\n", argv[4]); + return NULL; + } + + t = nftnl_flowtable_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_TABLE, argv[2]); + nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_NAME, argv[3]); + if (argc == 6) { + nftnl_flowtable_set_u32(t, NFTNL_FLOWTABLE_HOOKNUM, hooknum); + nftnl_flowtable_set_u32(t, NFTNL_FLOWTABLE_PRIO, atoi(argv[5])); + } + nftnl_flowtable_set_data(t, NFTNL_FLOWTABLE_DEVICES, dev_array, 0); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, flowtable_seq; + int ret, family; + struct nftnl_flowtable *t; + struct mnl_nlmsg_batch *batch; + + if (argc != 6) { + fprintf(stderr, "Usage: %s <family> <table> <name> <hook> <prio>\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + t = flowtable_add_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + flowtable_seq = seq; + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWFLOWTABLE, family, + NLM_F_CREATE | NLM_F_ACK, seq++); + nftnl_flowtable_nlmsg_build_payload(nlh, t); + nftnl_flowtable_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, flowtable_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-flowtable-del.c b/examples/nft-flowtable-del.c new file mode 100644 index 0000000..c5ce339 --- /dev/null +++ b/examples/nft-flowtable-del.c @@ -0,0 +1,114 @@ +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/flowtable.h> + +static struct nftnl_flowtable *flowtable_del_parse(int argc, char *argv[]) +{ + struct nftnl_flowtable *t; + + t = nftnl_flowtable_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_TABLE, argv[2]); + nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_NAME, argv[3]); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct mnl_nlmsg_batch *batch; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, flowtable_seq; + struct nftnl_flowtable *t; + int ret, family; + + if (argc != 4) { + fprintf(stderr, "Usage: %s <family> <table> <flowtable>\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + t = flowtable_del_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + flowtable_seq = seq; + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELFLOWTABLE, family, + NLM_F_ACK, seq++); + nftnl_flowtable_nlmsg_build_payload(nlh, t); + nftnl_flowtable_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, flowtable_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-flowtable-get.c b/examples/nft-flowtable-get.c new file mode 100644 index 0000000..1d10cc8 --- /dev/null +++ b/examples/nft-flowtable-get.c @@ -0,0 +1,120 @@ +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/flowtable.h> + +static int table_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_flowtable *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_flowtable_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_flowtable_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_flowtable_nlmsg_parse"); + goto err_free; + } + + nftnl_flowtable_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_flowtable_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, type = NFTNL_OUTPUT_DEFAULT; + struct nftnl_flowtable *t = NULL; + int ret, family; + + seq = time(NULL); + + if (argc < 2 || argc > 5) { + fprintf(stderr, "Usage: %s <family> [<table> <flowtable>]\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp, unspec\n"); + exit(EXIT_FAILURE); + } + + if (argc >= 4) { + t = nftnl_flowtable_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETFLOWTABLE, family, + NLM_F_ACK, seq); + nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_TABLE, argv[2]); + nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_NAME, argv[3]); + nftnl_flowtable_nlmsg_build_payload(nlh, t); + nftnl_flowtable_free(t); + } else if (argc >= 2) { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETFLOWTABLE, family, + NLM_F_DUMP, seq); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, table_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-map-add.c b/examples/nft-map-add.c new file mode 100644 index 0000000..e5ce664 --- /dev/null +++ b/examples/nft-map-add.c @@ -0,0 +1,141 @@ +/* + * (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +static struct nftnl_set *setup_set(uint8_t family, const char *table, + const char *name) +{ + struct nftnl_set *s = NULL; + + s = nftnl_set_alloc(); + if (s == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_set_set_str(s, NFTNL_SET_TABLE, table); + nftnl_set_set_str(s, NFTNL_SET_NAME, name); + nftnl_set_set_u32(s, NFTNL_SET_FAMILY, family); + nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, 2); + /* See nftables/include/datatype.h, where TYPE_INET_SERVICE is 13. We + * should place these datatypes in a public header so third party + * applications still work with nftables. + */ + nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, 13); + nftnl_set_set_u32(s, NFTNL_SET_DATA_LEN, 2); + nftnl_set_set_u32(s, NFTNL_SET_DATA_TYPE, 13); + nftnl_set_set_u32(s, NFTNL_SET_ID, 1); + nftnl_set_set_u32(s, NFTNL_SET_FLAGS, NFT_SET_CONSTANT | NFT_SET_MAP); + + return s; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct nftnl_set *s; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint8_t family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + uint32_t seq = time(NULL); + int ret; + + if (argc != 4) { + fprintf(stderr, "Usage: %s <family> <table> <setname>\n", argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + s = setup_set(family, argv[2], argv[3]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSET, family, + NLM_F_CREATE | NLM_F_ACK, seq++); + + nftnl_set_nlmsg_build_payload(nlh, s); + nftnl_set_free(s); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-obj-add.c b/examples/nft-obj-add.c new file mode 100644 index 0000000..f526b3c --- /dev/null +++ b/examples/nft-obj-add.c @@ -0,0 +1,125 @@ +/* + * (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static struct nftnl_obj *obj_add_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + return NULL; + } + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_COUNTER); + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_add_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWOBJ, family, NLM_F_ACK, seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-obj-del.c b/examples/nft-obj-del.c new file mode 100644 index 0000000..ae4f703 --- /dev/null +++ b/examples/nft-obj-del.c @@ -0,0 +1,128 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static struct nftnl_obj *obj_del_parse(int argc, char *argv[]) +{ + struct nftnl_obj *t; + uint16_t family; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + return NULL; + } + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_COUNTER); + nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, obj_seq, family; + struct nftnl_obj *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = obj_del_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + obj_seq = seq; + family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELOBJ, family, NLM_F_ACK, + seq++); + nftnl_obj_nlmsg_build_payload(nlh, t); + mnl_nlmsg_batch_next(batch); + nftnl_obj_free(t); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-obj-get.c b/examples/nft-obj-get.c new file mode 100644 index 0000000..e560ed0 --- /dev/null +++ b/examples/nft-obj-get.c @@ -0,0 +1,140 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/object.h> + +static int obj_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_obj *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_obj_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_obj_nlmsg_parse"); + goto err_free; + } + + nftnl_obj_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_obj_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_obj *t = NULL; + int ret; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + + if (argc < 2 || argc > 5) { + fprintf(stderr, "%s <family> <table> [<obj>]\n", argv[0]); + return EXIT_FAILURE; + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp, unspec\n"); + exit(EXIT_FAILURE); + } + + if (argc == 3 || argc == 4) { + t = nftnl_obj_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + } + + seq = time(NULL); + if (argc < 4) { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, + NLM_F_DUMP, seq); + if (argc == 3) { + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + } + } else { + nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]); + nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]); + nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_COUNTER); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETOBJ, family, + NLM_F_ACK, seq); + nftnl_obj_nlmsg_build_payload(nlh, t); + nftnl_obj_free(t); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, obj_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-rule-add.c b/examples/nft-rule-add.c new file mode 100644 index 0000000..7d13b92 --- /dev/null +++ b/examples/nft-rule-add.c @@ -0,0 +1,204 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> + +static void add_payload(struct nftnl_rule *r, uint32_t base, uint32_t dreg, + uint32_t offset, uint32_t len) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("payload"); + if (e == NULL) { + perror("expr payload oom"); + exit(EXIT_FAILURE); + } + + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len); + + nftnl_rule_add_expr(r, e); +} + +static void add_cmp(struct nftnl_rule *r, uint32_t sreg, uint32_t op, + const void *data, uint32_t data_len) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("cmp"); + if (e == NULL) { + perror("expr cmp oom"); + exit(EXIT_FAILURE); + } + + nftnl_expr_set_u32(e, NFTNL_EXPR_CMP_SREG, sreg); + nftnl_expr_set_u32(e, NFTNL_EXPR_CMP_OP, op); + nftnl_expr_set(e, NFTNL_EXPR_CMP_DATA, data, data_len); + + nftnl_rule_add_expr(r, e); +} + +static void add_counter(struct nftnl_rule *r) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("counter"); + if (e == NULL) { + perror("expr counter oom"); + exit(EXIT_FAILURE); + } + + nftnl_rule_add_expr(r, e); +} + +static struct nftnl_rule *setup_rule(uint8_t family, const char *table, + const char *chain, const char *handle) +{ + struct nftnl_rule *r = NULL; + uint8_t proto; + uint16_t dport; + uint64_t handle_num; + + r = nftnl_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle != NULL) { + handle_num = atoll(handle); + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num); + } + + proto = IPPROTO_TCP; + add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1, + offsetof(struct iphdr, protocol), sizeof(uint8_t)); + add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &proto, sizeof(uint8_t)); + + dport = htons(22); + add_payload(r, NFT_PAYLOAD_TRANSPORT_HEADER, NFT_REG_1, + offsetof(struct tcphdr, dest), sizeof(uint16_t)); + add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &dport, sizeof(uint16_t)); + + add_counter(r); + + return r; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct nftnl_rule *r; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint8_t family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + uint32_t seq = time(NULL); + int ret; + + if (argc < 4 || argc > 5) { + fprintf(stderr, "Usage: %s <family> <table> <chain>\n", argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet\n"); + exit(EXIT_FAILURE); + } + + if (argc != 5) + r = setup_rule(family, argv[2], argv[3], NULL); + else + r = setup_rule(family, argv[2], argv[3], argv[4]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWRULE, + nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY), + NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK, + seq++); + nftnl_rule_nlmsg_build_payload(nlh, r); + nftnl_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-rule-ct-expectation-add.c b/examples/nft-rule-ct-expectation-add.c new file mode 100644 index 0000000..07c8306 --- /dev/null +++ b/examples/nft-rule-ct-expectation-add.c @@ -0,0 +1,162 @@ +/* + * (C) 2019 by Stéphane Veyret <sveyret@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> + +static uint16_t parse_family(char *str, const char *option) +{ + if (strcmp(str, "ip") == 0) + return NFPROTO_IPV4; + else if (strcmp(str, "ip6") == 0) + return NFPROTO_IPV6; + else if (strcmp(str, "inet") == 0) + return NFPROTO_INET; + else if (strcmp(str, "arp") == 0) + return NFPROTO_INET; + fprintf(stderr, "Unknown %s: ip, ip6, inet, arp\n", option); + exit(EXIT_FAILURE); +} + +static void add_ct_expect(struct nftnl_rule *r, const char *obj_name) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("objref"); + if (e == NULL) { + perror("expr objref oom"); + exit(EXIT_FAILURE); + } + nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, obj_name); + nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, NFT_OBJECT_CT_EXPECT); + + nftnl_rule_add_expr(r, e); +} + +static struct nftnl_rule *setup_rule(uint8_t family, const char *table, + const char *chain, const char *handle, + const char *obj_name) +{ + struct nftnl_rule *r = NULL; + uint64_t handle_num; + + r = nftnl_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle != NULL) { + handle_num = atoll(handle); + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num); + } + + add_ct_expect(r, obj_name); + + return r; +} + +int main(int argc, char *argv[]) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch *batch; + uint32_t seq = time(NULL); + struct mnl_socket *nl; + struct nftnl_rule *r; + struct nlmsghdr *nlh; + uint8_t family; + int ret; + + if (argc < 5 || argc > 6) { + fprintf(stderr, + "Usage: %s <family> <table> <chain> [<handle>] <name>\n", + argv[0]); + exit(EXIT_FAILURE); + } + family = parse_family(argv[1], "family"); + + if (argc < 6) + r = setup_rule(family, argv[2], argv[3], NULL, argv[4]); + else + r = setup_rule(family, argv[2], argv[3], argv[4], argv[5]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWRULE, + nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY), + NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK, + seq++); + nftnl_rule_nlmsg_build_payload(nlh, r); + nftnl_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-rule-ct-helper-add.c b/examples/nft-rule-ct-helper-add.c new file mode 100644 index 0000000..594e6ba --- /dev/null +++ b/examples/nft-rule-ct-helper-add.c @@ -0,0 +1,156 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> + +static void add_ct_helper(struct nftnl_rule *r, const char *obj_name) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("objref"); + if (e == NULL) { + perror("expr objref oom"); + exit(EXIT_FAILURE); + } + nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, obj_name); + nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, 3); + + nftnl_rule_add_expr(r, e); +} + +static struct nftnl_rule *setup_rule(uint8_t family, const char *table, + const char *chain, const char *handle, const char *obj_name) +{ + struct nftnl_rule *r = NULL; + uint64_t handle_num; + + r = nftnl_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle != NULL) { + handle_num = atoll(handle); + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num); + } + + add_ct_helper(r, obj_name); + + return r; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct nftnl_rule *r; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint8_t family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + uint32_t seq = time(NULL); + int ret; + + if (argc < 5 || argc > 6) { + fprintf(stderr, "Usage: %s <family> <table> <chain> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet\n"); + exit(EXIT_FAILURE); + } + + if (argc != 6) + r = setup_rule(family, argv[2], argv[3], NULL, argv[4]); + else + r = setup_rule(family, argv[2], argv[3], argv[4], argv[5]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWRULE, + nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY), + NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK, + seq++); + nftnl_rule_nlmsg_build_payload(nlh, r); + nftnl_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-rule-ct-timeout-add.c b/examples/nft-rule-ct-timeout-add.c new file mode 100644 index 0000000..0953cb4 --- /dev/null +++ b/examples/nft-rule-ct-timeout-add.c @@ -0,0 +1,156 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> +#include <libnftnl/expr.h> + +static void add_ct_timeout(struct nftnl_rule *r, const char *obj_name) +{ + struct nftnl_expr *e; + + e = nftnl_expr_alloc("objref"); + if (e == NULL) { + perror("expr objref oom"); + exit(EXIT_FAILURE); + } + nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, obj_name); + nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, NFT_OBJECT_CT_TIMEOUT); + + nftnl_rule_add_expr(r, e); +} + +static struct nftnl_rule *setup_rule(uint8_t family, const char *table, + const char *chain, const char *handle, const char *obj_name) +{ + struct nftnl_rule *r = NULL; + uint64_t handle_num; + + r = nftnl_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle != NULL) { + handle_num = atoll(handle); + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num); + } + + add_ct_timeout(r, obj_name); + + return r; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct nftnl_rule *r; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint8_t family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + uint32_t seq = time(NULL); + int ret; + + if (argc < 5 || argc > 6) { + fprintf(stderr, "Usage: %s <family> <table> <chain> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet\n"); + exit(EXIT_FAILURE); + } + + if (argc != 6) + r = setup_rule(family, argv[2], argv[3], NULL, argv[4]); + else + r = setup_rule(family, argv[2], argv[3], argv[4], argv[5]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWRULE, + nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY), + NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK, + seq++); + nftnl_rule_nlmsg_build_payload(nlh, r); + nftnl_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-rule-del.c b/examples/nft-rule-del.c new file mode 100644 index 0000000..cb085ff --- /dev/null +++ b/examples/nft-rule-del.c @@ -0,0 +1,118 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> +#include <linux/netfilter/nfnetlink.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint32_t portid, seq; + struct nftnl_rule *r = NULL; + int ret, family; + + if (argc < 4 || argc > 5) { + fprintf(stderr, "Usage: %s <family> <table> <chain> [<handle>]\n", + argv[0]); + exit(EXIT_FAILURE); + } + + r = nftnl_rule_alloc(); + if (r == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + seq = time(NULL); + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, argv[2]); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, argv[3]); + + /* If no handle is specified, delete all rules in the chain */ + if (argc == 5) + nftnl_rule_set_u64(r, NFTNL_RULE_HANDLE, atoi(argv[4])); + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELRULE, family, NLM_F_ACK, seq++); + nftnl_rule_nlmsg_build_payload(nlh, r); + nftnl_rule_free(r); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-rule-get.c b/examples/nft-rule-get.c new file mode 100644 index 0000000..8da5b59 --- /dev/null +++ b/examples/nft-rule-get.c @@ -0,0 +1,155 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/rule.h> + +static int table_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_rule *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_rule_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_rule_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_rule_nlmsg_parse"); + goto err_free; + } + + nftnl_rule_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_rule_free(t); +err: + return MNL_CB_OK; +} + +static struct nftnl_rule *setup_rule(uint8_t family, const char *table, + const char *chain, const char *handle) +{ + struct nftnl_rule *r; + uint64_t handle_num; + + r = nftnl_rule_alloc(); + if (r == NULL) + return NULL; + + if (table != NULL) + nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table); + if (chain != NULL) + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); + + nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); + + if (handle != NULL) { + handle_num = atoll(handle); + nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num); + } + + return r; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, type = NFTNL_OUTPUT_DEFAULT; + const char *table = NULL, *chain = NULL; + struct nftnl_rule *r; + int ret, family; + + if (argc < 2 || argc > 5) { + fprintf(stderr, "Usage: %s <family> [<table> <chain>]\n", + argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp, unspec\n"); + exit(EXIT_FAILURE); + } + + /* at least [<table> <chain>] specified */ + if (argc >= 4) { + table = argv[2]; + chain = argv[3]; + } + + seq = time(NULL); + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, + NLM_F_DUMP, seq); + + r = setup_rule(family, table, chain, NULL); + if (!r) { + perror("setup_rule"); + exit(EXIT_FAILURE); + } + nftnl_rule_nlmsg_build_payload(nlh, r); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, table_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-ruleset-get.c b/examples/nft-ruleset-get.c new file mode 100644 index 0000000..34ebe1f --- /dev/null +++ b/examples/nft-ruleset-get.c @@ -0,0 +1,377 @@ +/* + * Copyright (c) 2013 Arturo Borrero Gonzalez <arturo@debian.org> + * + * based on previous code from: + * + * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org> + * + * it under the terms of the GNU General Public License as published + * by the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/common.h> +#include <libnftnl/ruleset.h> +#include <libnftnl/table.h> +#include <libnftnl/chain.h> +#include <libnftnl/set.h> +#include <libnftnl/rule.h> + +static int seq; + +static void memory_allocation_error(void) +{ + perror("OOM"); + exit(EXIT_FAILURE); +} + +static int +mnl_talk(struct mnl_socket *nf_sock, const void *data, unsigned int len, + int (*cb)(const struct nlmsghdr *nlh, void *data), void *cb_data) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + uint32_t portid = mnl_socket_get_portid(nf_sock); + int ret; + + if (mnl_socket_sendto(nf_sock, data, len) < 0) + return -1; + + ret = mnl_socket_recvfrom(nf_sock, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, cb, cb_data); + if (ret <= 0) + goto out; + + ret = mnl_socket_recvfrom(nf_sock, buf, sizeof(buf)); + } +out: + if (ret < 0 && errno == EAGAIN) + return 0; + + return ret; +} + +/* + * Rule + */ +static int rule_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_rule_list *nlr_list = data; + struct nftnl_rule *r; + + r = nftnl_rule_alloc(); + if (r == NULL) + memory_allocation_error(); + + if (nftnl_rule_nlmsg_parse(nlh, r) < 0) + goto err_free; + + nftnl_rule_list_add_tail(r, nlr_list); + return MNL_CB_OK; + +err_free: + nftnl_rule_free(r); + return MNL_CB_OK; +} + +static struct nftnl_rule_list *mnl_rule_dump(struct mnl_socket *nf_sock, + int family) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct nftnl_rule_list *nlr_list; + int ret; + + nlr_list = nftnl_rule_list_alloc(); + if (nlr_list == NULL) + memory_allocation_error(); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, + NLM_F_DUMP, seq); + + ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, rule_cb, nlr_list); + if (ret < 0) + goto err; + + return nlr_list; +err: + nftnl_rule_list_free(nlr_list); + return NULL; +} + +/* + * Chain + */ +static int chain_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_chain_list *nlc_list = data; + struct nftnl_chain *c; + + c = nftnl_chain_alloc(); + if (c == NULL) + memory_allocation_error(); + + if (nftnl_chain_nlmsg_parse(nlh, c) < 0) + goto err_free; + + nftnl_chain_list_add_tail(c, nlc_list); + return MNL_CB_OK; + +err_free: + nftnl_chain_free(c); + return MNL_CB_OK; +} + +static struct nftnl_chain_list *mnl_chain_dump(struct mnl_socket *nf_sock, + int family) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct nftnl_chain_list *nlc_list; + int ret; + + nlc_list = nftnl_chain_list_alloc(); + if (nlc_list == NULL) + memory_allocation_error(); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family, + NLM_F_DUMP, seq); + + ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, chain_cb, nlc_list); + if (ret < 0) + goto err; + + return nlc_list; +err: + nftnl_chain_list_free(nlc_list); + return NULL; +} + +/* + * Table + */ +static int table_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_table_list *nlt_list = data; + struct nftnl_table *t; + + t = nftnl_table_alloc(); + if (t == NULL) + memory_allocation_error(); + + if (nftnl_table_nlmsg_parse(nlh, t) < 0) + goto err_free; + + nftnl_table_list_add_tail(t, nlt_list); + return MNL_CB_OK; + +err_free: + nftnl_table_free(t); + return MNL_CB_OK; +} + +static struct nftnl_table_list *mnl_table_dump(struct mnl_socket *nf_sock, + int family) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct nftnl_table_list *nlt_list; + int ret; + + nlt_list = nftnl_table_list_alloc(); + if (nlt_list == NULL) + memory_allocation_error(); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family, + NLM_F_DUMP, seq); + + ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, table_cb, nlt_list); + if (ret < 0) + goto err; + + return nlt_list; +err: + nftnl_table_list_free(nlt_list); + return NULL; +} + +/* + * Set elements + */ +static int set_elem_cb(const struct nlmsghdr *nlh, void *data) +{ + nftnl_set_elems_nlmsg_parse(nlh, data); + return MNL_CB_OK; +} + +static int mnl_setelem_get(struct mnl_socket *nf_sock, struct nftnl_set *nls) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t family = nftnl_set_get_u32(nls, NFTNL_SET_FAMILY); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, family, + NLM_F_DUMP | NLM_F_ACK, seq); + nftnl_set_nlmsg_build_payload(nlh, nls); + + return mnl_talk(nf_sock, nlh, nlh->nlmsg_len, set_elem_cb, nls); +} + +/* + * Set + */ +static int set_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_set_list *nls_list = data; + struct nftnl_set *s; + + s = nftnl_set_alloc(); + if (s == NULL) + memory_allocation_error(); + + if (nftnl_set_nlmsg_parse(nlh, s) < 0) + goto err_free; + + nftnl_set_list_add_tail(s, nls_list); + return MNL_CB_OK; + +err_free: + nftnl_set_free(s); + return MNL_CB_OK; +} + +static struct nftnl_set_list * +mnl_set_dump(struct mnl_socket *nf_sock, int family) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct nftnl_set *s; + struct nftnl_set_list *nls_list; + struct nftnl_set *si; + struct nftnl_set_list_iter *i; + int ret; + + s = nftnl_set_alloc(); + if (s == NULL) + memory_allocation_error(); + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family, + NLM_F_DUMP | NLM_F_ACK, seq); + nftnl_set_nlmsg_build_payload(nlh, s); + nftnl_set_free(s); + + nls_list = nftnl_set_list_alloc(); + if (nls_list == NULL) + memory_allocation_error(); + + ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, set_cb, nls_list); + if (ret < 0) + goto err; + + i = nftnl_set_list_iter_create(nls_list); + if (i == NULL) + memory_allocation_error(); + + si = nftnl_set_list_iter_next(i); + while (si != NULL) { + if (mnl_setelem_get(nf_sock, si) != 0) { + perror("E: Unable to get set elements"); + nftnl_set_list_iter_destroy(i); + goto err; + } + si = nftnl_set_list_iter_next(i); + } + + nftnl_set_list_iter_destroy(i); + + return nls_list; +err: + nftnl_set_list_free(nls_list); + return NULL; +} + +/* + * ruleset + */ + +static struct nftnl_ruleset *mnl_ruleset_dump(struct mnl_socket *nf_sock) +{ + struct nftnl_ruleset *rs; + struct nftnl_table_list *t; + struct nftnl_chain_list *c; + struct nftnl_set_list *s; + struct nftnl_rule_list *r; + + rs = nftnl_ruleset_alloc(); + if (rs == NULL) + memory_allocation_error(); + + t = mnl_table_dump(nf_sock, NFPROTO_UNSPEC); + if (t != NULL) + nftnl_ruleset_set(rs, NFTNL_RULESET_TABLELIST, t); + + c = mnl_chain_dump(nf_sock, NFPROTO_UNSPEC); + if (c != NULL) + nftnl_ruleset_set(rs, NFTNL_RULESET_CHAINLIST, c); + + s = mnl_set_dump(nf_sock, NFPROTO_UNSPEC); + if (s != NULL) + nftnl_ruleset_set(rs, NFTNL_RULESET_SETLIST, s); + + r = mnl_rule_dump(nf_sock, NFPROTO_UNSPEC); + if (r != NULL) + nftnl_ruleset_set(rs, NFTNL_RULESET_RULELIST, r); + + return rs; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + struct nftnl_ruleset *rs; + int ret; + + if (argc > 2) { + fprintf(stderr, "%s\n", argv[0]); + exit(EXIT_FAILURE); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + seq = time(NULL); + + rs = mnl_ruleset_dump(nl); + if (rs == NULL) { + perror("ruleset_dump"); + exit(EXIT_FAILURE); + } + + ret = nftnl_ruleset_fprintf(stdout, rs, type, 0); + fprintf(stdout, "\n"); + + if (ret == -1) + perror("E: Error during fprintf operations"); + + return 0; +} diff --git a/examples/nft-set-add.c b/examples/nft-set-add.c new file mode 100644 index 0000000..109e33a --- /dev/null +++ b/examples/nft-set-add.c @@ -0,0 +1,137 @@ +/* + * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <stddef.h> /* for offsetof */ +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <arpa/inet.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nfnetlink.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +static struct nftnl_set *setup_set(uint8_t family, const char *table, + const char *name) +{ + struct nftnl_set *s = NULL; + + s = nftnl_set_alloc(); + if (s == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + nftnl_set_set_str(s, NFTNL_SET_TABLE, table); + nftnl_set_set_str(s, NFTNL_SET_NAME, name); + nftnl_set_set_u32(s, NFTNL_SET_FAMILY, family); + nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, sizeof(uint16_t)); + /* inet service type, see nftables/include/datatypes.h */ + nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, 13); + nftnl_set_set_u32(s, NFTNL_SET_ID, 1); + + return s; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + struct nftnl_set *s; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint8_t family; + char buf[MNL_SOCKET_BUFFER_SIZE]; + uint32_t seq = time(NULL); + int ret; + + if (argc != 4) { + fprintf(stderr, "Usage: %s <family> <table> <setname>\n", argv[0]); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + s = setup_set(family, argv[2], argv[3]); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSET, family, + NLM_F_CREATE | NLM_F_ACK, seq++); + + nftnl_set_nlmsg_build_payload(nlh, s); + nftnl_set_free(s); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + if (ret == -1) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-set-del.c b/examples/nft-set-del.c new file mode 100644 index 0000000..5e8dea9 --- /dev/null +++ b/examples/nft-set-del.c @@ -0,0 +1,112 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct mnl_nlmsg_batch *batch; + uint32_t portid, seq, family; + struct nftnl_set *t = NULL; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <set>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = nftnl_set_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + seq = time(NULL); + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELSET, family, NLM_F_ACK, seq); + nftnl_set_set_str(t, NFTNL_SET_TABLE, argv[2]); + nftnl_set_set_str(t, NFTNL_SET_NAME, argv[3]); + + nftnl_set_nlmsg_build_payload(nlh, t); + nftnl_set_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret < 0) { + perror("mnl_socket_recvfrom"); + exit(EXIT_FAILURE); + } + + ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL); + if (ret < 0) { + perror("mnl_cb_run"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-set-elem-add.c b/examples/nft-set-elem-add.c new file mode 100644 index 0000000..4b8b37c --- /dev/null +++ b/examples/nft-set-elem-add.c @@ -0,0 +1,135 @@ +/* + * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch *batch; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_set *s; + struct nftnl_set_elem *e; + uint16_t data; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <set>\n", argv[0]); + exit(EXIT_FAILURE); + } + + s = nftnl_set_alloc(); + if (s == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + seq = time(NULL); + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + nftnl_set_set_str(s, NFTNL_SET_TABLE, argv[2]); + nftnl_set_set_str(s, NFTNL_SET_NAME, argv[3]); + + /* Add to dummy elements to set */ + e = nftnl_set_elem_alloc(); + if (e == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + data = 0x1; + nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &data, sizeof(data)); + nftnl_set_elem_add(s, e); + + e = nftnl_set_elem_alloc(); + if (e == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + data = 0x2; + nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &data, sizeof(data)); + nftnl_set_elem_add(s, e); + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWSETELEM, family, + NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK, + seq++); + nftnl_set_elems_nlmsg_build_payload(nlh, s); + nftnl_set_free(s); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-set-elem-del.c b/examples/nft-set-elem-del.c new file mode 100644 index 0000000..1e6c90d --- /dev/null +++ b/examples/nft-set-elem-del.c @@ -0,0 +1,134 @@ +/* + * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +int main(int argc, char *argv[]) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct mnl_nlmsg_batch *batch; + uint32_t portid, seq, family; + struct nftnl_set_elem *e; + struct mnl_socket *nl; + struct nlmsghdr *nlh; + struct nftnl_set *s; + uint16_t data; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <table> <set>\n", argv[0]); + exit(EXIT_FAILURE); + } + + s = nftnl_set_alloc(); + if (s == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + seq = time(NULL); + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + nftnl_set_set_str(s, NFTNL_SET_TABLE, argv[2]); + nftnl_set_set_str(s, NFTNL_SET_NAME, argv[3]); + + /* Add to dummy elements to set */ + e = nftnl_set_elem_alloc(); + if (e == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + data = 0x1; + nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &data, sizeof(data)); + nftnl_set_elem_add(s, e); + + e = nftnl_set_elem_alloc(); + if (e == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + data = 0x2; + nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &data, sizeof(data)); + nftnl_set_elem_add(s, e); + + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELSETELEM, family, NLM_F_ACK, seq); + nftnl_set_elems_nlmsg_build_payload(nlh, s); + nftnl_set_free(s); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)); + if (ret == -1) { + perror("mnl_socket_sendto"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-set-elem-get.c b/examples/nft-set-elem-get.c new file mode 100644 index 0000000..7f99a60 --- /dev/null +++ b/examples/nft-set-elem-get.c @@ -0,0 +1,122 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +static int set_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_set *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_set_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_set_elems_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_set_nlmsg_parse"); + goto err_free; + } + + nftnl_set_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_set_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + struct nftnl_set *t = NULL; + int ret; + + if (argc < 4 || argc > 5) { + fprintf(stderr, "%s <family> <table> <set>\n", argv[0]); + return EXIT_FAILURE; + } + t = nftnl_set_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + seq = time(NULL); + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + exit(EXIT_FAILURE); + } + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, family, + NLM_F_DUMP | NLM_F_ACK, seq); + nftnl_set_set_str(t, NFTNL_SET_NAME, argv[3]); + nftnl_set_set_str(t, NFTNL_SET_TABLE, argv[2]); + nftnl_set_elems_nlmsg_build_payload(nlh, t); + nftnl_set_free(t); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, set_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-set-get.c b/examples/nft-set-get.c new file mode 100644 index 0000000..48a0699 --- /dev/null +++ b/examples/nft-set-get.c @@ -0,0 +1,124 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/set.h> + +static int set_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_set *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_set_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_set_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_set_nlmsg_parse"); + goto err_free; + } + + nftnl_set_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_set_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + struct nftnl_set *t = NULL; + int ret; + + if (argc < 2 || argc > 3) { + fprintf(stderr, "%s <family>\n", argv[0]); + return EXIT_FAILURE; + } + t = nftnl_set_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + seq = time(NULL); + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp, unspec\n"); + exit(EXIT_FAILURE); + } + + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family, + NLM_F_DUMP | NLM_F_ACK, seq); + /* Use this below if you want to obtain sets per table */ +/* nftnl_set_set(t, NFT_SET_TABLE, argv[2]); */ + nftnl_set_nlmsg_build_payload(nlh, t); + nftnl_set_free(t); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, set_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-table-add.c b/examples/nft-table-add.c new file mode 100644 index 0000000..3d54e0e --- /dev/null +++ b/examples/nft-table-add.c @@ -0,0 +1,126 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/table.h> + +static struct nftnl_table *table_add_parse(int argc, char *argv[]) +{ + struct nftnl_table *t; + uint16_t family; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + return NULL; + } + + t = nftnl_table_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); + nftnl_table_set_str(t, NFTNL_TABLE_NAME, argv[2]); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, table_seq, family; + struct nftnl_table *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 3) { + fprintf(stderr, "%s <family> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = table_add_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + table_seq = seq; + family = nftnl_table_get_u32(t, NFTNL_TABLE_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWTABLE, family, + NLM_F_CREATE | NLM_F_ACK, seq++); + nftnl_table_nlmsg_build_payload(nlh, t); + nftnl_table_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-table-del.c b/examples/nft-table-del.c new file mode 100644 index 0000000..44f0b1f --- /dev/null +++ b/examples/nft-table-del.c @@ -0,0 +1,126 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/table.h> + +static struct nftnl_table *table_del_parse(int argc, char *argv[]) +{ + struct nftnl_table *t; + uint16_t family; + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n"); + return NULL; + } + + t = nftnl_table_alloc(); + if (t == NULL) { + perror("OOM"); + return NULL; + } + + nftnl_table_set_str(t, NFTNL_TABLE_NAME, argv[2]); + nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); + + return t; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, table_seq, family; + struct nftnl_table *t; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 3) { + fprintf(stderr, "%s <family> <name>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = table_del_parse(argc, argv); + if (t == NULL) + exit(EXIT_FAILURE); + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + table_seq = seq; + family = nftnl_table_get_u32(t, NFTNL_TABLE_FAMILY); + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_DELTABLE, family, + NLM_F_ACK, seq++); + nftnl_table_nlmsg_build_payload(nlh, t); + mnl_nlmsg_batch_next(batch); + nftnl_table_free(t); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-table-get.c b/examples/nft-table-get.c new file mode 100644 index 0000000..58eca9c --- /dev/null +++ b/examples/nft-table-get.c @@ -0,0 +1,132 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/table.h> + +static int table_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nftnl_table *t; + char buf[4096]; + uint32_t *type = data; + + t = nftnl_table_alloc(); + if (t == NULL) { + perror("OOM"); + goto err; + } + + if (nftnl_table_nlmsg_parse(nlh, t) < 0) { + perror("nftnl_table_nlmsg_parse"); + goto err_free; + } + + nftnl_table_snprintf(buf, sizeof(buf), t, *type, 0); + printf("%s\n", buf); + +err_free: + nftnl_table_free(t); +err: + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, family; + struct nftnl_table *t = NULL; + int ret; + uint32_t type = NFTNL_OUTPUT_DEFAULT; + + if (argc < 2 || argc > 4) { + fprintf(stderr, "%s <family> [<table>]\n", argv[0]); + return EXIT_FAILURE; + } + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "unspec") == 0) + family = NFPROTO_UNSPEC; + else { + fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp, unspec\n"); + exit(EXIT_FAILURE); + } + + if (argc == 3) { + t = nftnl_table_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + } + + seq = time(NULL); + if (t == NULL) { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family, + NLM_F_DUMP, seq); + } else { + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family, + NLM_F_ACK, seq); + nftnl_table_set_str(t, NFTNL_TABLE_NAME, argv[2]); + nftnl_table_nlmsg_build_payload(nlh, t); + nftnl_table_free(t); + } + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, seq, portid, table_cb, &type); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} diff --git a/examples/nft-table-upd.c b/examples/nft-table-upd.c new file mode 100644 index 0000000..7346636 --- /dev/null +++ b/examples/nft-table-upd.c @@ -0,0 +1,124 @@ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This software has been sponsored by Sophos Astaro <http://www.sophos.com> + */ + +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <netinet/in.h> + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_tables.h> + +#include <libmnl/libmnl.h> +#include <libnftnl/table.h> + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq, table_seq, family, flags; + struct nftnl_table *t = NULL; + struct mnl_nlmsg_batch *batch; + int ret; + + if (argc != 4) { + fprintf(stderr, "%s <family> <name> <state>\n", argv[0]); + exit(EXIT_FAILURE); + } + + t = nftnl_table_alloc(); + if (t == NULL) { + perror("OOM"); + exit(EXIT_FAILURE); + } + + seq = time(NULL); + batch = mnl_nlmsg_batch_start(buf, sizeof(buf)); + + nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + if (strcmp(argv[1], "ip") == 0) + family = NFPROTO_IPV4; + else if (strcmp(argv[1], "ip6") == 0) + family = NFPROTO_IPV6; + else if (strcmp(argv[1], "inet") == 0) + family = NFPROTO_INET; + else if (strcmp(argv[1], "bridge") == 0) + family = NFPROTO_BRIDGE; + else if (strcmp(argv[1], "arp") == 0) + family = NFPROTO_ARP; + else if (strcmp(argv[1], "netdev") == 0) + family = NFPROTO_NETDEV; + else { + fprintf(stderr, + "Unknown family: ip, ip6, inet, bridge, arp, netdev\n"); + exit(EXIT_FAILURE); + } + + if (strcmp(argv[3], "active") == 0) + flags = 0; + else if (strcmp(argv[3], "dormant") == 0) + flags = NFT_TABLE_F_DORMANT; + else { + fprintf(stderr, "Unknown state: active, dormant\n"); + exit(EXIT_FAILURE); + } + + nftnl_table_set_str(t, NFTNL_TABLE_NAME, argv[2]); + nftnl_table_set_u32(t, NFTNL_TABLE_FLAGS, flags); + + table_seq = seq; + nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), + NFT_MSG_NEWTABLE, family, NLM_F_ACK, seq++); + nftnl_table_nlmsg_build_payload(nlh, t); + nftnl_table_free(t); + mnl_nlmsg_batch_next(batch); + + nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++); + mnl_nlmsg_batch_next(batch); + + nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror("mnl_socket_open"); + exit(EXIT_FAILURE); + } + + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror("mnl_socket_bind"); + exit(EXIT_FAILURE); + } + portid = mnl_socket_get_portid(nl); + + if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), + mnl_nlmsg_batch_size(batch)) < 0) { + perror("mnl_socket_send"); + exit(EXIT_FAILURE); + } + + mnl_nlmsg_batch_stop(batch); + + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + while (ret > 0) { + ret = mnl_cb_run(buf, ret, table_seq, portid, NULL, NULL); + if (ret <= 0) + break; + ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); + } + if (ret == -1) { + perror("error"); + exit(EXIT_FAILURE); + } + mnl_socket_close(nl); + + return EXIT_SUCCESS; +} |