From: Patrick McHardy <kaber@trash.net>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [nft RFC PATCH] src: add export operation
Date: Tue, 21 Jan 2014 14:51:33 +0000 [thread overview]
Message-ID: <20140121145131.GA6302@macbook.localnet> (raw)
In-Reply-To: <20140121140545.27264.82385.stgit@nfdev.cica.es>
On Tue, Jan 21, 2014 at 03:05:45PM +0100, Arturo Borrero Gonzalez wrote:
> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> index 2eb00b6..b4c84b1 100644
> --- a/include/linux/netfilter.h
> +++ b/include/linux/netfilter.h
> @@ -1,6 +1,8 @@
> #ifndef __LINUX_NETFILTER_H
> #define __LINUX_NETFILTER_H
>
> +#include <netinet/in.h>
> +#include <arpa/inet.h>
You shouldn't add anything to this file, its copied from the kernel and
this will get lost once its updated.
> --- a/include/netlink.h
> +++ b/include/netlink.h
> @@ -1,6 +1,8 @@
> #ifndef NFTABLES_NETLINK_H
> #define NFTABLES_NETLINK_H
>
> +#include <libnftnl/common.h>
> +#include <libnftnl/ruleset.h>
Is this really needed in the header file? I don't see any new types being
used.
> #include <libnftnl/table.h>
> #include <libnftnl/chain.h>
> #include <libnftnl/rule.h>
> @@ -136,4 +138,7 @@ extern int netlink_batch_send(struct list_head *err_list);
> extern int netlink_io_error(struct netlink_ctx *ctx,
> const struct location *loc, const char *fmt, ...);
>
> +extern struct nft_ruleset *netlink_dump_ruleset(struct netlink_ctx *ctx,
> + const struct handle *h,
> + const struct location *loc);
> #endif /* NFTABLES_NETLINK_H */
> --- a/include/rule.h
> +++ b/include/rule.h
> @@ -247,6 +249,7 @@ enum cmd_obj {
> * @seqnum: sequence number to match netlink errors
> * @union: object
> * @arg: argument data
> + * @format: info about the output format (enum nft_output_type)
> */
> struct cmd {
> struct list_head list;
> @@ -264,6 +267,7 @@ struct cmd {
> struct table *table;
> };
> const void *arg;
> + uint32_t format;
No enum defined for this?
> index b867902..11487e7 100644
> --- a/src/mnl.c
> +++ b/src/mnl.c
> @@ -9,6 +9,8 @@
> */
>
> #include <libmnl/libmnl.h>
> +#include <libnftnl/common.h>
> +#include <libnftnl/ruleset.h>
> #include <libnftnl/table.h>
> #include <libnftnl/chain.h>
> #include <libnftnl/rule.h>
> @@ -645,7 +647,8 @@ mnl_nft_set_dump(struct mnl_socket *nf_sock, int family, const char *table)
>
> nlh = nft_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
> NLM_F_DUMP|NLM_F_ACK, seq);
> - nft_set_attr_set(s, NFT_SET_ATTR_TABLE, table);
> + if (table != NULL)
> + nft_set_attr_set(s, NFT_SET_ATTR_TABLE, table);
> nft_set_nlmsg_build_payload(nlh, s);
> nft_set_free(s);
>
> @@ -733,3 +736,62 @@ int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nft_set *nls)
>
> return mnl_talk(nf_sock, nlh, nlh->nlmsg_len, set_elem_cb, nls);
> }
> +
> +/*
> + * ruleset
> + */
> +struct nft_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
> + uint32_t family)
> +{
> + struct nft_ruleset *rs;
> + struct nft_table_list *t;
> + struct nft_chain_list *c;
> + struct nft_set_list *sl;
> + struct nft_set_list_iter *i;
> + struct nft_set *s;
> + struct nft_rule_list *r;
> + int ret = 0;
> +
> + rs = nft_ruleset_alloc();
> + if (rs == NULL)
> + memory_allocation_error();
> +
> + t = mnl_nft_table_dump(nf_sock, family);
> + if (t != NULL)
> + nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_TABLELIST, t);
> +
> + c = mnl_nft_chain_dump(nf_sock, family);
> + if (c != NULL)
> + nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_CHAINLIST, c);
> +
> + sl = mnl_nft_set_dump(nf_sock, family, NULL);
> + if (sl != NULL) {
> + i = nft_set_list_iter_create(sl);
> + s = nft_set_list_iter_next(i);
> + while (s != NULL) {
> + ret = mnl_nft_setelem_get(nf_sock, s);
> + if (ret != 0)
> + goto out;
> +
> + s = nft_set_list_iter_next(i);
> + }
> + nft_set_list_iter_destroy(i);
> +
> + nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_SETLIST, sl);
> + }
> +
> + r = mnl_nft_rule_dump(nf_sock, family);
> + if (r != NULL)
> + nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_RULELIST, r);
> +
> + if (!(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_TABLELIST))
> + && !(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_CHAINLIST))
> + && !(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_SETLIST))
> + && !(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_RULELIST)))
Please keep those && at the end of each line, I'd prefer to have a
consistent style throughout the code.
> + goto out;
> +
> + return rs;
> +out:
> + nft_ruleset_free(rs);
> + return NULL;
> +}
> diff --git a/src/netlink.c b/src/netlink.c
> index 7f69995..d6de8d9 100644
> --- a/src/netlink.c
> +++ b/src/netlink.c
> @@ -19,7 +19,7 @@
> #include <libnftnl/expr.h>
> #include <libnftnl/set.h>
> #include <linux/netfilter/nf_tables.h>
> -
> +#include <linux/netfilter.h>
Seems this is where you should add those includes you added to netfilter.h?
> #include <nftables.h>
> #include <netlink.h>
> #include <mnl.h>
> @@ -1048,3 +1048,17 @@ int netlink_batch_send(struct list_head *err_list)
> {
> return mnl_batch_talk(nf_sock, err_list);
> }
> +
> +struct nft_ruleset *netlink_dump_ruleset(struct netlink_ctx *ctx,
> + const struct handle *h,
> + const struct location *loc)
> +{
> + struct nft_ruleset *rs;
> +
> + rs = mnl_nft_ruleset_dump(nf_sock, h->family);
> + if (rs == NULL)
> + netlink_io_error(ctx, loc, "Could not receive ruleset: %s",
> + strerror(errno));
> +
> + return rs;
> +}
> diff --git a/src/parser.y b/src/parser.y
> index 345d8d0..fff63d3 100644
> --- a/src/parser.y
> +++ b/src/parser.y
> @@ -19,6 +19,8 @@
> #include <linux/netfilter/nf_tables.h>
> #include <linux/netfilter/nf_conntrack_tuple_common.h>
>
> +#include <libnftnl/common.h>
> +
>From nftables POV, this is just as external as any of the preceeding
includes, so you don't need to add a separate section for libnftnl.
> #include <rule.h>
> #include <statement.h>
> #include <expression.h>
> +export_cmd : export_format
> + {
> + struct handle h = { .family = NFPROTO_UNSPEC };
> + $$ = cmd_alloc(CMD_EXPORT, 0, &h, &@$, NULL);
Just for consistency, please add a CMD_OBJ_RULESET.
> --- a/src/rule.c
> +++ b/src/rule.c
> @@ -18,6 +18,10 @@
> #include <statement.h>
> #include <rule.h>
> #include <utils.h>
> +#include <netlink.h>
> +
> +#include <libnftnl/common.h>
> +#include <libnftnl/ruleset.h>
Same comment as for parser.y.
>
> #include <netinet/ip.h>
> #include <linux/netfilter.h>
> @@ -431,6 +435,10 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
> void cmd_free(struct cmd *cmd)
> {
> handle_free(&cmd->handle);
> +
> + if (cmd->op == CMD_EXPORT)
> + goto free;
> +
Why do we need this? Both data and arg should be NULL anyway.
> if (cmd->data != NULL) {
> switch (cmd->obj) {
> case CMD_OBJ_SETELEM:
> @@ -453,6 +461,7 @@ void cmd_free(struct cmd *cmd)
> }
> }
> xfree(cmd->arg);
> +free:
> xfree(cmd);
> }
>
next prev parent reply other threads:[~2014-01-21 14:51 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-21 14:05 [nft RFC PATCH] src: add export operation Arturo Borrero Gonzalez
2014-01-21 14:51 ` Patrick McHardy [this message]
2014-01-21 16:07 ` Arturo Borrero Gonzalez
2014-01-21 16:16 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140121145131.GA6302@macbook.localnet \
--to=kaber@trash.net \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.