[libnftnl PATCH v2 1/3] example: fix the example for deleting rules

[libnftnl PATCH v2 1/3] example: fix the example for deleting rules

[Alvaro Neira Ayuso]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Fixed the example for deleting rules. Before this patch,
the program tried to delete the rule without using
the correct header

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
v2: Fixed wrong coding style

 examples/nft-rule-del.c |   43 +++++++++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

diff --git a/examples/nft-rule-del.c b/examples/nft-rule-del.c
index 6f665b0..b29c757 100644
--- a/examples/nft-rule-del.c
+++ b/examples/nft-rule-del.c
@@ -17,15 +17,33 @@
 
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter/nfnetlink.h>
 
 #include <libmnl/libmnl.h>
 #include <libnftnl/rule.h>
 
+static void nft_mnl_batch_put(char *buf, uint16_t type, uint32_t seq)
+{
+	struct nlmsghdr *nlh;
+	struct nfgenmsg *nfg;
+
+	nlh = mnl_nlmsg_put_header(buf);
+	nlh->nlmsg_type = type;
+	nlh->nlmsg_flags = NLM_F_REQUEST;
+	nlh->nlmsg_seq = seq;
+
+	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
+	nfg->nfgen_family = AF_INET;
+	nfg->version = NFNETLINK_V0;
+	nfg->res_id = NFNL_SUBSYS_NFTABLES;
+}
+
 int main(int argc, char *argv[])
 {
 	struct mnl_socket *nl;
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	struct nlmsghdr *nlh;
+	struct mnl_nlmsg_batch *batch;
 	uint32_t portid, seq;
 	struct nft_rule *r = NULL;
 	int ret, family;
@@ -56,8 +74,6 @@ int main(int argc, char *argv[])
 	}
 
 	seq = time(NULL);
-	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_DELRULE, family,
-					NLM_F_ACK, seq);
 	nft_rule_attr_set(r, NFT_RULE_ATTR_TABLE, argv[2]);
 	nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, argv[3]);
 
@@ -69,8 +85,24 @@ int main(int argc, char *argv[])
 	nft_rule_snprintf(tmp, sizeof(tmp), r, 0, 0);
 	printf("%s\n", tmp);
 
+	batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
+
+	nft_mnl_batch_put(mnl_nlmsg_batch_current(batch),
+			  NFNL_MSG_BATCH_BEGIN, seq++);
+	mnl_nlmsg_batch_next(batch);
+
+	nlh = nft_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+				NFT_MSG_DELRULE,
+				family,
+				NLM_F_ACK, seq++);
+
 	nft_rule_nlmsg_build_payload(nlh, r);
 	nft_rule_free(r);
+	mnl_nlmsg_batch_next(batch);
+
+	nft_mnl_batch_put(mnl_nlmsg_batch_current(batch), NFNL_MSG_BATCH_END,
+			  seq++);
+	mnl_nlmsg_batch_next(batch);
 
 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
@@ -84,14 +116,17 @@ int main(int argc, char *argv[])
 	}
 	portid = mnl_socket_get_portid(nl);
 
-	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+	if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
+			      mnl_nlmsg_batch_size(batch)) < 0) {
 		perror("mnl_socket_send");
 		exit(EXIT_FAILURE);
 	}
 
+	mnl_nlmsg_batch_stop(batch);
+
 	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
 	while (ret > 0) {
-		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL);
 		if (ret <= 0)
 			break;
 		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftnl PATCH v2 2/3] example/nft-rule-insert: fixed and merged this example with nft-rule-add

[Alvaro Neira Ayuso]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Merged the example for inserting rules and fixed for using
the correct header.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
v2: Fixed some style error, removed useless code lines and used the correct function 
for setting an attribute.

 examples/Makefile.am       |    1 
 examples/nft-rule-add.c    |   15 +++
 examples/nft-rule-insert.c |  204 --------------------------------------------
 3 files changed, 12 insertions(+), 208 deletions(-)
 delete mode 100644 examples/nft-rule-insert.c

diff --git a/examples/Makefile.am b/examples/Makefile.am
index b433b2d..54b1dfb 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -12,7 +12,6 @@ check_PROGRAMS = nft-table-add		\
 		 nft-chain-del		\
 		 nft-chain-get		\
 		 nft-rule-add		\
-		 nft-rule-insert	\
 		 nft-rule-xml-add	\
 		 nft-rule-json-add	\
 		 nft-rule-del		\
diff --git a/examples/nft-rule-add.c b/examples/nft-rule-add.c
index 21b3bf8..6961d0d 100644
--- a/examples/nft-rule-add.c
+++ b/examples/nft-rule-add.c
@@ -80,11 +80,12 @@ static void add_counter(struct nft_rule *r)
 }
 
 static struct nft_rule *setup_rule(uint8_t family, const char *table,
-				   const char *chain)
+				   const char *chain, const char *handle)
 {
 	struct nft_rule *r = NULL;
 	uint8_t proto;
 	uint16_t dport;
+	uint64_t handle_num;
 
 	r = nft_rule_alloc();
 	if (r == NULL) {
@@ -96,6 +97,11 @@ static struct nft_rule *setup_rule(uint8_t family, const char *table,
 	nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, chain);
 	nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FAMILY, family);
 
+	if (handle != NULL) {
+		handle_num = atoll(handle);
+		nft_rule_attr_set_u64(r, NFT_RULE_ATTR_POSITION, handle_num);
+	}
+
 	proto = IPPROTO_TCP;
 	add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
 		    offsetof(struct iphdr, protocol), sizeof(uint8_t));
@@ -138,7 +144,7 @@ int main(int argc, char *argv[])
 	uint32_t seq = time(NULL);
 	int ret;
 
-	if (argc != 4) {
+	if (argc < 4 || argc > 5) {
 		fprintf(stderr, "Usage: %s <family> <table> <chain>\n", argv[0]);
 		exit(EXIT_FAILURE);
 	}
@@ -152,7 +158,10 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	r = setup_rule(family, argv[2], argv[3]);
+	if (argc != 5)
+		r = setup_rule(family, argv[2], argv[3], NULL);
+	else
+		r = setup_rule(family, argv[2], argv[3], argv[4]);
 
 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
diff --git a/examples/nft-rule-insert.c b/examples/nft-rule-insert.c
deleted file mode 100644
index 1b377de..0000000
--- a/examples/nft-rule-insert.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
- * (C) 2013 by Eric Leblond <eric@regit.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
- */
-
-#include <stdlib.h>
-#include <time.h>
-#include <string.h>
-#include <stddef.h>	/* for offsetof */
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <linux/netfilter/nf_tables.h>
-
-#include <libmnl/libmnl.h>
-#include <libnftnl/rule.h>
-#include <libnftnl/expr.h>
-
-#include <linux/netfilter_ipv4/ipt_LOG.h>
-#include <linux/netfilter/xt_iprange.h>
-
-#include <netinet/ip.h>
-
-static void add_target_log(struct nft_rule_expr *e)
-{
-	struct ipt_log_info *info;
-
-	nft_rule_expr_set(e, NFT_EXPR_TG_NAME, "LOG", strlen("LOG"));
-	nft_rule_expr_set_u32(e, NFT_EXPR_TG_REV, 0);
-
-	info = calloc(1, sizeof(struct ipt_log_info));
-	if (info == NULL)
-		return;
-
-	sprintf(info->prefix, "test: ");
-	info->prefix[sizeof(info->prefix)-1] = '\0';
-	info->logflags = 0x0f;
-	info->level = 5;
-
-	nft_rule_expr_set(e, NFT_EXPR_TG_INFO, info, sizeof(*info));
-}
-
-static void add_expr_target(struct nft_rule *r)
-{
-	struct nft_rule_expr *expr;
-
-	expr = nft_rule_expr_alloc("target");
-	if (expr == NULL)
-		return;
-
-	add_target_log(expr);
-
-	nft_rule_add_expr(r, expr);
-}
-
-static void add_match_iprange(struct nft_rule_expr *e)
-{
-	struct xt_iprange_mtinfo *info;
-
-	nft_rule_expr_set(e, NFT_EXPR_MT_NAME, "iprange", strlen("iprange"));
-	nft_rule_expr_set_u32(e, NFT_EXPR_MT_REV, 1);
-
-	info = calloc(1, sizeof(struct xt_iprange_mtinfo));
-	if (info == NULL)
-		return;
-
-	info->src_min.ip = info->dst_min.ip = inet_addr("127.0.0.1");
-	info->src_max.ip = info->dst_max.ip = inet_addr("127.0.0.1");
-	info->flags = IPRANGE_SRC;
-
-	nft_rule_expr_set(e, NFT_EXPR_MT_INFO, info, sizeof(*info));
-}
-
-static void add_expr_match(struct nft_rule *r)
-{
-	struct nft_rule_expr *expr;
-
-	expr = nft_rule_expr_alloc("match");
-	if (expr == NULL)
-		return;
-
-	add_match_iprange(expr);
-
-	nft_rule_add_expr(r, expr);
-}
-
-#define field_sizeof(t, f)	(sizeof(((t *)NULL)->f))
-
-static void add_payload2(struct nft_rule_expr *e)
-{
-	nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_BASE,
-			      NFT_PAYLOAD_NETWORK_HEADER);
-	nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_DREG, NFT_REG_1);
-	nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_OFFSET,
-			      offsetof(struct iphdr, protocol));
-	nft_rule_expr_set_u32(e, NFT_EXPR_PAYLOAD_LEN, 1);
-}
-
-static void add_payload(struct nft_rule *r)
-{
-	struct nft_rule_expr *expr;
-
-	expr = nft_rule_expr_alloc("payload");
-	if (expr == NULL)
-		return;
-
-	add_payload2(expr);
-
-	nft_rule_add_expr(r, expr);
-}
-
-int main(int argc, char *argv[])
-{
-	struct mnl_socket *nl;
-	char buf[MNL_SOCKET_BUFFER_SIZE];
-	struct nlmsghdr *nlh;
-	uint32_t portid, seq;
-	struct nft_rule *r = NULL;
-	int ret, family;
-	uint64_t handle;
-
-	if (argc != 5) {
-		fprintf(stderr, "Usage: %s <family> <table> <chain> <handle>\n",
-			argv[0]);
-		exit(EXIT_FAILURE);
-	}
-
-	r = nft_rule_alloc();
-	if (r == NULL) {
-		perror("OOM");
-		exit(EXIT_FAILURE);
-	}
-
-	if (strcmp(argv[1], "ip") == 0)
-		family = AF_INET;
-	else if (strcmp(argv[1], "ip6") == 0)
-		family = AF_INET6;
-	else if (strcmp(argv[1], "bridge") == 0)
-		family = AF_BRIDGE;
-	else {
-		fprintf(stderr, "Unknown family: ip, ip6, bridge\n");
-		exit(EXIT_FAILURE);
-	}
-
-	nft_rule_attr_set(r, NFT_RULE_ATTR_TABLE, argv[2]);
-	nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, argv[3]);
-
-	handle = atoi(argv[4]);
-	nft_rule_attr_set(r, NFT_RULE_ATTR_POSITION, &handle);
-
-	add_expr_match(r);
-	add_payload(r);
-	add_expr_target(r);
-
-	char tmp[1024];
-	nft_rule_snprintf(tmp, sizeof(tmp), r, 0, 0);
-	printf("%s\n", tmp);
-
-	seq = time(NULL);
-	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, family,
-					NLM_F_ACK|NLM_F_CREATE,
-					seq);
-	nft_rule_nlmsg_build_payload(nlh, r);
-	nft_rule_free(r);
-
-	nl = mnl_socket_open(NETLINK_NETFILTER);
-	if (nl == NULL) {
-		perror("mnl_socket_open");
-		exit(EXIT_FAILURE);
-	}
-
-	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
-		perror("mnl_socket_bind");
-		exit(EXIT_FAILURE);
-	}
-	portid = mnl_socket_get_portid(nl);
-
-	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
-		perror("mnl_socket_send");
-		exit(EXIT_FAILURE);
-	}
-
-	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
-	while (ret > 0) {
-		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
-		if (ret <= 0)
-			break;
-		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
-	}
-	if (ret == -1) {
-		perror("error");
-		exit(EXIT_FAILURE);
-	}
-	mnl_socket_close(nl);
-
-	return EXIT_SUCCESS;
-}

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftnl PATCH v2 2/3] example/nft-rule-insert: fixed and merged this example with nft-rule-add

[Pablo Neira Ayuso]

On Sat, Mar 08, 2014 at 04:22:33PM +0100, Alvaro Neira Ayuso wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> Merged the example for inserting rules and fixed for using
> the correct header.

Also applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[libnftnl PATCH v2 3/3] example: removed printf rule function

[Alvaro Neira Ayuso]

From: Álvaro Neira Ayuso <alvaroneay@gmail.com>

Removed this code because with that we have a strange
output. Example:

we have a rule with handle 4 and we execute
nft-rule-del ip filter input 4

Output: unknown filter input 4 0

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
 examples/nft-rule-del.c |    4 ----
 1 file changed, 4 deletions(-)

diff --git a/examples/nft-rule-del.c b/examples/nft-rule-del.c
index b29c757..cec9440 100644
--- a/examples/nft-rule-del.c
+++ b/examples/nft-rule-del.c
@@ -81,10 +81,6 @@ int main(int argc, char *argv[])
 	if (argc == 5)
 		nft_rule_attr_set_u64(r, NFT_RULE_ATTR_HANDLE, atoi(argv[4]));
 
-	char tmp[1024];
-	nft_rule_snprintf(tmp, sizeof(tmp), r, 0, 0);
-	printf("%s\n", tmp);
-
 	batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
 
 	nft_mnl_batch_put(mnl_nlmsg_batch_current(batch),

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftnl PATCH v2 3/3] example: removed printf rule function

[Pablo Neira Ayuso]

On Sat, Mar 08, 2014 at 04:22:48PM +0100, Alvaro Neira Ayuso wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> Removed this code because with that we have a strange
> output. Example:
> 
> we have a rule with handle 4 and we execute
> nft-rule-del ip filter input 4
> 
> Output: unknown filter input 4 0

Also applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftnl PATCH v2 1/3] example: fix the example for deleting rules

[Pablo Neira Ayuso]

On Sat, Mar 08, 2014 at 04:21:55PM +0100, Alvaro Neira Ayuso wrote:
> From: Álvaro Neira Ayuso <alvaroneay@gmail.com>
> 
> Fixed the example for deleting rules. Before this patch,
> the program tried to delete the rule without using
> the correct header

applied, rework the title and description a bit.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html