* [iptables-nftables - PATCH 0/5] Support for -E and -R options.
@ 2012-10-31 9:31 Tomasz Bursztyka
From: Tomasz Bursztyka @ 2012-10-31 9:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Hi,
5 patches to implement -E and -R options in patches 2, 4 and 5.
Patches 1 and 3 are simple fixes.
Please review,
Tomasz Bursztyka (5):
headers: Make nf_tables.h up to date
nft: Add support for chain rename options (-E)
iptables: nft: Fix -D chain rulenum option
iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
iptables: nft: Add support for -R option
include/linux/netfilter/nf_tables.h | 3 ++
iptables/nft.c | 79 ++++++++++++++++++++++++++-----------
iptables/nft.h | 2 +-
iptables/xtables.c | 3 +-
4 files changed, 63 insertions(+), 24 deletions(-)
--
1.7.12.4
* [iptables-nftables - PATCH 1/5] headers: Make nf_tables.h up to date
From: Tomasz Bursztyka @ 2012-10-31 9:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/linux/netfilter/nf_tables.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a6d5137..74a521a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -65,6 +65,8 @@ enum nft_chain_attributes {
NFTA_CHAIN_TABLE,
NFTA_CHAIN_NAME,
NFTA_CHAIN_HOOK,
+ NFTA_CHAIN_POLICY,
+ NFTA_CHAIN_USE,
__NFTA_CHAIN_MAX
};
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
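Review bot: the commit message has no body; since these enum values are attribute numbers on the netlink wire, the message should state which kernel tree or commit this copy of nf_tables.h was synced from, so that a later mismatch between userspace and kernel numbering can be traced. The additions themselves are placed before `__NFTA_CHAIN_MAX`, which keeps every existing value stable and is the right way to extend the enum.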
--
1.7.12.4
* [iptables-nftables - PATCH 2/5] nft: Add support for chain rename options (-E)
From: Tomasz Bursztyka @ 2012-10-31 9:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/linux/netfilter/nf_tables.h | 1 +
iptables/nft.c | 33 ++++++++++++++++++++++++++++-----
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 74a521a..63480b3 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -67,6 +67,7 @@ enum nft_chain_attributes {
NFTA_CHAIN_HOOK,
NFTA_CHAIN_POLICY,
NFTA_CHAIN_USE,
+ NFTA_CHAIN_NEW_NAME,
__NFTA_CHAIN_MAX
};
#define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1)
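Review bot: this header change belongs with the header sync in patch 1 rather than inside the feature patch, unless `NFTA_CHAIN_NEW_NAME` is not yet in the kernel tree; in that case the commit message should name the kernel patch that introduces it, because the rename below only works if the kernel understands this attribute together with `NFT_MSG_NEWCHAIN` and `NLM_F_REPLACE`.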
diff --git a/iptables/nft.c b/iptables/nft.c
index 6d2de99..0454725 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1570,14 +1570,37 @@ err:
int nft_chain_user_rename(struct nft_handle *h,const char *chain,
const char *table, const char *newname)
{
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ struct nft_chain *c;
int ret;
- /* XXX need new operation in nf_tables to support this */
- ret = nft_chain_user_del(h, chain, table);
- if (ret < 0)
- return ret;
+ /* If built-in chains don't exist for this table, create them */
+ nft_chain_builtin_init(h, table, NULL, NF_ACCEPT);
- return nft_chain_user_add(h, newname, table);
+ c = nft_chain_alloc();
+ if (c == NULL) {
+ DEBUGP("cannot allocate chain\n");
+ return -1;
+ }
+
+ nft_chain_attr_set(c, NFT_CHAIN_ATTR_TABLE, (char *)table);
+ nft_chain_attr_set(c, NFT_CHAIN_ATTR_NAME, (char *)chain);
+ nft_chain_attr_set(c, NFT_CHAIN_ATTR_NEW_NAME, (char *)newname);
+
+ nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, AF_INET,
+ NLM_F_ACK|NLM_F_REPLACE, h->seq);
+ nft_chain_nlmsg_build_payload(nlh, c);
+ nft_chain_free(c);
+
+ ret = mnl_talk(h, nlh, NULL, NULL);
+ if (ret < 0) {
+ if (errno != EEXIST)
+ perror("mnl_talk:nft_chain_rename");
+ }
+
+ /* the core expects 1 for success and 0 for error */
+ return ret == 0 ? 1 : 0;
}
static int nft_table_list_cb(const struct nlmsghdr *nlh, void *data)
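Review bot: the `nft_chain_builtin_init(h, table, NULL, NF_ACCEPT)` call gives a rename a side effect: if the named table has no built-in chains yet, `-E` creates them before attempting the rename, and they stay behind when the rename then fails (for instance because `chain` does not exist). A rename only needs the source chain to exist, so consider dropping the call here or failing early when `chain` is absent. Separately, the error path only reports via `perror` when `errno != EEXIST`; an EEXIST (new name already taken) is returned as 0 with no message from this function, so make sure the caller turns that into a user-visible error rather than a silent failure.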
--
1.7.12.4
* [iptables-nftables - PATCH 3/5] iptables: nft: Fix -D chain rulenum option
From: Tomasz Bursztyka @ 2012-10-31 9:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
iptables/nft.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 0454725..dfbffc7 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2231,10 +2231,10 @@ __nft_rule_check(struct nft_handle *h, const char *chain, const char *table,
if (rulenum >= 0) {
/* Delete by rule number case */
- if (rule_ctr != rulenum) {
- rule_ctr++;
+ if (rule_ctr != rulenum)
goto next;
- }
+ found = true;
+ break;
} else {
/* Delete by matching rule case */
DEBUGP("comparing with... ");
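Review bot: the commit message is empty apart from the Signed-off-by, and for a patch titled "Fix" it should say what was wrong: from the hunk, `rule_ctr` was only advanced on the `rulenum` path inside the loop, and the matching rule now sets `found` and leaves the loop with `break`. One or two sentences describing the observed misbehaviour of `-D chain rulenum` (which rule was deleted instead of the requested one) would make this reviewable and bisectable.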
@@ -2266,6 +2266,7 @@ __nft_rule_check(struct nft_handle *h, const char *chain, const char *table,
break;
}
next:
+ rule_ctr++;
r = nft_rule_list_iter_next(iter);
}
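Review bot: moving `rule_ctr++` under the `next:` label means the counter is advanced for every rule that is skipped on either path, but not for the rule that is found (the `rulenum` path exits with `break` before reaching `next:`). That is correct as long as `rule_ctr` starts at the same base as `rulenum` (0- or 1-based) and nothing after the loop reads `rule_ctr` expecting it to include the matched rule; a short comment at the label stating that invariant would prevent the next off-by-one.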
--
1.7.12.4
* [iptables-nftables - PATCH 4/5] iptables: nft: Refactor __nft_rule_check to return rule handle when relevant
From: Tomasz Bursztyka @ 2012-10-31 9:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
iptables/nft.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index dfbffc7..5dfacd8 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2194,7 +2194,7 @@ __nft_rule_del(struct nft_handle *h, struct nft_rule *r)
static int
__nft_rule_check(struct nft_handle *h, const char *chain, const char *table,
struct iptables_command_state *cs,
- bool delete, int rulenum, bool verbose)
+ bool delete, bool replace, int rulenum, bool verbose)
{
struct nft_rule_list *list;
struct nft_rule_list_iter *iter;
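Review bot: `delete` and `replace` are mutually exclusive modes passed as two independent bools, so the signature admits `delete == true && replace == true`, which nothing in the body rejects. A single mode argument (an enum with check/delete/replace) would make the call sites later in this patch (`false, false`, `true, false`, `false, true`) self-describing and rule that combination out at compile time.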
@@ -2276,7 +2276,8 @@ next:
if (delete) {
DEBUGP("deleting rule\n");
__nft_rule_del(h, r);
- }
+ } else if (replace)
+ ret = nft_rule_attr_get_u16(r, NFT_RULE_ATTR_HANDLE);
}
nft_rule_list_iter_destroy(iter);
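Review bot: the `} else if (replace)` arm is unbraced while the `if (delete)` arm of the same statement is braced; keep braces on both. More importantly, `ret` now carries two different things, a status and a rule handle, and the handle is read as a 16-bit value (`nft_rule_attr_get_u16`) into an `int`: confirm against the attribute definition that `NFT_RULE_ATTR_HANDLE` is really 16 bits wide, because if the kernel's rule handle is wider, handles above 65535 are silently truncated and the wrong rule gets replaced. A handle of 0 is also indistinguishable from "no handle" downstream (patch 5 tests `handle > 0`), so that assumption about the kernel never allocating handle 0 should be stated in a comment.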
@@ -2294,7 +2295,7 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
{
nft_fn = nft_rule_check;
- return __nft_rule_check(h, chain, table, e, false, -1, verbose);
+ return __nft_rule_check(h, chain, table, e, false, false, -1, verbose);
}
int nft_rule_delete(struct nft_handle *h, const char *chain,
@@ -2303,7 +2304,7 @@ int nft_rule_delete(struct nft_handle *h, const char *chain,
{
nft_fn = nft_rule_delete;
- return __nft_rule_check(h, chain, table, e, true, -1, verbose);
+ return __nft_rule_check(h, chain, table, e, true, false, -1, verbose);
}
int nft_rule_delete_num(struct nft_handle *h, const char *chain,
@@ -2312,7 +2313,8 @@ int nft_rule_delete_num(struct nft_handle *h, const char *chain,
{
nft_fn = nft_rule_delete_num;
- return __nft_rule_check(h, chain, table, NULL, true, rulenum, verbose);
+ return __nft_rule_check(h, chain, table,
+ NULL, true, false, rulenum, verbose);
}
int nft_rule_replace(struct nft_handle *h, const char *chain,
@@ -2323,7 +2325,8 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
nft_fn = nft_rule_replace;
- ret = __nft_rule_check(h, chain, table, NULL, true, rulenum, verbose);
+ ret = __nft_rule_check(h, chain, table,
+ NULL, false, true, rulenum, verbose);
if (ret < 0)
return ret;
--
1.7.12.4
* [iptables-nftables - PATCH 5/5] iptables: nft: Add support for -R option
From: Tomasz Bursztyka @ 2012-10-31 9:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
iptables/nft.c | 28 ++++++++++++++++++----------
iptables/nft.h | 2 +-
iptables/xtables.c | 3 ++-
3 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 5dfacd8..de2a456 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -639,7 +639,8 @@ static void add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes)
int
nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
- struct iptables_command_state *cs, bool append, bool verbose)
+ struct iptables_command_state *cs,
+ bool append, uint16_t handle, bool verbose)
{
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
@@ -764,8 +765,16 @@ nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
}
/* NLM_F_CREATE autoloads the built-in table if it does not exists */
- nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET,
- NLM_F_ACK|NLM_F_CREATE|flags, h->seq);
+ flags |= NLM_F_ACK|NLM_F_CREATE;
+
+ if (handle > 0) {
+ nft_rule_attr_set(r, NFT_RULE_ATTR_HANDLE, &handle);
+ flags |= NLM_F_REPLACE;
+ }
+
+ nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE,
+ AF_INET, flags, h->seq);
+
nft_rule_nlmsg_build_payload(nlh, r);
nft_rule_print_debug(r, nlh);
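Review bot: `nft_rule_attr_set(r, NFT_RULE_ATTR_HANDLE, &handle)` passes a pointer to a `uint16_t`; a generic setter copies whatever width the attribute is declared with, so if the handle attribute is wider than 16 bits this reads past `handle` on the stack and a truncated or garbage handle selects the wrong rule. Use the attribute's native width for `handle` end to end (this parameter, the prototype in nft.h and the `nft_rule_attr_get_u16` in patch 4), or a width-typed setter. Also, `NLM_F_CREATE` stays set together with `NLM_F_REPLACE`; depending on how the kernel treats that combination, a replace with a handle that no longer exists may create a new rule instead of failing, so consider clearing `NLM_F_CREATE` in the `handle > 0` branch so that a stale handle is reported as an error, and update the "autoloads the built-in table" comment to reflect the new flag handling.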
@@ -2321,17 +2330,16 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
const char *table, struct iptables_command_state *cs,
int rulenum, bool verbose)
{
- int ret;
+ int handle;
nft_fn = nft_rule_replace;
- ret = __nft_rule_check(h, chain, table,
- NULL, false, true, rulenum, verbose);
- if (ret < 0)
- return ret;
+ handle = __nft_rule_check(h, chain, table,
+ NULL, false, true, rulenum, verbose);
+ if (handle < 0)
+ return handle;
- /* XXX needs to be inserted in position, this is appending */
- return nft_rule_add(h, chain, table, cs, true, verbose);
+ return nft_rule_add(h, chain, table, cs, true, handle, verbose);
}
/*
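Review bot: `if (handle < 0) return handle;` only catches negative returns; if `__nft_rule_check` returns 0 when no rule matches `rulenum` (its success/failure convention is not visible in this series, so please check), execution falls through to `nft_rule_add(..., handle, ...)` with `handle == 0`, which takes the plain append path and silently adds a rule instead of replacing one. Treat `handle == 0` as an error here, or have `__nft_rule_check` return a negative errno for "not found". The variable is also an `int` while `nft_rule_add` takes a `uint16_t handle`, so the implicit narrowing at the call deserves at least a comment.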
diff --git a/iptables/nft.h b/iptables/nft.h
index f5a9efb..474e652 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -39,7 +39,7 @@ int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *t
*/
struct nft_rule;
-int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, bool verbose);
+int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint16_t handle, bool verbose);
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 0203b69..0f8826c 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -448,7 +448,8 @@ add_entry(const char *chain,
cs->fw.ip.dst.s_addr = daddrs[j].s_addr;
cs->fw.ip.dmsk.s_addr = dmasks[j].s_addr;
- ret = nft_rule_add(h, chain, table, cs, append, verbose);
+ ret = nft_rule_add(h, chain, table,
+ cs, append, 0, verbose);
}
}
--
1.7.12.4
* Re: [iptables-nftables - PATCH 0/5] Support for -E and -R options.
From: Pablo Neira Ayuso @ 2012-11-01 15:41 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Wed, Oct 31, 2012 at 11:31:03AM +0200, Tomasz Bursztyka wrote:
> Hi,
>
> 5 patches to implement -E and -R options in patches 2, 4 and 5.
> Patches 1 and 3 are simple fixes.
Applied, thanks!