How to use Netlink to create a concatination based verdict-map element in nftables?

Linux Netfilter discussions
 help / color / mirror / Atom feed

* How to use Netlink to create a concatination based verdict-map element in nftables?
@ 2017-09-14  8:59 khawar shehzad
  2017-09-18  1:14 ` Duncan Roe
  0 siblings, 1 reply; 2+ messages in thread
From: khawar shehzad @ 2017-09-14  8:59 UTC (permalink / raw)
  To: netfilter

Hi,

I have the following code but not working, can anybody have a look. I 
don't know what I am missing here.

int nft_vmap_elem_do(int action, const char* cip, const char* eip, const 
char* table, const char* vmap, const char *verdict)
{
struct mnl_socket *nl;
char buf[MNL_SOCKET_BUFFER_SIZE];
struct mnl_nlmsg_batch *batch;
struct nlmsghdr *nlh;
uint32_t portid, seq, family;
struct nftnl_set *s;
struct nftnl_set_elem *e;
uint16_t data;
int ret;
s = nftnl_set_alloc();
if (s == NULL) {
perror("OOM");
exit(EXIT_FAILURE);
}


seq = time(NULL);
family = NFPROTO_IPV6;


nftnl_set_set(s, NFTNL_SET_TABLE, table);
nftnl_set_set(s, NFTNL_SET_NAME, vmap);
nftnl_set_set_u32(s, NFTNL_SET_FLAGS, NFT_SET_MAP);


e = nftnl_set_elem_alloc();
if (e == NULL) {
perror("OOM");
exit(EXIT_FAILURE);
}


struct sockaddr_in6 sa1,sa2;
inet_pton(AF_INET6, cip, &(sa1.sin6_addr));
inet_pton(AF_INET6, eip, &(sa2.sin6_addr));
nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr), 16);
nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa2.sin6_addr), 16);
//uint32_t v = htonl(1);
uint32_t v = 1;
nftnl_set_elem_set_u32(e, NFTNL_SET_ELEM_VERDICT, v);
nftnl_set_elem_add(s, e);


batch = mnl_nlmsg_batch_start(buf, sizeof(buf));


nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
switch(action){
case NFT_VMAP_ADD_ELEM:
nft_vmap_elem_do(NFT_VMAP_DEL_ELEM, cip, eip, table, vmap, verdict);
nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
NFT_MSG_NEWSETELEM, family,
NLM_F_CREATE | NLM_F_REPLACE | NLM_F_ACK,
seq++);
break;
case NFT_VMAP_DEL_ELEM:
nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
NFT_MSG_DELSETELEM, family,
NLM_F_ACK,
seq++);


break;
}
nftnl_set_elems_nlmsg_build_payload(nlh, s);
nftnl_set_free(s);
mnl_nlmsg_batch_next(batch);


nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);


nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
perror("mnl_socket_open");
exit(EXIT_FAILURE);
}


if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
perror("mnl_socket_bind");
exit(EXIT_FAILURE);
}
portid = mnl_socket_get_portid(nl);


if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
mnl_nlmsg_batch_size(batch)) < 0) {
perror("mnl_socket_send");
exit(EXIT_FAILURE);
}


mnl_nlmsg_batch_stop(batch);


ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
while (ret > 0) {
ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL);
if (ret <= 0)
break;
ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
}
if (ret == -1) {
perror("error");
//exit(EXIT_FAILURE);
}
mnl_socket_close(nl);


return EXIT_SUCCESS;
}


///////////////////////////////////////////////////////////////
Cheers,
Khawar


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: How to use Netlink to create a concatination based verdict-map element in nftables?
  2017-09-14  8:59 How to use Netlink to create a concatination based verdict-map element in nftables? khawar shehzad
@ 2017-09-18  1:14 ` Duncan Roe
  0 siblings, 0 replies; 2+ messages in thread
From: Duncan Roe @ 2017-09-18  1:14 UTC (permalink / raw)
  To: netfilter

On Thu, Sep 14, 2017 at 09:59:17AM +0100, khawar shehzad wrote:
> Hi,
>
> I have the following code but not working, can anybody have a look. I don't
> know what I am missing here.
>
> int nft_vmap_elem_do(int action, const char* cip, const char* eip, const
> char* table, const char* vmap, const char *verdict)
> {
> struct mnl_socket *nl;
> char buf[MNL_SOCKET_BUFFER_SIZE];
> struct mnl_nlmsg_batch *batch;
> struct nlmsghdr *nlh;
> uint32_t portid, seq, family;
> struct nftnl_set *s;
> struct nftnl_set_elem *e;
> uint16_t data;
> int ret;
> s = nftnl_set_alloc();
> if (s == NULL) {
> perror("OOM");
> exit(EXIT_FAILURE);
> }
>
>
> seq = time(NULL);
> family = NFPROTO_IPV6;
>
>
> nftnl_set_set(s, NFTNL_SET_TABLE, table);
> nftnl_set_set(s, NFTNL_SET_NAME, vmap);
> nftnl_set_set_u32(s, NFTNL_SET_FLAGS, NFT_SET_MAP);
>
>
> e = nftnl_set_elem_alloc();
> if (e == NULL) {
> perror("OOM");
> exit(EXIT_FAILURE);
> }
>
>
> struct sockaddr_in6 sa1,sa2;
> inet_pton(AF_INET6, cip, &(sa1.sin6_addr));
> inet_pton(AF_INET6, eip, &(sa2.sin6_addr));
> nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa1.sin6_addr), 16);
> nftnl_set_elem_set(e, NFTNL_SET_ELEM_KEY, &(sa2.sin6_addr), 16);
> //uint32_t v = htonl(1);
> uint32_t v = 1;
> nftnl_set_elem_set_u32(e, NFTNL_SET_ELEM_VERDICT, v);
> nftnl_set_elem_add(s, e);
>
>
> batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
>
>
> nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
> mnl_nlmsg_batch_next(batch);
> switch(action){
> case NFT_VMAP_ADD_ELEM:
> nft_vmap_elem_do(NFT_VMAP_DEL_ELEM, cip, eip, table, vmap, verdict);
> nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
> NFT_MSG_NEWSETELEM, family,
> NLM_F_CREATE | NLM_F_REPLACE | NLM_F_ACK,
> seq++);
> break;
> case NFT_VMAP_DEL_ELEM:
> nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
> NFT_MSG_DELSETELEM, family,
> NLM_F_ACK,
> seq++);
>
>
> break;
> }
> nftnl_set_elems_nlmsg_build_payload(nlh, s);
> nftnl_set_free(s);
> mnl_nlmsg_batch_next(batch);
>
>
> nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
> mnl_nlmsg_batch_next(batch);
>
>
> nl = mnl_socket_open(NETLINK_NETFILTER);
> if (nl == NULL) {
> perror("mnl_socket_open");
> exit(EXIT_FAILURE);
> }
>
>
> if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
> perror("mnl_socket_bind");
> exit(EXIT_FAILURE);
> }
> portid = mnl_socket_get_portid(nl);
>
>
> if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
> mnl_nlmsg_batch_size(batch)) < 0) {
> perror("mnl_socket_send");
> exit(EXIT_FAILURE);
> }
>
>
> mnl_nlmsg_batch_stop(batch);
>
>
> ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
> while (ret > 0) {
> ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL);
> if (ret <= 0)
> break;
> ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
> }
> if (ret == -1) {
> perror("error");
> //exit(EXIT_FAILURE);
> }
> mnl_socket_close(nl);
>
>
> return EXIT_SUCCESS;
> }
>
>
> ///////////////////////////////////////////////////////////////
> Cheers,
> Khawar
>
Hi Khawar,

I tried to build your code, but after inserting

#include <time.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <libnftnl/set.h>
#include <libmnl/libmnl.h>
#include <libipset/nfproto.h>
#include <linux/netfilter/nf_tables.h>

at start of the code, I am still getting NFT_VMAP_ADD_ELEM & NFT_VMAP_DEL_ELEM
undefined.

Where are they please?

Cheers ... Duncan.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-09-18  1:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-09-14  8:59 How to use Netlink to create a concatination based verdict-map element in nftables? khawar shehzad
2017-09-18  1:14 ` Duncan Roe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox