unsigned int flags);
int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nft_set *nls);
+struct nft_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
+ uint32_t family);
#endif /* _NFTABLES_MNL_H_ */
extern int netlink_io_error(struct netlink_ctx *ctx,
const struct location *loc, const char *fmt, ...);
+extern struct nft_ruleset *netlink_dump_ruleset(struct netlink_ctx *ctx,
+ const struct handle *h,
+ const struct location *loc);
#endif /* NFTABLES_NETLINK_H */
* @CMD_LIST: list container
* @CMD_FLUSH: flush container
* @CMD_RENAME: rename object
+ * @CMD_EXPORT: export the ruleset in a given format
*/
enum cmd_ops {
CMD_INVALID,
CMD_LIST,
CMD_FLUSH,
CMD_RENAME,
+ CMD_EXPORT,
};
/**
* @CMD_OBJ_RULE: rule
* @CMD_OBJ_CHAIN: chain
* @CMD_OBJ_TABLE: table
+ * @CMD_OBJ_RULESET: ruleset
*/
enum cmd_obj {
CMD_OBJ_INVALID,
CMD_OBJ_RULE,
CMD_OBJ_CHAIN,
CMD_OBJ_TABLE,
+ CMD_OBJ_RULESET,
};
/**
* @seqnum: sequence number to match netlink errors
* @union: object
* @arg: argument data
+ * @format: info about the export/import format
*/
struct cmd {
struct list_head list;
struct table *table;
};
const void *arg;
+ uint32_t format;
};
extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
case CMD_LIST:
case CMD_FLUSH:
case CMD_RENAME:
+ case CMD_EXPORT:
return 0;
default:
BUG("invalid command operation %u\n", cmd->op);
*/
#include <libmnl/libmnl.h>
+#include <libnftnl/common.h>
+#include <libnftnl/ruleset.h>
#include <libnftnl/table.h>
#include <libnftnl/chain.h>
#include <libnftnl/rule.h>
nlh = nft_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
NLM_F_DUMP|NLM_F_ACK, seq);
- nft_set_attr_set(s, NFT_SET_ATTR_TABLE, table);
+ if (table != NULL)
+ nft_set_attr_set(s, NFT_SET_ATTR_TABLE, table);
nft_set_nlmsg_build_payload(nlh, s);
nft_set_free(s);
return mnl_talk(nf_sock, nlh, nlh->nlmsg_len, set_elem_cb, nls);
}
+
+/*
+ * ruleset
+ */
+struct nft_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
+ uint32_t family)
+{
+ struct nft_ruleset *rs;
+ struct nft_table_list *t;
+ struct nft_chain_list *c;
+ struct nft_set_list *sl;
+ struct nft_set_list_iter *i;
+ struct nft_set *s;
+ struct nft_rule_list *r;
+ int ret = 0;
+
+ rs = nft_ruleset_alloc();
+ if (rs == NULL)
+ memory_allocation_error();
+
+ t = mnl_nft_table_dump(nf_sock, family);
+ if (t != NULL)
+ nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_TABLELIST, t);
+
+ c = mnl_nft_chain_dump(nf_sock, family);
+ if (c != NULL)
+ nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_CHAINLIST, c);
+
+ sl = mnl_nft_set_dump(nf_sock, family, NULL);
+ if (sl != NULL) {
+ i = nft_set_list_iter_create(sl);
+ s = nft_set_list_iter_next(i);
+ while (s != NULL) {
+ ret = mnl_nft_setelem_get(nf_sock, s);
+ if (ret != 0)
+ goto out;
+
+ s = nft_set_list_iter_next(i);
+ }
+ nft_set_list_iter_destroy(i);
+
+ nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_SETLIST, sl);
+ }
+
+ r = mnl_nft_rule_dump(nf_sock, family);
+ if (r != NULL)
+ nft_ruleset_attr_set(rs, NFT_RULESET_ATTR_RULELIST, r);
+
+ if (!(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_TABLELIST)) &&
+ !(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_CHAINLIST)) &&
+ !(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_SETLIST)) &&
+ !(nft_ruleset_attr_is_set(rs, NFT_RULESET_ATTR_RULELIST)))
+ goto out;
+
+ return rs;
+out:
+ nft_ruleset_free(rs);
+ return NULL;
+}
#include <fcntl.h>
#include <errno.h>
#include <libmnl/libmnl.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
#include <libnftnl/table.h>
#include <libnftnl/chain.h>
#include <libnftnl/expr.h>
#include <libnftnl/set.h>
#include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter.h>
#include <nftables.h>
#include <netlink.h>
{
return mnl_batch_talk(nf_sock, err_list);
}
+
+struct nft_ruleset *netlink_dump_ruleset(struct netlink_ctx *ctx,
+ const struct handle *h,
+ const struct location *loc)
+{
+ struct nft_ruleset *rs;
+
+ rs = mnl_nft_ruleset_dump(nf_sock, h->family);
+ if (rs == NULL)
+ netlink_io_error(ctx, loc, "Could not receive ruleset: %s",
+ strerror(errno));
+
+ return rs;
+}
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <libnftnl/common.h>
#include <rule.h>
#include <statement.h>
%token FLUSH "flush"
%token RENAME "rename"
%token DESCRIBE "describe"
+%token EXPORT "export"
%token ACCEPT "accept"
%token DROP "drop"
%token POSITION "position"
+%token XML "xml"
+%token JSON "json"
+
%type <string> identifier string
%destructor { xfree($$); } identifier string
%type <cmd> line
%destructor { cmd_free($$); } line
-%type <cmd> base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd
-%destructor { cmd_free($$); } base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd
+%type <cmd> base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd
+%destructor { cmd_free($$); } base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd
%type <handle> table_spec tables_spec chain_spec chain_identifier ruleid_spec
%destructor { handle_free(&$$); } table_spec tables_spec chain_spec chain_identifier ruleid_spec
%destructor { expr_free($$); } ct_expr
%type <val> ct_key
+%type <val> export_format
+
%%
input : /* empty */
| LIST list_cmd { $$ = $2; }
| FLUSH flush_cmd { $$ = $2; }
| RENAME rename_cmd { $$ = $2; }
+ | EXPORT export_cmd { $$ = $2; }
| DESCRIBE primary_expr
{
expr_describe($2);
}
;
+export_cmd : export_format
+ {
+ struct handle h = { .family = NFPROTO_UNSPEC };
+ $$ = cmd_alloc(CMD_EXPORT, CMD_OBJ_RULESET, &h, &@$, NULL);
+ $$->format = $1;
+ }
+ ;
+
table_block_alloc : /* empty */
{
$$ = table_alloc();
| CHECKSUM { $$ = MHHDR_CHECKSUM; }
;
+export_format : XML { $$ = NFT_OUTPUT_XML; }
+ | JSON { $$ = NFT_OUTPUT_JSON; }
+ ;
%%
#include <statement.h>
#include <rule.h>
#include <utils.h>
+#include <netlink.h>
+#include <libnftnl/common.h>
+#include <libnftnl/ruleset.h>
#include <netinet/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_arp.h>
return 0;
}
+static int do_command_export(struct netlink_ctx *ctx, struct cmd *cmd)
+{
+ struct nft_ruleset *rs = netlink_dump_ruleset(ctx, &cmd->handle,
+ &cmd->location);
+
+ if (rs == NULL)
+ return -1;
+
+ nft_ruleset_fprintf(stdout, rs, cmd->format, 0);
+ fprintf(stdout, "\n");
+
+ nft_ruleset_free(rs);
+ return 0;
+}
+
static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
{
struct table *table = NULL;
return do_command_flush(ctx, cmd);
case CMD_RENAME:
return do_command_rename(ctx, cmd);
+ case CMD_EXPORT:
+ return do_command_export(ctx, cmd);
default:
BUG("invalid command object type %u\n", cmd->obj);
}
"list" { return LIST; }
"flush" { return FLUSH; }
"rename" { return RENAME; }
+"export" { return EXPORT; }
"position" { return POSITION; }
"proto-src" { return PROTO_SRC; }
"proto-dst" { return PROTO_DST; }
+"xml" { return XML; }
+"json" { return JSON; }
+
{addrstring} {
yylval->string = xstrdup(yytext);
return STRING;
projects / thirdparty / nftables.git / commitdiff
