examples: table: add example of dormant tables

Now we add a non-dormant table which is not active. We can add
chains and rules to it that would not have any effect. Once we
change the flag to wake it up, the rule-set becomes active.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/examples/Makefile.am b/examples/Makefile.am
index 9b9e345196bf06ae01aa78956608b1ba289f155e..aee95df43bbe79a98c5a4a8ad15e6929c4ff63fe 100644 (file)
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -1,6 +1,7 @@
 include $(top_srcdir)/Make_global.am
 
 check_PROGRAMS = nft-table-add         \
+                nft-table-upd          \
                 nft-table-del          \
                 nft-table-get          \
                 nft-chain-add          \
@@ -15,6 +16,9 @@ check_PROGRAMS = nft-table-add                \
 nft_table_add_SOURCES = nft-table-add.c
 nft_table_add_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 
+nft_table_upd_SOURCES = nft-table-upd.c
+nft_table_upd_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
+
 nft_table_del_SOURCES = nft-table-del.c
 nft_table_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS}
 

diff --git a/examples/nft-table-upd.c b/examples/nft-table-upd.c
new file mode 100644 (file)
index 0000000..6b938bf
--- /dev/null
+++ b/examples/nft-table-upd.c
@@ -0,0 +1,102 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
+ */
+
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include <libmnl/libmnl.h>
+#include <libnftables/table.h>
+
+int main(int argc, char *argv[])
+{
+       struct mnl_socket *nl;
+       char buf[MNL_SOCKET_BUFFER_SIZE];
+       struct nlmsghdr *nlh;
+       uint32_t portid, seq, family, flags;
+       struct nft_table *t = NULL;
+       int ret;
+
+       if (argc != 4) {
+               fprintf(stderr, "%s <family> <name> <state>\n", argv[0]);
+               exit(EXIT_FAILURE);
+       }
+
+       t = nft_table_alloc();
+       if (t == NULL) {
+               perror("OOM");
+               exit(EXIT_FAILURE);
+       }
+
+       seq = time(NULL);
+       if (strcmp(argv[1], "ip") == 0)
+               family = AF_INET;
+       else if (strcmp(argv[1], "ip6") == 0)
+               family = AF_INET6;
+       else if (strcmp(argv[1], "bridge") == 0)
+               family = AF_BRIDGE;
+       else {
+               fprintf(stderr, "Unknown family: ip, ip6, bridge\n");
+               exit(EXIT_FAILURE);
+       }
+
+       if (strcmp(argv[3], "active") == 0)
+               flags = 0;
+       else if (strcmp(argv[3], "dormant") == 0)
+               flags = NFT_TABLE_F_DORMANT;
+       else {
+               fprintf(stderr, "Unknown state: active, dormant\n");
+               exit(EXIT_FAILURE);
+       }
+
+       nft_table_attr_set(t, NFT_TABLE_ATTR_NAME, argv[2]);
+       nft_table_attr_set_u32(t, NFT_TABLE_ATTR_FLAGS, flags);
+
+       nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, family,
+                                       NLM_F_ACK, seq);
+       nft_table_nlmsg_build_payload(nlh, t);
+       nft_table_free(t);
+
+       nl = mnl_socket_open(NETLINK_NETFILTER);
+       if (nl == NULL) {
+               perror("mnl_socket_open");
+               exit(EXIT_FAILURE);
+       }
+
+       if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+               perror("mnl_socket_bind");
+               exit(EXIT_FAILURE);
+       }
+       portid = mnl_socket_get_portid(nl);
+
+       if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+               perror("mnl_socket_send");
+               exit(EXIT_FAILURE);
+       }
+
+       ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+       while (ret > 0) {
+               ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+               if (ret <= 0)
+                       break;
+               ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+       }
+       if (ret == -1) {
+               perror("error");
+               exit(EXIT_FAILURE);
+       }
+       mnl_socket_close(nl);
+
+       return EXIT_SUCCESS;
+}

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8cd19c8e09ab90934f89b6a944b8884ddda727e2..28aa0ee720299f49edf0e91db0b11ad75d6333c7 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -55,6 +55,15 @@ enum nft_hook_attributes {
 };
 #define NFTA_HOOK_MAX          (__NFTA_HOOK_MAX - 1)
 
+/**
+ * enum nft_table_flags - nf_tables table flags
+ *
+ * @NFT_TABLE_F_DORMANT: this table is not active
+ */
+enum nft_table_flags {
+       NFT_TABLE_F_DORMANT     = 0x1,
+};
+
 enum nft_table_attributes {
        NFTA_TABLE_UNSPEC,
        NFTA_TABLE_NAME,