libnftnl 1.2.9
nft-rule-ct-timeout-add.c
1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/*
3 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
4 *
5 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
6 */
7
8#include <stdlib.h>
9#include <time.h>
10#include <string.h>
11#include <stddef.h> /* for offsetof */
12#include <netinet/in.h>
13#include <netinet/ip.h>
14#include <netinet/tcp.h>
15#include <arpa/inet.h>
16#include <sys/types.h>
17#include <sys/socket.h>
18#include <errno.h>
19
20#include <linux/netfilter.h>
21#include <linux/netfilter/nfnetlink.h>
22#include <linux/netfilter/nf_tables.h>
23
24#include <libmnl/libmnl.h>
25#include <libnftnl/rule.h>
26#include <libnftnl/expr.h>
27
28static void add_ct_timeout(struct nftnl_rule *r, const char *obj_name)
29{
30 struct nftnl_expr *e;
31
32 e = nftnl_expr_alloc("objref");
33 if (e == NULL) {
34 perror("expr objref oom");
35 exit(EXIT_FAILURE);
36 }
37 nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, obj_name);
38 nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, NFT_OBJECT_CT_TIMEOUT);
39
40 nftnl_rule_add_expr(r, e);
41}
42
43static struct nftnl_rule *setup_rule(uint8_t family, const char *table,
44 const char *chain, const char *handle, const char *obj_name)
45{
46 struct nftnl_rule *r = NULL;
47 uint64_t handle_num;
48
49 r = nftnl_rule_alloc();
50 if (r == NULL) {
51 perror("OOM");
52 exit(EXIT_FAILURE);
53 }
54
55 nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table);
56 nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain);
57 nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family);
58
59 if (handle != NULL) {
60 handle_num = atoll(handle);
61 nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num);
62 }
63
64 add_ct_timeout(r, obj_name);
65
66 return r;
67}
68
69int main(int argc, char *argv[])
70{
71 struct mnl_socket *nl;
72 struct nftnl_rule *r;
73 struct nlmsghdr *nlh;
74 struct mnl_nlmsg_batch *batch;
75 uint8_t family;
76 char buf[MNL_SOCKET_BUFFER_SIZE];
77 uint32_t seq = time(NULL);
78 int ret;
79
80 if (argc < 5 || argc > 6) {
81 fprintf(stderr, "Usage: %s <family> <table> <chain> <name>\n", argv[0]);
82 exit(EXIT_FAILURE);
83 }
84 if (strcmp(argv[1], "ip") == 0)
85 family = NFPROTO_IPV4;
86 else if (strcmp(argv[1], "ip6") == 0)
87 family = NFPROTO_IPV6;
88 else if (strcmp(argv[1], "inet") == 0)
89 family = NFPROTO_INET;
90 else {
91 fprintf(stderr, "Unknown family: ip, ip6, inet\n");
92 exit(EXIT_FAILURE);
93 }
94
95 if (argc != 6)
96 r = setup_rule(family, argv[2], argv[3], NULL, argv[4]);
97 else
98 r = setup_rule(family, argv[2], argv[3], argv[4], argv[5]);
99
100 nl = mnl_socket_open(NETLINK_NETFILTER);
101 if (nl == NULL) {
102 perror("mnl_socket_open");
103 exit(EXIT_FAILURE);
104 }
105
106 if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
107 perror("mnl_socket_bind");
108 exit(EXIT_FAILURE);
109 }
110
111 batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
112
113 nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
114 mnl_nlmsg_batch_next(batch);
115
116 nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
117 NFT_MSG_NEWRULE,
118 nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
119 NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK,
120 seq++);
121 nftnl_rule_nlmsg_build_payload(nlh, r);
122 nftnl_rule_free(r);
123 mnl_nlmsg_batch_next(batch);
124
125 nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
126 mnl_nlmsg_batch_next(batch);
127
128 ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
129 mnl_nlmsg_batch_size(batch));
130 if (ret == -1) {
131 perror("mnl_socket_sendto");
132 exit(EXIT_FAILURE);
133 }
134
135 mnl_nlmsg_batch_stop(batch);
136
137 ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
138 if (ret == -1) {
139 perror("mnl_socket_recvfrom");
140 exit(EXIT_FAILURE);
141 }
142
143 ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL);
144 if (ret < 0) {
145 perror("mnl_cb_run");
146 exit(EXIT_FAILURE);
147 }
148
149 mnl_socket_close(nl);
150
151 return EXIT_SUCCESS;
152}