libnftnl  1.2.9
nft-rule-ct-helper-add.c
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3  * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
4  *
5  * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
6  */
7 
8 #include <stdlib.h>
9 #include <time.h>
10 #include <string.h>
11 #include <stddef.h> /* for offsetof */
12 #include <netinet/in.h>
13 #include <netinet/ip.h>
14 #include <netinet/tcp.h>
15 #include <arpa/inet.h>
16 #include <sys/types.h>
17 #include <sys/socket.h>
18 #include <errno.h>
19 
20 #include <linux/netfilter.h>
21 #include <linux/netfilter/nfnetlink.h>
22 #include <linux/netfilter/nf_tables.h>
23 
24 #include <libmnl/libmnl.h>
25 #include <libnftnl/rule.h>
26 #include <libnftnl/expr.h>
27 
28 static void add_ct_helper(struct nftnl_rule *r, const char *obj_name)
29 {
30  struct nftnl_expr *e;
31 
32  e = nftnl_expr_alloc("objref");
33  if (e == NULL) {
34  perror("expr objref oom");
35  exit(EXIT_FAILURE);
36  }
37  nftnl_expr_set_str(e, NFTNL_EXPR_OBJREF_IMM_NAME, obj_name);
38  nftnl_expr_set_u32(e, NFTNL_EXPR_OBJREF_IMM_TYPE, 3);
39 
40  nftnl_rule_add_expr(r, e);
41 }
42 
43 static struct nftnl_rule *setup_rule(uint8_t family, const char *table,
44  const char *chain, const char *handle, const char *obj_name)
45 {
46  struct nftnl_rule *r = NULL;
47  uint64_t handle_num;
48 
49  r = nftnl_rule_alloc();
50  if (r == NULL) {
51  perror("OOM");
52  exit(EXIT_FAILURE);
53  }
54 
55  nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table);
56  nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain);
57  nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family);
58 
59  if (handle != NULL) {
60  handle_num = atoll(handle);
61  nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num);
62  }
63 
64  add_ct_helper(r, obj_name);
65 
66  return r;
67 }
68 
69 int main(int argc, char *argv[])
70 {
71  struct mnl_socket *nl;
72  struct nftnl_rule *r;
73  struct nlmsghdr *nlh;
74  struct mnl_nlmsg_batch *batch;
75  uint8_t family;
76  char buf[MNL_SOCKET_BUFFER_SIZE];
77  uint32_t seq = time(NULL);
78  int ret;
79 
80  if (argc < 5 || argc > 6) {
81  fprintf(stderr, "Usage: %s <family> <table> <chain> <name>\n", argv[0]);
82  exit(EXIT_FAILURE);
83  }
84  if (strcmp(argv[1], "ip") == 0)
85  family = NFPROTO_IPV4;
86  else if (strcmp(argv[1], "ip6") == 0)
87  family = NFPROTO_IPV6;
88  else if (strcmp(argv[1], "inet") == 0)
89  family = NFPROTO_INET;
90  else {
91  fprintf(stderr, "Unknown family: ip, ip6, inet\n");
92  exit(EXIT_FAILURE);
93  }
94 
95  if (argc != 6)
96  r = setup_rule(family, argv[2], argv[3], NULL, argv[4]);
97  else
98  r = setup_rule(family, argv[2], argv[3], argv[4], argv[5]);
99 
100  nl = mnl_socket_open(NETLINK_NETFILTER);
101  if (nl == NULL) {
102  perror("mnl_socket_open");
103  exit(EXIT_FAILURE);
104  }
105 
106  if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
107  perror("mnl_socket_bind");
108  exit(EXIT_FAILURE);
109  }
110 
111  batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
112 
113  nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
114  mnl_nlmsg_batch_next(batch);
115 
116  nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
117  NFT_MSG_NEWRULE,
118  nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
119  NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK,
120  seq++);
121  nftnl_rule_nlmsg_build_payload(nlh, r);
122  nftnl_rule_free(r);
123  mnl_nlmsg_batch_next(batch);
124 
125  nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
126  mnl_nlmsg_batch_next(batch);
127 
128  ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
129  mnl_nlmsg_batch_size(batch));
130  if (ret == -1) {
131  perror("mnl_socket_sendto");
132  exit(EXIT_FAILURE);
133  }
134 
135  mnl_nlmsg_batch_stop(batch);
136 
137  ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
138  if (ret == -1) {
139  perror("mnl_socket_recvfrom");
140  exit(EXIT_FAILURE);
141  }
142 
143  ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL);
144  if (ret < 0) {
145  perror("mnl_cb_run");
146  exit(EXIT_FAILURE);
147  }
148 
149  mnl_socket_close(nl);
150 
151  return EXIT_SUCCESS;
152 }