libnftnl 1.2.6
nft-ct-timeout-add.c
1/*
2 * (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 */
9
10#include <stdlib.h>
11#include <time.h>
12#include <string.h>
13#include <netinet/in.h>
14
15#include <linux/netfilter.h>
16#include <linux/netfilter/nf_tables.h>
17
18#include <obj.h>
19#include <libmnl/libmnl.h>
20#include <libnftnl/object.h>
21
22static struct nftnl_obj *obj_add_parse(int argc, char *argv[])
23{
24 size_t timeout_array_size;
25 struct nftnl_obj *t;
26 uint32_t *timeout;
27 uint16_t family;
28 uint8_t l4proto;
29
30 if (strcmp(argv[1], "ip") == 0)
31 family = NFPROTO_IPV4;
32 else if (strcmp(argv[1], "ip6") == 0)
33 family = NFPROTO_IPV6;
34 else if (strcmp(argv[1], "inet") == 0)
35 family = NFPROTO_INET;
36 else if (strcmp(argv[1], "bridge") == 0)
37 family = NFPROTO_BRIDGE;
38 else if (strcmp(argv[1], "arp") == 0)
39 family = NFPROTO_ARP;
40 else {
41 fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n");
42 return NULL;
43 }
44
45 if (strcmp(argv[4], "udp") == 0)
46 l4proto = IPPROTO_UDP;
47 else if (strcmp(argv[4], "tcp") == 0)
48 l4proto = IPPROTO_TCP;
49 else {
50 fprintf(stderr, "Unknown layer 4 protocol\n");
51 return NULL;
52 }
53
54 t = nftnl_obj_alloc();
55 if (t == NULL) {
56 perror("OOM");
57 return NULL;
58 }
59
60 timeout_array_size = sizeof(uint32_t) * (NFTNL_CTTIMEOUT_TCP_MAX);
61 timeout = calloc(1, timeout_array_size);
62 if (timeout == NULL) {
63 perror("OOM");
64 return NULL;
65 }
66
67 timeout[NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = 111;
68 timeout[NFTNL_CTTIMEOUT_TCP_CLOSE] = 16;
69 timeout[NFTNL_CTTIMEOUT_TCP_CLOSE_WAIT] = 14;
70 nftnl_obj_set_u32(t, NFTNL_OBJ_FAMILY, family);
71 nftnl_obj_set_u32(t, NFTNL_OBJ_TYPE, NFT_OBJECT_CT_TIMEOUT);
72 nftnl_obj_set_str(t, NFTNL_OBJ_TABLE, argv[2]);
73 nftnl_obj_set_str(t, NFTNL_OBJ_NAME, argv[3]);
74 nftnl_obj_set_u8(t, NFTNL_OBJ_CT_TIMEOUT_L4PROTO, l4proto);
75 nftnl_obj_set_u16(t, NFTNL_OBJ_CT_TIMEOUT_L3PROTO, NFPROTO_IPV4);
76 nftnl_obj_set_data(t, NFTNL_OBJ_CT_TIMEOUT_ARRAY,
77 timeout, timeout_array_size);
78 return t;
79
80}
81
82int main(int argc, char *argv[])
83{
84 struct mnl_socket *nl;
85 char buf[MNL_SOCKET_BUFFER_SIZE];
86 struct nlmsghdr *nlh;
87 uint32_t portid, seq, obj_seq, family;
88 struct nftnl_obj *t;
89 struct mnl_nlmsg_batch *batch;
90 int ret;
91
92 if (argc != 5) {
93 fprintf(stderr, "%s <family> <table> <name> <protocol> \n", argv[0]);
94 exit(EXIT_FAILURE);
95 }
96
97 t = obj_add_parse(argc, argv);
98 if (t == NULL) {
99 exit(EXIT_FAILURE);
100 }
101
102 seq = time(NULL);
103 batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
104
105 nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
106 mnl_nlmsg_batch_next(batch);
107
108 obj_seq = seq;
109 family = nftnl_obj_get_u32(t, NFTNL_OBJ_FAMILY);
110 nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
111 NFT_MSG_NEWOBJ, family, NLM_F_ACK | NLM_F_CREATE, seq++);
112 nftnl_obj_nlmsg_build_payload(nlh, t);
113 nftnl_obj_free(t);
114 mnl_nlmsg_batch_next(batch);
115
116 nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
117 mnl_nlmsg_batch_next(batch);
118
119 nl = mnl_socket_open(NETLINK_NETFILTER);
120 if (nl == NULL) {
121 perror("mnl_socket_open");
122 exit(EXIT_FAILURE);
123 }
124
125 if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
126 perror("mnl_socket_bind");
127 exit(EXIT_FAILURE);
128 }
129 portid = mnl_socket_get_portid(nl);
130
131 if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
132 mnl_nlmsg_batch_size(batch)) < 0) {
133 perror("mnl_socket_send");
134 exit(EXIT_FAILURE);
135 }
136
137 mnl_nlmsg_batch_stop(batch);
138
139 ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
140 while (ret > 0) {
141 ret = mnl_cb_run(buf, ret, obj_seq, portid, NULL, NULL);
142 if (ret <= 0)
143 break;
144 ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
145 }
146 if (ret == -1) {
147 perror("error");
148 exit(EXIT_FAILURE);
149 }
150 mnl_socket_close(nl);
151
152 return EXIT_SUCCESS;
153}