libnftnl 1.2.6
nft-rule-del.c
1/*
2 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
10 */
11
12#include <stdlib.h>
13#include <time.h>
14#include <string.h>
15#include <stddef.h> /* for offsetof */
16#include <netinet/in.h>
17
18#include <linux/netfilter.h>
19#include <linux/netfilter/nf_tables.h>
20#include <linux/netfilter/nfnetlink.h>
21
22#include <libmnl/libmnl.h>
23#include <libnftnl/rule.h>
24
25int main(int argc, char *argv[])
26{
27 struct mnl_socket *nl;
28 char buf[MNL_SOCKET_BUFFER_SIZE];
29 struct nlmsghdr *nlh;
30 struct mnl_nlmsg_batch *batch;
31 uint32_t portid, seq;
32 struct nftnl_rule *r = NULL;
33 int ret, family;
34
35 if (argc < 4 || argc > 5) {
36 fprintf(stderr, "Usage: %s <family> <table> <chain> [<handle>]\n",
37 argv[0]);
38 exit(EXIT_FAILURE);
39 }
40
41 r = nftnl_rule_alloc();
42 if (r == NULL) {
43 perror("OOM");
44 exit(EXIT_FAILURE);
45 }
46
47 if (strcmp(argv[1], "ip") == 0)
48 family = NFPROTO_IPV4;
49 else if (strcmp(argv[1], "ip6") == 0)
50 family = NFPROTO_IPV6;
51 else if (strcmp(argv[1], "inet") == 0)
52 family = NFPROTO_INET;
53 else if (strcmp(argv[1], "bridge") == 0)
54 family = NFPROTO_BRIDGE;
55 else if (strcmp(argv[1], "arp") == 0)
56 family = NFPROTO_ARP;
57 else {
58 fprintf(stderr, "Unknown family: ip, ip6, inet, bridge, arp\n");
59 exit(EXIT_FAILURE);
60 }
61
62 seq = time(NULL);
63 nftnl_rule_set_str(r, NFTNL_RULE_TABLE, argv[2]);
64 nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, argv[3]);
65
66 /* If no handle is specified, delete all rules in the chain */
67 if (argc == 5)
68 nftnl_rule_set_u64(r, NFTNL_RULE_HANDLE, atoi(argv[4]));
69
70 batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
71
72 nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
73 mnl_nlmsg_batch_next(batch);
74
75 nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
76 NFT_MSG_DELRULE, family, NLM_F_ACK, seq++);
77 nftnl_rule_nlmsg_build_payload(nlh, r);
78 nftnl_rule_free(r);
79 mnl_nlmsg_batch_next(batch);
80
81 nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
82 mnl_nlmsg_batch_next(batch);
83
84 nl = mnl_socket_open(NETLINK_NETFILTER);
85 if (nl == NULL) {
86 perror("mnl_socket_open");
87 exit(EXIT_FAILURE);
88 }
89
90 if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
91 perror("mnl_socket_bind");
92 exit(EXIT_FAILURE);
93 }
94 portid = mnl_socket_get_portid(nl);
95
96 if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
97 mnl_nlmsg_batch_size(batch)) < 0) {
98 perror("mnl_socket_send");
99 exit(EXIT_FAILURE);
100 }
101
102 mnl_nlmsg_batch_stop(batch);
103
104 ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
105 while (ret > 0) {
106 ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL);
107 if (ret <= 0)
108 break;
109 ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
110 }
111 if (ret == -1) {
112 perror("error");
113 exit(EXIT_FAILURE);
114 }
115 mnl_socket_close(nl);
116
117 return EXIT_SUCCESS;
118}