Arne Zachlod <arne@xxxxxxxxxxxxxx> wrote:
> I'm porting a program (written in C) that currently uses iptables to
> nftables, trying to not change a lot of the internal concept of said
> program.
> The program currently uses execute() calls and calls iptables directly via
> these. I wanted to at least use libnftables, and everything seems to works
> quite well, I just have a problem with deleting rules.
> I read through the code of libnftables, but I couldn't find a way to get the
> handle of a rule I added. In iptables, this is no problem, you just give the
> rule again to delete it. In libnftables though I need the handle. Currently,
> I'm looking into libnftables-json, but I would prefer not to use it just to
> get the handles. Is there a better way of deleting a rule than parsing the
> JSON for them? Maybe even with libnftables directly?
Depends, if you can remember which rule has which handle assigned then
this would work, modified add example:
+++ a/examples/nft-buffer.c
+++ b/examples/nft-buffer.c
@@ -11,6 +11,8 @@ const char ruleset[] =
int main(void)
{
struct nft_ctx *ctx;
+ char buf[8192];
+ FILE *fp;
int err;
ctx = nft_ctx_new(0);
@@ -19,16 +21,20 @@ int main(void)
return EXIT_FAILURE;
}
+ nft_ctx_output_set_flags(ctx, NFT_CTX_OUTPUT_ECHO | NFT_CTX_OUTPUT_HANDLE);
+
+ buf[0] = 0;
+ fp = fmemopen(buf, sizeof(buf), "w+");
+ nft_ctx_set_output(ctx, fp);
+
/* create ruleset: all commands in the buffer are atomically applied */
err = nft_run_cmd_from_buffer(ctx, ruleset);
if (err < 0)
fprintf(stderr, "failed to run nftables command\n");
- err = nft_run_cmd_from_buffer(ctx, "list ruleset");
- if (err < 0)
- fprintf(stderr, "failed to run nftables command\n");
-
nft_ctx_free(ctx);
+ fclose(fp);
+ fprintf(stderr, "res is %s\n", buf);
return EXIT_SUCCESS;
}
NFT_CTX_OUTPUT_ECHO makes kernel dump the just-added-rule(s) back and
NFT_CTX_OUTPUT_HANDLE tells nft to postfix each line with '# handle %u'.
