Re: libnftables way of deleting a rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Arne Zachlod <arne@xxxxxxxxxxxxxx> wrote:
> I'm porting a program (written in C) that currently uses iptables to
> nftables, trying to not change a lot of the internal concept of said
> program.
> The program currently uses execute() calls and calls iptables directly via
> these. I wanted to at least use libnftables, and everything seems to works
> quite well, I just have a problem with deleting rules.
> I read through the code of libnftables, but I couldn't find a way to get the
> handle of a rule I added. In iptables, this is no problem, you just give the
> rule again to delete it. In libnftables though I need the handle. Currently,
> I'm looking into libnftables-json, but I would prefer not to use it just to
> get the handles. Is there a better way of deleting a rule than parsing the
> JSON for them? Maybe even with libnftables directly?

Depends, if you can remember which rule has which handle assigned then
this would work, modified add example:

+++ a/examples/nft-buffer.c
+++ b/examples/nft-buffer.c
@@ -11,6 +11,8 @@ const char ruleset[] =
 int main(void)
 {
        struct nft_ctx *ctx;
+       char buf[8192];
+       FILE *fp;
        int err;
 
        ctx = nft_ctx_new(0);
@@ -19,16 +21,20 @@ int main(void)
                return EXIT_FAILURE;
        }
 
+       nft_ctx_output_set_flags(ctx, NFT_CTX_OUTPUT_ECHO | NFT_CTX_OUTPUT_HANDLE);
+
+       buf[0] = 0;
+       fp = fmemopen(buf, sizeof(buf), "w+");
+       nft_ctx_set_output(ctx, fp);
+
        /* create ruleset: all commands in the buffer are atomically applied */
        err = nft_run_cmd_from_buffer(ctx, ruleset);
        if (err < 0)
                fprintf(stderr, "failed to run nftables command\n");
 
-       err = nft_run_cmd_from_buffer(ctx, "list ruleset");
-       if (err < 0)
-               fprintf(stderr, "failed to run nftables command\n");
-
        nft_ctx_free(ctx);
+       fclose(fp);
+       fprintf(stderr, "res is %s\n", buf);
 
        return EXIT_SUCCESS;
 }

NFT_CTX_OUTPUT_ECHO makes kernel dump the just-added-rule(s) back and
NFT_CTX_OUTPUT_HANDLE tells nft to postfix each line with '# handle %u'.






[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux