libbpfilter

Defines

bf_list

Functions

const char *bf_version(void)

Return the version of the library.

Returns:

Version of the library, as a string.

int bf_cli_ruleset_flush(void)

Request the daemon to remove all the chains and rules.

Returns:

0 on success, or a negative errno value on error.

int bf_cli_ruleset_get(void *chains, void *hookopts, void *counters)

Request the daemon to return all the chains and all of the associated rules.

Parameters:
  • chains – List of bf_chain type to be filled.

  • hookopts – List of hook options objects.

  • counters – List of bf_counter type to be filled.

Returns:

0 on success, or a negative errno value on error.

int bf_cli_ruleset_set(void *chains, void *hookopts)

Load a complete ruleset.

The daemon will flush the whole ruleset for BF_FRONT_CLI and install the chains defined in the provided lists instead.

hookopts should contain as many elements as chains, so they can be mapped 1 to 1. If a chain shouldn’t be attached, then the corresponding entry in hookopts should be NULL.

Parameters:
  • chains – List of chains to define. Can’t be NULL.

  • hookopts – List of hook options used to attach the chains in chains. Can’t be NULL.

Returns:

0 on success, or a negative errno value on error.

int bf_chain_set(struct bf_chain *chain, struct bf_hookopts *hookopts)

Set a chain.

If a chain with the same name already exists, it is detached and unloaded. The new chain is loaded, and attached if hook options are defined.

The serialized data is formatted as:

  • Main marsh

    • Chain marsh: contains bf_chain fields.

    • Hook marsh: contains bf_hookopts fields, or empty if the chain is not attached.

Parameters:
  • chain – Chain to set. Can’t be NULL.

  • hookopts – Hook options to attach the chain. If NULL, the chain is not attached.

Returns:

0 on success, or a negative errno value on failure.

int bf_chain_get(const char *name, struct bf_chain **chain, struct bf_hookopts **hookopts, void *counters)

Get a chain.

If a chain with the same name already exists, -EEXIST is returned.

The serialized data is formatted as:

  • Main marsh

    • Marsh for the chain’s name (including \0).

Expects the following data:

  • Main marsh

    • Chain marsh: contains bf_chain fields.

    • Hook options marsh: contains bf_hookopts fields, or empty if the chain is not attached.

    • List marsh: contains marshes for the counters

      • Counter marsh: contains bf_counter fields.

Parameters:
  • name – Name of the chain to look for. Can’t be NULL.

  • chain – On success, contains a pointer to the chain. The caller is responsible for freeing it. Can’t be NULL.

  • hookopts – On success, contains a pointer to the chain’s hook options if the chain is attached, NULL otherwise. The caller is responsible for freeing it. Can’t be NULL.

  • counters – On success, the list contains the counters for every rule of the chain, plus the policy and error counters. The caller is responsible for freeing it. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

  • -ENOENT: no chain found for this name.

int bf_chain_load(struct bf_chain *chain)

Load a chain.

If a chain with the same name already exists, -EEXIST is returned.

The serialized data is formatted as:

  • Main marsh

    • Chain marsh: contains bf_chain fields.

Parameters:
  • chain – Chain to load. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure.

int bf_chain_attach(const char *name, const struct bf_hookopts *hookopts)

Attach a chain.

If the chain doesn’t exist, -ENOENT is returned.

The serialized data is formatted as:

  • Main marsh

    • Marsh for the chain’s name (including \0).

    • Hook options marsh: contains bf_hookopts fields.

Parameters:
  • name – Name of the chain to attach. Can’t be NULL.

  • hookopts – Hook options to attach the chain. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

  • -ENOENT: no chain found for this name.

  • -EBUSY: chain is already attached.

int bf_chain_update(const struct bf_chain *chain)

Update an attached chain.

The chain to update must exist and be attached to a hook.

The serialized data is formatted as:

  • Main marsh

    • Chain marsh: contains bf_chain fields.

Parameters:
  • chain – Chain to update. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

  • -ENOENT: no chain found for this name.

  • -ENOLINK: the chain to update is not attached.

int bf_chain_flush(const char *name)

Flush a chain (detach and unload).

The serialized data is formatted as:

  • Main marsh

    • Marsh for the chain’s name (including \0).

Parameters:
  • name – Name of the chain to flush. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

  • -ENOENT: no chain found for this name.
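The chain functions above form a lifecycle (load, attach, update, flush; bf_chain_set combines the first two) whose error codes encode the allowed orderings. The following is an added example, not libbpfilter’s own code: an in-memory model of that contract, written so the documented errno values can be exercised without a running daemon. The daemon-side state is modelled by chain name and an "attached" flag only, because the real struct bf_chain and struct bf_hookopts layouts are not shown on this page; the `model_*` function names and the `has_hookopts` boolean standing in for a non-NULL hook options pointer are assumptions of the example.

```c
/* Added illustration of the bf_chain_* lifecycle contract; constructed model,
 * not libbpfilter's implementation. Chains are tracked by name only. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_CHAINS 8
#define MODEL_NAME_LEN 32

struct model_chain {
    char name[MODEL_NAME_LEN];
    bool attached;   /* true once hook options have been applied */
    int generation;  /* incremented by every successful update */
};

static struct model_chain chains[MODEL_MAX_CHAINS];
static int nchains;

static struct model_chain *model_find(const char *name)
{
    for (int i = 0; i < nchains; ++i)
        if (strcmp(chains[i].name, name) == 0)
            return &chains[i];
    return NULL;
}

/* Counterpart of bf_chain_load(): -EEXIST if the name is already loaded. */
int model_chain_load(const char *name)
{
    if (!name) return -EINVAL;
    if (model_find(name)) return -EEXIST;
    if (nchains == MODEL_MAX_CHAINS) return -ENOMEM;
    struct model_chain *c = &chains[nchains++];
    memset(c, 0, sizeof(*c));
    strncpy(c->name, name, MODEL_NAME_LEN - 1);
    return 0;
}

/* Counterpart of bf_chain_attach(): -ENOENT if unknown, -EBUSY if already attached. */
int model_chain_attach(const char *name, bool has_hookopts)
{
    if (!name || !has_hookopts) return -EINVAL;
    struct model_chain *c = model_find(name);
    if (!c) return -ENOENT;
    if (c->attached) return -EBUSY;
    c->attached = true;
    return 0;
}

/* Counterpart of bf_chain_update(): only an attached chain can be updated in place. */
int model_chain_update(const char *name)
{
    if (!name) return -EINVAL;
    struct model_chain *c = model_find(name);
    if (!c) return -ENOENT;
    if (!c->attached) return -ENOLINK;
    c->generation++;
    return 0;
}

/* Counterpart of bf_chain_flush(): detach and unload; -ENOENT if unknown. */
int model_chain_flush(const char *name)
{
    if (!name) return -EINVAL;
    struct model_chain *c = model_find(name);
    if (!c) return -ENOENT;
    *c = chains[--nchains];   /* swap-remove; ordering is not significant here */
    return 0;
}

/* Counterpart of bf_chain_set(): replace any same-named chain, load the new one,
 * and attach it only when hook options are supplied. */
int model_chain_set(const char *name, bool has_hookopts)
{
    int r;
    if (!name) return -EINVAL;
    if (model_find(name) && (r = model_chain_flush(name)) < 0) return r;
    if ((r = model_chain_load(name)) < 0) return r;
    if (has_hookopts && (r = model_chain_attach(name, true)) < 0) return r;
    return 0;
}

/* 1 if attached, 0 if loaded but detached, -ENOENT if unknown. */
int model_chain_is_attached(const char *name)
{
    struct model_chain *c = model_find(name);
    return c ? (c->attached ? 1 : 0) : -ENOENT;
}

int main(void)
{
    printf("load: %d\n", model_chain_load("input"));        /* 0 */
    printf("update before attach: %d\n", model_chain_update("input")); /* -ENOLINK */
    printf("attach: %d\n", model_chain_attach("input", true)); /* 0 */
    printf("attach again: %d\n", model_chain_attach("input", true)); /* -EBUSY */
    printf("flush: %d\n", model_chain_flush("input"));      /* 0 */
    return 0;
}
```

The ordering the model enforces is the one a caller of the real API has to respect: a chain must be loaded before it can be attached, attached before it can be updated, and bf_chain_set is the only entry point that silently replaces an existing chain of the same name rather than failing with -EEXIST.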

int bf_ipt_replace(struct ipt_replace *ipt_replace)

Send iptables’ ipt_replace data to the bpfilter daemon.

Parameters:
  • ipt_replace – ipt_replace data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_ipt_add_counters(struct xt_counters_info *counters)

Send iptables’ xt_counters_info data to the bpfilter daemon.

Parameters:
  • counters – xt_counters_info data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_ipt_get_info(struct ipt_getinfo *info)

Send iptables’ ipt_getinfo data to the bpfilter daemon.

Parameters:
  • info – ipt_getinfo data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_ipt_get_entries(struct ipt_get_entries *entries)

Send iptables’ ipt_get_entries data to the bpfilter daemon.

Parameters:
  • entries – ipt_get_entries data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_nft_send(const void *data, size_t len)

Send an nftables Netlink request to the bpfilter daemon without waiting for a response.

Parameters:
  • data – Netlink data to send to the daemon. Can’t be NULL.

  • len – Length of the request. Can’t be 0.

Returns:

0 on success, or negative errno value on error. Returns an error if data is NULL or len is 0.

int bf_nft_sendrecv(const struct nlmsghdr *req, size_t req_len, struct nlmsghdr *res, size_t *res_len)

Send an nftables Netlink request to the bpfilter daemon and write the response back.

res and res_len won’t be modified unless the call is successful.

Parameters:
  • req – Netlink request to send to the daemon. The caller retains ownership of the request. Can’t be NULL.

  • req_len – Length of the request. Can’t be 0.

  • res – Buffer to store the response. Can’t be NULL. Must be allocated by the caller.

  • res_len – Size of the response buffer. If the call is successful, res_len will be updated to the length of the response. If the data received from the daemon is larger than the buffer, the function will return -EMSGSIZE and res_len will be updated to the size of the response.

Returns:

0 on success, or negative errno value on error.
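The res_len contract above has a practical consequence for callers: a reply larger than the buffer is not truncated, the call fails with -EMSGSIZE and res_len tells the caller how much space it needs. The following added example (not libbpfilter’s code) shows a caller-side helper that grows the buffer and retries on exactly that signal, with an upper bound so a misbehaving daemon cannot drive unbounded allocation. The daemon is replaced by a constructed stand-in, fake_sendrecv, so the example runs offline; the sendrecv_fn type, the ctx argument and the MAX_REPLY_LEN limit are assumptions of the example, and the real bf_nft_sendrecv takes struct nlmsghdr pointers where this uses void *.

```c
/* Added illustration of handling bf_nft_sendrecv()'s -EMSGSIZE / res_len
 * contract from the caller side. Constructed code; the daemon is faked. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest reply the caller is willing to allocate for (assumed bound). */
#define MAX_REPLY_LEN 65536

/* Signature mirroring bf_nft_sendrecv(), plus a context pointer for the fake. */
typedef int (*sendrecv_fn)(void *ctx, const void *req, size_t req_len,
                           void *res, size_t *res_len);

/* Constructed stand-in for the daemon: serves one fixed reply. */
struct fake_daemon {
    const unsigned char *reply;
    size_t reply_len;
    int calls;   /* how many round trips the caller needed */
};

static int fake_sendrecv(void *ctx, const void *req, size_t req_len,
                         void *res, size_t *res_len)
{
    struct fake_daemon *d = ctx;
    d->calls++;
    if (!req || req_len == 0 || !res || !res_len)
        return -EINVAL;                 /* res/res_len untouched on such errors */
    if (d->reply_len > *res_len) {
        *res_len = d->reply_len;        /* report the size actually needed */
        return -EMSGSIZE;
    }
    memcpy(res, d->reply, d->reply_len);
    *res_len = d->reply_len;
    return 0;
}

/* Send req and receive the reply into a heap buffer that is grown on -EMSGSIZE.
 * On success *res (caller frees) and *res_len hold the reply; on failure
 * nothing is handed back and no allocation is leaked. */
int sendrecv_grow(sendrecv_fn fn, void *ctx, const void *req, size_t req_len,
                  void **res, size_t *res_len, int max_retries)
{
    size_t cap = 64;   /* deliberately small initial guess */
    void *buf = malloc(cap);
    if (!buf) return -ENOMEM;

    for (int attempt = 0; attempt <= max_retries; ++attempt) {
        size_t len = cap;
        int r = fn(ctx, req, req_len, buf, &len);
        if (r == 0) { *res = buf; *res_len = len; return 0; }
        if (r != -EMSGSIZE) { free(buf); return r; }
        /* The daemon reported the needed size in len; sanity-check it before trusting it. */
        if (len <= cap) { free(buf); return -EPROTO; }
        if (len > MAX_REPLY_LEN) { free(buf); return -E2BIG; }
        void *nbuf = realloc(buf, len);
        if (!nbuf) { free(buf); return -ENOMEM; }
        buf = nbuf;
        cap = len;
    }
    free(buf);
    return -EMSGSIZE;   /* still did not fit after max_retries regrowths */
}

/* Drive the helper against a constructed reply of reply_len bytes (pattern i & 0xff).
 * Returns the helper's result; on success verifies the bytes and reports the length. */
int demo_run(size_t reply_len, size_t *out_len, int *out_calls)
{
    unsigned char *reply = malloc(reply_len ? reply_len : 1);
    if (!reply) return -ENOMEM;
    for (size_t i = 0; i < reply_len; ++i)
        reply[i] = (unsigned char)(i & 0xff);

    struct fake_daemon d = { reply, reply_len, 0 };
    const char req[] = "constructed-request";   /* placeholder request bytes */
    void *res = NULL;
    size_t res_len = 0;
    int r = sendrecv_grow(fake_sendrecv, &d, req, sizeof(req), &res, &res_len, 3);
    *out_calls = d.calls;
    if (r == 0) {
        if (res_len != reply_len || memcmp(res, reply, reply_len) != 0)
            r = -EIO;
        *out_len = res_len;
        free(res);
    }
    free(reply);
    return r;
}

int main(void)
{
    size_t len; int calls;
    int r = demo_run(200, &len, &calls);
    printf("result=%d len=%zu round_trips=%d\n", r, len, calls);   /* 0 200 2 */
    return 0;
}
```

The two checks before the realloc are the point of the example: a reply size that is not larger than the buffer just offered is inconsistent with the documented contract and is treated as a protocol error, and a size above the caller’s own ceiling is refused rather than allocated, so the size reported by the daemon never becomes an allocation the caller did not budget for.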