linux/include/net/netfilter
Pablo Neira Ayuso 6001a930ce netfilter: nftables: introduce table ownership
A userspace daemon like firewalld might need to monitor for netlink
updates to detect its ruleset removal by the (global) flush ruleset
command to ensure ruleset persistency. This adds extra complexity from
userspace and, for some little time, the firewall policy is not in
place.

This patch adds the NFT_TABLE_F_OWNER flag which allows a userspace
program to own the table that it creates in exclusivity.

Tables that are owned...

- can only be updated and removed by the owner, non-owners hit EPERM if
  they try to update it or remove it.
- are destroyed when the owner closes the netlink socket or the process
  is gone (implicit netlink socket closure).
- are skipped by the global flush ruleset command.
- are listed in the global ruleset.

The userspace process that sets the NFT_TABLE_F_OWNER flag needs to
leave the netlink socket open.

A new NFTA_TABLE_OWNER netlink attribute specifies the netlink port ID
to identify the owner from userspace.

This patch also updates error reporting when an unknown table flag is
specified to change it from EINVAL to EOPNOTSUPP, given that EINVAL is
usually reserved for reporting malformed netlink messages to userspace.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-02-15 18:17:15 +01:00
ipv4 netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
ipv6 netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
br_netfilter.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack.h A set of locking fixes and updates: 2020-08-10 19:07:44 -07:00
nf_conntrack_acct.h netfilter: conntrack: add nf_ct_acct_add() 2020-03-30 02:05:39 +02:00
nf_conntrack_bridge.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack_core.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack_count.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_conntrack_ecache.h netfilter: conntrack: use consistent style when defining inline functions 2019-09-13 12:46:25 +02:00
nf_conntrack_expect.h netfilter: fix coding-style errors. 2019-09-13 11:39:38 +02:00
nf_conntrack_extend.h netfilter: Replace zero-length array with flexible-array member 2020-03-15 15:20:16 +01:00
nf_conntrack_helper.h treewide: Use sizeof_field() macro 2019-12-09 10:36:44 -08:00
nf_conntrack_l4proto.h netfilter: ctnetlink: add timeout and protoinfo to destroy events 2020-12-12 11:44:42 +01:00
nf_conntrack_labels.h netfilter: fix include guards. 2019-09-13 11:39:38 +02:00
nf_conntrack_seqadj.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_synproxy.h netfilter: conntrack: wrap two inline functions in config checks. 2019-09-13 12:47:10 +02:00
nf_conntrack_timeout.h netfilter: Replace zero-length array with flexible-array member 2020-03-15 15:20:16 +01:00
nf_conntrack_timestamp.h netfilter: conntrack: remove two unused functions from nf_conntrack_timestamp.h. 2019-09-13 12:48:09 +02:00
nf_conntrack_tuple.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack_zones.h netfilter: conntrack: remove CONFIG_NF_CONNTRACK checks from nf_conntrack_zones.h. 2019-09-13 12:47:41 +02:00
nf_dup_netdev.h netfilter: nft_{fwd,dup}_netdev: add offload support 2019-09-10 22:44:29 +02:00
nf_flow_table.h netfilter: flowtable: add hash offset field to tuple 2021-01-26 01:10:07 +01:00
nf_log.h netfilter: nf_log: missing vlan offload tag and proto 2020-10-14 01:25:14 +02:00
nf_nat.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_nat_helper.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_nat_masquerade.h netfilter: update include directives. 2019-09-13 12:33:06 +02:00
nf_nat_redirect.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_queue.h netfilter: nf_queue: place bridge physports into queue_entry struct 2020-03-29 16:28:29 +02:00
nf_reject.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_socket.h netfilter: Decrease code duplication regarding transparent socket option 2018-06-03 00:02:01 +02:00
nf_synproxy.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_tables.h netfilter: nftables: introduce table ownership 2021-02-15 18:17:15 +01:00
nf_tables_core.h netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nf_tables_ipv4.h netfilter: nf_tables: add inet ingress support 2020-10-12 01:57:34 +02:00
nf_tables_ipv6.h netfilter: nf_tables: add inet ingress support 2020-10-12 01:57:34 +02:00
nf_tables_offload.h netfilter: nftables_offload: build mask based from the matching bytes 2020-11-27 12:10:47 +01:00
nf_tproxy.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-07-20 22:28:28 -07:00
nft_fib.h netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_meta.h netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_reject.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
xt_rateest.h netfilter: make xt_rateest hash table per net 2018-03-05 23:15:44 +01:00