/*
 * Ask the kernel to delete one rule.
 *
 * The rule is identified by CONNMAN_TABLE, handle->chain and the numeric
 * handle->handle; the request is sent as NFT_MSG_DELRULE with NLM_F_ACK
 * over a socket opened just for this call.
 *
 * Returns -ENOMEM when the rule object cannot be allocated, the negative
 * error from socket_open_and_bind() when the socket cannot be set up, and
 * otherwise whatever rule_cmd() returned (presumably 0 on success).
 */
static int rule_delete(struct firewall_handle *handle)
{
	struct nftnl_rule *rule = NULL;
	struct mnl_socket *nl = NULL;
	int ret = -ENOMEM;

	DBG("");

	rule = nftnl_rule_alloc();
	if (rule == NULL)
		goto out;

	nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
	nftnl_rule_set(rule, NFTNL_RULE_CHAIN, handle->chain);
	nftnl_rule_set_u64(rule, NFTNL_RULE_HANDLE, handle->handle);

	ret = socket_open_and_bind(&nl);
	if (ret < 0)
		goto out_free;

	ret = rule_cmd(nl, rule, NFT_MSG_DELRULE, NFPROTO_IPV4, NLM_F_ACK, 0,
			NULL);
	/* The socket is per-call; close it before releasing the rule. */
	mnl_socket_close(nl);

out_free:
	nftnl_rule_free(rule);
out:
	return ret;
}
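/*
 * Build a rule that matches TCP packets with destination port 22 and
 * attaches a counter expression to it.
 *
 * @family  nfproto family stored as NFTNL_RULE_FAMILY (e.g. NFPROTO_IPV4).
 * @table   name of the table the rule belongs to.
 * @chain   name of the chain the rule belongs to.
 * @handle  optional decimal rule handle; when non-NULL it is stored as
 *          NFTNL_RULE_POSITION so the kernel places the new rule relative
 *          to that existing rule. It must consist only of decimal digits;
 *          anything else is reported on stderr and the program exits.
 *
 * Returns a newly allocated rule owned by the caller (release it with
 * nftnl_rule_free()). Allocation failure prints "OOM" and exits, which is
 * the error policy this example already uses.
 */
static struct nftnl_rule *setup_rule(uint8_t family, const char *table,
				     const char *chain, const char *handle)
{
	struct nftnl_rule *r;
	uint8_t proto;
	uint16_t dport;

	r = nftnl_rule_alloc();
	if (r == NULL) {
		perror("OOM");
		exit(EXIT_FAILURE);
	}

	nftnl_rule_set(r, NFTNL_RULE_TABLE, table);
	nftnl_rule_set(r, NFTNL_RULE_CHAIN, chain);
	nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family);

	if (handle != NULL) {
		char *end = NULL;
		unsigned long long handle_num;

		/*
		 * atoll() turned garbage into 0 and a negative or oversized
		 * value into a wrapped u64, so a mistyped argument silently
		 * inserted the rule at an arbitrary position. Require a
		 * leading digit (this also rejects the sign and whitespace
		 * strtoull() would accept), no trailing characters, and treat
		 * ULLONG_MAX as out of range since strtoull() also returns it
		 * on overflow.
		 */
		handle_num = strtoull(handle, &end, 10);
		if (*handle < '0' || *handle > '9' || *end != '\0' ||
		    handle_num == (unsigned long long)-1) {
			fprintf(stderr, "invalid rule handle '%s'\n", handle);
			exit(EXIT_FAILURE);
		}
		nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num);
	}

	/* Match: ip protocol == tcp. */
	proto = IPPROTO_TCP;
	add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
		    offsetof(struct iphdr, protocol), sizeof proto);
	add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &proto, sizeof proto);

	/* Match: tcp dport == 22; the comparand is stored in network order. */
	dport = htons(22);
	add_payload(r, NFT_PAYLOAD_TRANSPORT_HEADER, NFT_REG_1,
		    offsetof(struct tcphdr, dest), sizeof dport);
	add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &dport, sizeof dport);

	add_counter(r);

	return r;
}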