authorPablo Neira Ayuso <pablo@netfilter.org>2012-11-03 11:12:45 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2013-12-30 23:50:20 +0100
commit5b414b85c33912aec912d260502c8b0c0df794a1 (patch)
tree81c91bc32ffeed25c520195e79abec08314da0d9 /iptables/nft.c
parent42239cb39ecf7650fefb5cc301ab943be11de6fb (diff)
iptables: nft: move priority to chain instead of table
The NAT table uses different chain priorities; adapt the existing code to allow this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c77
1 files changed, 43 insertions, 34 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index c803ffef..0d07aa51 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -82,32 +82,6 @@ static int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
return 0;
}
-static int nft_table_builtin_add(struct nft_handle *h, const char *table)
-{
- char buf[MNL_SOCKET_BUFFER_SIZE];
- struct nlmsghdr *nlh;
- struct nft_table *t;
- int ret;
-
- t = nft_table_alloc();
- if (t == NULL)
- return -1;
-
- nft_table_attr_set(t, NFT_TABLE_ATTR_NAME, (char *)table);
-
- nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, AF_INET,
- NLM_F_ACK|NLM_F_EXCL, h->seq);
- nft_table_nlmsg_build_payload(nlh, t);
- nft_table_free(t);
-
- ret = mnl_talk(h, nlh, NULL, NULL);
- if (ret < 0) {
- if (errno != EEXIST)
- perror("mnl-talk:nft_table_init_one");
- }
- return ret;
-}
-
#define FILTER 0
#define MANGLE 1
#define RAW 2
@@ -116,86 +90,95 @@ static int nft_table_builtin_add(struct nft_handle *h, const char *table)
struct builtin_chain {
const char *name;
+ uint32_t prio;
uint32_t hook;
};
static struct builtin_table {
const char *name;
- uint32_t prio;
struct builtin_chain chains[NF_INET_NUMHOOKS];
} tables[TABLES_MAX] = {
[RAW] = {
.name = "raw",
- .prio = -300, /* NF_IP_PRI_RAW */
.chains = {
{
.name = "PREROUTING",
+ .prio = -300, /* NF_IP_PRI_RAW */
.hook = NF_INET_PRE_ROUTING,
},
{
.name = "OUTPUT",
+ .prio = -300, /* NF_IP_PRI_RAW */
.hook = NF_INET_LOCAL_OUT,
},
},
},
[MANGLE] = {
.name = "mangle",
- .prio = -150, /* NF_IP_PRI_MANGLE */
.chains = {
{
.name = "PREROUTING",
+ .prio = -150, /* NF_IP_PRI_MANGLE */
.hook = NF_INET_PRE_ROUTING,
},
{
.name = "INPUT",
+ .prio = -150, /* NF_IP_PRI_MANGLE */
.hook = NF_INET_LOCAL_IN,
},
{
.name = "FORWARD",
+ .prio = -150, /* NF_IP_PRI_MANGLE */
.hook = NF_INET_FORWARD,
},
{
.name = "OUTPUT",
+ .prio = -150, /* NF_IP_PRI_MANGLE */
.hook = NF_INET_LOCAL_OUT,
},
{
.name = "POSTROUTING",
+ .prio = -150, /* NF_IP_PRI_MANGLE */
.hook = NF_INET_POST_ROUTING,
},
},
},
[FILTER] = {
.name = "filter",
- .prio = 0, /* NF_IP_PRI_FILTER */
.chains = {
{
.name = "INPUT",
+ .prio = 0, /* NF_IP_PRI_FILTER */
.hook = NF_INET_LOCAL_IN,
},
{
.name = "FORWARD",
+ .prio = 0, /* NF_IP_PRI_FILTER */
.hook = NF_INET_FORWARD,
},
{
.name = "OUTPUT",
+ .prio = 0, /* NF_IP_PRI_FILTER */
.hook = NF_INET_LOCAL_OUT,
},
},
},
[SECURITY] = {
.name = "security",
- .prio = 150, /* NF_IP_PRI_SECURITY */
.chains = {
{
.name = "INPUT",
+ .prio = 150, /* NF_IP_PRI_SECURITY */
.hook = NF_INET_LOCAL_IN,
},
{
.name = "FORWARD",
+ .prio = 150, /* NF_IP_PRI_SECURITY */
.hook = NF_INET_FORWARD,
},
{
.name = "OUTPUT",
+ .prio = 150, /* NF_IP_PRI_SECURITY */
.hook = NF_INET_LOCAL_OUT,
},
},
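Review bot: The new `uint32_t prio` member of `struct builtin_chain` is initialised with negative literals (`-300`, `-150`) in every RAW and MANGLE chain of this hunk, relying on modular conversion to unsigned while each comment names the signed kernel constant it stands for. Hand-copying the number plus a comment onto every chain is the kind of repetition that drifts; the initialisers would be clearer and self-checking as the constants themselves, e.g. `.prio = NF_IP_PRI_RAW,` and `.prio = NF_IP_PRI_MANGLE,` — provided the header that defines `enum nf_ip_hook_priorities` is included here, which this hunk does not show. If the field stays `uint32_t`, a one-line comment on its declaration, `/* hook priority; negative kernel NF_IP_PRI_* values are stored as their u32 bit pattern */`, would record why negative initialisers land in an unsigned field.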
@@ -203,6 +186,32 @@ static struct builtin_table {
/* nat already registered by nf_tables */
};
+static int nft_table_builtin_add(struct nft_handle *h, struct builtin_table *_t)
+{
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ struct nft_table *t;
+ int ret;
+
+ t = nft_table_alloc();
+ if (t == NULL)
+ return -1;
+
+ nft_table_attr_set(t, NFT_TABLE_ATTR_NAME, (char *)_t->name);
+
+ nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, AF_INET,
+ NLM_F_ACK|NLM_F_EXCL, h->seq);
+ nft_table_nlmsg_build_payload(nlh, t);
+ nft_table_free(t);
+
+ ret = mnl_talk(h, nlh, NULL, NULL);
+ if (ret < 0) {
+ if (errno != EEXIST)
+ perror("mnl-talk:nft_table_init_one");
+ }
+ return ret;
+}
+
static struct nft_chain *
nft_chain_builtin_alloc(struct builtin_table *table,
struct builtin_chain *chain, int policy)
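Review bot: `nft_table_builtin_add` reads only `_t->name`, so its parameter can be declared `const struct builtin_table *_t`, which documents that the table descriptor is never modified and still accepts the non-const pointers both callers pass. The label in `perror("mnl-talk:nft_table_init_one")` at the failure branch does not name this function, and since that string is the only diagnostic emitted, `perror("mnl-talk:nft_table_builtin_add")` would point a reader at the right place. The function is also silent on the contract callers rely on — that a failure with `errno == EEXIST` is benign — so a comment above the `ret < 0` check, `/* EEXIST means the built-in table is already registered; callers inspect errno */`, would make that explicit.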
@@ -216,7 +225,7 @@ nft_chain_builtin_alloc(struct builtin_table *table,
nft_chain_attr_set(c, NFT_CHAIN_ATTR_TABLE, (char *)table->name);
nft_chain_attr_set(c, NFT_CHAIN_ATTR_NAME, (char *)chain->name);
nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_HOOKNUM, chain->hook);
- nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_PRIO, table->prio);
+ nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_PRIO, chain->prio);
nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_POLICY, policy);
return c;
@@ -312,7 +321,7 @@ nft_chain_builtin_init(struct nft_handle *h, const char *table,
ret = -1;
goto out;
}
- if (nft_table_builtin_add(h, table) < 0) {
+ if (nft_table_builtin_add(h, t) < 0) {
/* Built-in table already initialized, skip. */
if (errno == EEXIST)
goto out;
@@ -394,7 +403,7 @@ __nft_chain_set(struct nft_handle *h, const char *table,
_t = nft_table_builtin_find(table);
/* if this built-in table does not exists, create it */
if (_t != NULL)
- nft_table_builtin_add(h, table);
+ nft_table_builtin_add(h, _t);
_c = nft_chain_builtin_find(_t, chain);
if (_c != NULL) {
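Review bot: The return value of `nft_table_builtin_add(h, _t)` is discarded at the changed line, so a failure other than EEXIST (the only case the callee treats as benign) goes unnoticed and the code proceeds to look up and configure chains in a table that was never created. `nft_chain_builtin_init` in the preceding hunk checks `errno == EEXIST` after the same call; this caller should do likewise, e.g. `if (_t != NULL && nft_table_builtin_add(h, _t) < 0 && errno != EEXIST) return -1;`, adapted to whatever error convention `__nft_chain_set` uses, which lies outside the hunk. The comment `/* if this built-in table does not exists, create it */` also reads better as `/* if this built-in table does not exist, create it */`. `__nft_chain_set` begins and ends outside the hunk.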