| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-04 20:58:59 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-16 18:22:43 +0200 |
| commit | 6c43069e5f2a55d769ec6d362bc863af906591d0 (patch) | |
| tree | 24a979dfd7b04c5b57d2c02ffd996343325fdb60 /doc | |
| parent | 1e743925a597055c82200540a7c8c3e2ec506878 (diff) | |
src: add netdev family support
This patch adds support for the new 'netdev' table. So far, this table allows
you to create filter chains from ingress.
The following example shows a very simple base configuration with one table that
contains a basechain that is attached to the 'eth0':
# nft list table netdev filter
table netdev filter {
    chain eth0-ingress {
        type filter hook ingress device eth0 priority 0; policy accept;
    }
}
You can test that this works by adding a simple rule with counters:
# nft add rule netdev filter eth0-ingress counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/nft.xml | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index 8d79016c..d51876cd 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -267,6 +267,14 @@ filter input iif $int_ifs accept </para> </listitem> </varlistentry> + <varlistentry> + <term><option>netdev</option></term> + <listitem> + <para> + Netdev address family, handling packets from ingress. + </para> + </listitem> + </varlistentry> </variablelist> </para> <para> @@ -373,6 +381,38 @@ filter input iif $int_ifs accept The bridge address family handles ethernet packets traversing bridge devices. </para> </refsect2> + <refsect2> + <title>Netdev address family</title> + <para> + The Netdev address family handles packets from ingress. + </para> + <para> + <table frame="all"> + <title>Netdev address family hooks</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1' pgwide="1"> + <colspec colname='c1' colwidth="1*"/> + <colspec colname='c2' colwidth="5*"/> + <thead> + <row> + <entry>Hook</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>ingress</entry> + <entry> + All packets entering the system are processed by this hook. It is invoked + before layer 3 protocol handlers and it can be used for early filtering and + policing. + </entry> + </row> + </tbody> + </tgroup> + </table> + </para> + </refsect2> + </refsect1> <refsect1> @@ -401,6 +441,7 @@ filter input iif $int_ifs accept <member><literal>inet</literal></member> <member><literal>arp</literal></member> <member><literal>bridge</literal></member> + <member><literal>netdev</literal></member> </simplelist>. The <literal>inet</literal> address family is a dummy family which is used to create @@ -457,6 +498,7 @@ filter input iif $int_ifs accept <arg choice="req"><replaceable>hook</replaceable></arg> <arg choice="req"><replaceable>priority</replaceable></arg> <arg choice="req"><replaceable>policy</replaceable></arg> + <arg choice="req"><replaceable>device</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <group choice="req"> |
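Review bot: the one-line description added in the first hunk, "Netdev address family, handling packets from ingress.", leaves out the defining property of this family, namely that its chains are bound to a single network device (the `device` keyword used in the commit message example and added to the cmdsynopsis in the last hunk). Suggest "Netdev address family, handling packets from ingress on a given network device." so the summary list matches the command syntax.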
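Review bot: the new "Netdev address family" refsect2 in the second hunk does not document that a base chain in this family must name the device it attaches to, although that is what the `device` argument in the last hunk and the `device eth0` example in the commit message require; a sentence such as "Base chains in this family are attached to a single network device, specified with the device keyword." would keep the man page in step with the syntax. The hooks table also describes the ingress hook as usable for "early filtering and policing" without saying which chain types the family accepts, so a reader cannot tell whether anything other than `type filter` is valid here; stating the supported chain types would remove that ambiguity.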
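Review bot: in the last hunk `<arg choice="req"><replaceable>device</replaceable></arg>` marks `device` as required in the shared `add chain` synopsis, which makes it read as mandatory for every address family, while the rest of the patch introduces it only for netdev; mark it `choice="opt"` or add a note that it applies to the netdev family only. The argument order in the synopsis (hook, priority, policy, device) also differs from the order in the commit message example (`hook ingress device eth0 priority 0; policy accept;`), so one of the two should be aligned with the other.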