authorEric Leblond <eric@regit.org>2013-09-16 18:27:37 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2013-09-17 13:11:14 +0200
commit57f844782fa86660ce16b79b485ec34729bce4f7 (patch)
treeff69c79d99f6f10b0f2b43bb4866bf491941bb38 /files
parentf1a9d5d320bb4d19570f9029e028c3acd81b8756 (diff)
Update chain creation format.
The type keyword is now mandatory when creating a new chain. This patch also implements the change required by the use of human-readable notation for hooks. It also removes the mangle chains that are not currently supported. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'files')
-rw-r--r--files/nftables/bridge-filter6
-rw-r--r--files/nftables/ipv4-filter6
-rw-r--r--files/nftables/ipv4-mangle6
-rw-r--r--files/nftables/ipv4-nat6
-rw-r--r--files/nftables/ipv6-filter6
-rw-r--r--files/nftables/ipv6-mangle6
-rw-r--r--files/nftables/ipv6-nat6
7 files changed, 23 insertions, 19 deletions
diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
index ca306d48..54779c4a 100644
--- a/files/nftables/bridge-filter
+++ b/files/nftables/bridge-filter
@@ -1,7 +1,7 @@
#! nft -f
table bridge filter {
- chain input { hook NF_INET_LOCAL_IN -200; }
- chain forward { hook NF_INET_FORWARD -200; }
- chain output { hook NF_INET_LOCAL_OUT 200; }
+ chain input { type filter hook input priority -200; }
+ chain forward { type filter hook forward priority -200; }
+ chain output { type filter hook output priority 200; }
}
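Review bot: The `output` chain keeps priority 200 while `input` and `forward` use -200, and nothing in the file says the asymmetry is intentional. It appears to mirror the ebtables filter table, which registers its output hook at a different bridge priority than its input and forward hooks, but a reader auditing hook ordering cannot tell that from the file. A comment above the chain would settle it, for example `# output runs at 200 (after bridge NAT), input/forward at -200, matching ebtables filter`; confirm the ebtables correspondence before committing that wording.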
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
index 3f962143..3174e7a9 100644
--- a/files/nftables/ipv4-filter
+++ b/files/nftables/ipv4-filter
@@ -1,7 +1,7 @@
#! nft -f
table filter {
- chain input { hook NF_INET_LOCAL_IN 0; }
- chain forward { hook NF_INET_FORWARD 0; }
- chain output { hook NF_INET_LOCAL_OUT 0; }
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
}
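Review bot: The three base chains are created with a type, hook and priority but no rules, so loading this file alone leaves every packet accepted at these hooks, assuming the default verdict of a base chain is accept in this nft version. That is reasonable for a skeleton, but the file gives an operator no hint that it filters nothing. A header comment such as `# skeleton only: creates empty base chains, add rules before relying on this table` would make that explicit. The same applies to files/nftables/ipv6-filter and files/nftables/bridge-filter.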
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
index 339cacea..27327d3b 100644
--- a/files/nftables/ipv4-mangle
+++ b/files/nftables/ipv4-mangle
@@ -1,9 +1,5 @@
#! nft -f
table mangle {
- chain prerouting { hook NF_INET_PRE_ROUTING -150; }
- chain input { hook NF_INET_LOCAL_IN -150; }
- chain forward { hook NF_INET_FORWARD -150; }
- chain output { hook NF_INET_LOCAL_OUT -150; }
- chain postrouting { hook NF_INET_POST_ROUTING -150; }
+ chain output { type route hook output priority -150; }
}
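Review bot: The table now defines only `output`, and the file carries no record of why `prerouting`, `input`, `forward` and `postrouting` were removed. Any existing ruleset that adds rules to those mangle chains will presumably fail to load against this table, which can leave a host with a partially applied ruleset. The commit message gives the reason, so the file should carry it too, for example `# only the output (type route) chain is provided; the other mangle chains are not supported yet`. The same comment fits files/nftables/ipv6-mangle.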
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
new file mode 100644
index 00000000..99d69514
--- /dev/null
+++ b/files/nftables/ipv4-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table nat {
+ chain prerouting { type nat hook prerouting priority -150; }
+ chain postrouting { type nat hook postrouting priority -150; }
+}
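Review bot: Both nat chains are registered at priority -150, which is the value the mangle files use rather than the conventional netfilter NAT priorities of -100 for destination NAT at prerouting and 100 for source NAT at postrouting. With `postrouting` at -150, source translation would run ahead of any other postrouting chain registered at -150 or higher, so those chains would match on already-translated addresses. If this was not deliberate, consider `chain prerouting { type nat hook prerouting priority -100; }` and `chain postrouting { type nat hook postrouting priority 100; }`. If it was deliberate, a comment stating the intended ordering relative to mangle would help. The same values appear in files/nftables/ipv6-nat.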
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
index 9e412784..98fce02d 100644
--- a/files/nftables/ipv6-filter
+++ b/files/nftables/ipv6-filter
@@ -1,7 +1,7 @@
#! nft -f
table ip6 filter {
- chain input { hook NF_INET_LOCAL_IN 0; }
- chain forward { hook NF_INET_FORWARD 0; }
- chain output { hook NF_INET_LOCAL_OUT 0; }
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
}
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
index dc18c7a8..72743532 100644
--- a/files/nftables/ipv6-mangle
+++ b/files/nftables/ipv6-mangle
@@ -1,9 +1,5 @@
#! nft -f
table ip6 mangle {
- chain prerouting { hook NF_INET_PRE_ROUTING -150; }
- chain input { hook NF_INET_LOCAL_IN -150; }
- chain forward { hook NF_INET_FORWARD -150; }
- chain output { hook NF_INET_LOCAL_OUT -150; }
- chain postrouting { hook NF_INET_POST_ROUTING -150; }
+ chain output { type route hook output priority -150; }
}
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
new file mode 100644
index 00000000..33ecf9b6
--- /dev/null
+++ b/files/nftables/ipv6-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table ip6 nat {
+ chain prerouting { type nat hook prerouting priority -150; }
+ chain postrouting { type nat hook postrouting priority -150; }
+}