author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-17 16:36:15 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-17 17:26:03 +0100 |
commit | acdfae9c3126ff8716c93713f13e8e31a85d5e95 (patch) | |
tree | 3b6c0d51c0062c54243d62565330ea99bba6ab23 /src/netlink.c | |
parent | ac3a68fb768b7f0e20493038139faa4704dc1846 (diff) |
src: allow to specify the default policy for base chains
The new syntax is:
nft add chain filter input { hook input type filter priority 0\; policy accept\; }
but the previous syntax is still allowed:
nft add chain filter input { hook input type filter priority 0\; }
this assumes the default policy is accept.
If the base chain already exists, you can update the policy via:
nft add chain filter input { policy drop\; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 8c37ec5d..2d1fb793 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -508,6 +508,10 @@ static int netlink_add_chain_compat(struct netlink_ctx *ctx,
 nft_chain_attr_set_str(nlc, NFT_CHAIN_ATTR_TYPE, chain->type);
 }
+ if (chain->policy != -1)
+ nft_chain_attr_set_u32(nlc, NFT_CHAIN_ATTR_POLICY,
+ chain->policy);
+
 netlink_dump_chain(nlc);
 err = mnl_nft_chain_add(nf_sock, nlc, excl ? NLM_F_EXCL : 0);
 nft_chain_free(nlc);
@@ -535,6 +539,10 @@ static int netlink_add_chain_batch(struct netlink_ctx *ctx,
 nft_chain_attr_set_str(nlc, NFT_CHAIN_ATTR_TYPE, chain->type);
 }
+ if (chain->policy != -1)
+ nft_chain_attr_set_u32(nlc, NFT_CHAIN_ATTR_POLICY,
+ chain->policy);
+
 netlink_dump_chain(nlc);
 err = mnl_nft_chain_batch_add(nlc, excl ? NLM_F_EXCL : 0, ctx->seqnum);
@@ -665,13 +673,16 @@ static struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
 if (nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_HOOKNUM) &&
 nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_PRIO) &&
- nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_TYPE)) {
+ nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_TYPE) &&
+ nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_POLICY)) {
 chain->hooknum = nft_chain_attr_get_u32(nlc, NFT_CHAIN_ATTR_HOOKNUM);
 chain->priority = nft_chain_attr_get_s32(nlc, NFT_CHAIN_ATTR_PRIO);
 chain->type = xstrdup(nft_chain_attr_get_str(nlc, NFT_CHAIN_ATTR_TYPE));
+ chain->policy =
+ nft_chain_attr_get_u32(nlc, NFT_CHAIN_ATTR_POLICY);
 chain->flags |= CHAIN_F_BASECHAIN;
 }
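Review bot: The `-1` sentinel meaning "no policy given" is a bare magic number in the new `if (chain->policy != -1)` guard in netlink_add_chain_compat and again in netlink_add_chain_batch, and the whole three-line block is duplicated between the two; a named constant next to the chain struct, e.g. `#define CHAIN_POLICY_UNSET -1`, or one small static helper shared by both add paths would keep them from drifting. Whether every place that allocates a `struct chain` initialises `policy` to -1 is not visible in this file; if any path leaves it zero-initialised, the guard passes and `NFT_CHAIN_ATTR_POLICY` is sent as 0, which is NF_DROP, for a chain whose policy was never specified, so this is worth confirming in the chain allocator. In netlink_delinearize_chain, base-chain detection now also requires the POLICY attribute to be present; if a kernel ever omitted it, the chain would be listed without CHAIN_F_BASECHAIN and its hook, priority and type silently dropped, so a comment above the condition stating that the kernel always reports a policy for base chains would help the next reader. All three enclosing functions start and end outside their hunks.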