author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-04 20:58:59 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-16 18:22:43 +0200 |
commit | 6c43069e5f2a55d769ec6d362bc863af906591d0 (patch) | |
tree | 24a979dfd7b04c5b57d2c02ffd996343325fdb60 /src/parser_bison.y | |
parent | 1e743925a597055c82200540a7c8c3e2ec506878 (diff) |
src: add netdev family support
This patch adds support for the new 'netdev' table. So far, this table allows
you to create filter chains from ingress.
The following example shows a very simple base configuration with one table that
contains a basechain that is attached to the 'eth0' device:
# nft list table netdev filter
table netdev filter {
chain eth0-ingress {
type filter hook ingress device eth0 priority 0; policy accept;
}
}
You can test that this works by adding a simple rule with counters:
# nft add rule netdev filter eth0-ingress counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r-- | src/parser_bison.y | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index eac3fcbe..fab4c52e 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -165,6 +165,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token DEFINE "define"
 %token HOOK "hook"
+%token DEVICE "device"
 %token TABLE "table"
 %token TABLES "tables"
 %token CHAIN "chain"
@@ -179,6 +180,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token RULESET "ruleset"
 %token INET "inet"
+%token NETDEV "netdev"
 %token ADD "add"
 %token UPDATE "update"
@@ -1090,6 +1092,37 @@ hook_spec : TYPE STRING HOOK STRING PRIORITY NUM
 $<chain>0->priority = -$7;
 $<chain>0->flags |= CHAIN_F_BASECHAIN;
 }
+ | TYPE STRING HOOK STRING DEVICE STRING PRIORITY NUM
+ {
+ $<chain>0->type = chain_type_name_lookup($2);
+ if ($<chain>0->type == NULL) {
+ erec_queue(error(&@2, "unknown chain type %s", $2),
+ state->msgs);
+ YYERROR;
+ }
+ $<chain>0->hookstr = chain_hookname_lookup($4);
+ if ($<chain>0->hookstr == NULL) {
+ erec_queue(error(&@4, "unknown chain hook %s", $4),
+ state->msgs);
+ YYERROR;
+ }
+ $<chain>0->dev = $6;
+ $<chain>0->priority = $8;
+ $<chain>0->flags |= CHAIN_F_BASECHAIN;
+ }
+ | TYPE STRING HOOK STRING DEVICE STRING PRIORITY DASH NUM
+ {
+ $<chain>0->type = chain_type_name_lookup($2);
+ if ($<chain>0->type == NULL) {
+ erec_queue(error(&@2, "unknown type name %s", $2),
+ state->msgs);
+ YYERROR;
+ }
+ $<chain>0->hookstr = chain_hookname_lookup($4);
+ $<chain>0->dev = $6;
+ $<chain>0->priority = -$9;
+ $<chain>0->flags |= CHAIN_F_BASECHAIN;
+ }
 ;
 policy_spec : POLICY chain_policy
@@ -1137,6 +1170,7 @@ family_spec_explicit : IP { $$ = NFPROTO_IPV4; }
 | INET { $$ = NFPROTO_INET; }
 | ARP { $$ = NFPROTO_ARP; }
 | BRIDGE { $$ = NFPROTO_BRIDGE; }
+ | NETDEV { $$ = NFPROTO_NETDEV; }
 ;
 table_spec : family_spec identifier |
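Review bot: The second added alternative (`… DEVICE STRING PRIORITY DASH NUM`) assigns `chain_hookname_lookup($4)` to `hookstr` without the NULL check that the first added alternative performs, so an unknown hook name is accepted on the negative-priority path and the chain is flagged `CHAIN_F_BASECHAIN` with a NULL `hookstr`; what later code does with that value is not visible in this hunk. The same alternative reports a bad type as "unknown type name" while the first one says "unknown chain type", and a single wording would keep the diagnostics consistent. `$6` is stored in `dev` as-is, so any length or validity check on the device name has to happen elsewhere, which is worth confirming because rulesets are commonly loaded from files. The `hook_spec` rule starts above the hunk, so the pre-existing alternatives without a device are only partly visible here.

```yacc
				$<chain>0->hookstr	= chain_hookname_lookup($4);
				if ($<chain>0->hookstr == NULL) {
					erec_queue(error(&@4, "unknown chain hook %s", $4),
						   state->msgs);
					YYERROR;
				}
				/* … unchanged: dev, priority and flags assignments … */
```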