author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-04 20:58:59 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-16 18:22:43 +0200 |
commit | 6c43069e5f2a55d769ec6d362bc863af906591d0 (patch) | |
tree | 24a979dfd7b04c5b57d2c02ffd996343325fdb60 /src/rule.c | |
parent | 1e743925a597055c82200540a7c8c3e2ec506878 (diff) |
src: add netdev family support
This patch adds support for the new 'netdev' table. So far, this table allows
you to create filter chains from ingress.
The following example shows a very simple base configuration with one table that
contains a basechain attached to the 'eth0' device:
# nft list table netdev filter
table netdev filter {
chain eth0-ingress {
type filter hook ingress device eth0 priority 0; policy accept;
}
}
You can test that this works by adding a simple rule with counters:
# nft add rule netdev filter eth0-ingress counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 25 |
1 files changed, 21 insertions, 4 deletions
@@ -333,6 +333,7 @@ static const char *chain_hookname_str_array[] = {
 "forward",
 "postrouting",
 "output",
+ "ingress",
 NULL,
 };
@@ -398,6 +399,8 @@ const char *family2str(unsigned int family)
 return "ip6";
 case NFPROTO_INET:
 return "inet";
+ case NFPROTO_NETDEV:
+ return "netdev";
 case NFPROTO_ARP:
 return "arp";
 case NFPROTO_BRIDGE:
@@ -441,6 +444,13 @@ static const char *hooknum2str(unsigned int family, unsigned int hooknum)
 default:
 break;
 }
+ break;
+ case NFPROTO_NETDEV:
+ switch (hooknum) {
+ case NF_NETDEV_INGRESS:
+ return "ingress";
+ }
+ break;
 default:
 break;
 };
@@ -465,10 +475,17 @@ static void chain_print(const struct chain *chain)
 printf("\tchain %s {\n", chain->handle.chain);
 if (chain->flags & CHAIN_F_BASECHAIN) {
- printf("\t\ttype %s hook %s priority %d; policy %s;\n",
- chain->type,
- hooknum2str(chain->handle.family, chain->hooknum),
- chain->priority, chain_policy2str(chain->policy));
+ if (chain->dev != NULL) {
+ printf("\t\ttype %s hook %s device %s priority %d;\n",
+ chain->type,
+ hooknum2str(chain->handle.family, chain->hooknum),
+ chain->dev, chain->priority);
+ } else {
+ printf("\t\ttype %s hook %s priority %d;\n",
+ chain->type,
+ hooknum2str(chain->handle.family, chain->hooknum),
+ chain->priority);
+ }
 }
 list_for_each_entry(rule, &chain->rules, list) {
 printf("\t\t"); |
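Review bot: The inner `switch (hooknum)` added under `case NFPROTO_NETDEV:` in hooknum2str has no `default:` label, while the inner switch just above it in the context lines ends with `default: break;`. Adding `default: break;` before its closing brace keeps the family cases parallel and avoids a switch-default warning. It also makes explicit that an unrecognised netdev hook number falls through to the function's final return, which lies outside this hunk.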
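Review bot: Both new printf calls in chain_print drop the `policy %s;` field and the `chain_policy2str(chain->policy)` argument that the removed call printed, so a base chain's policy no longer appears in the listing for any family, not just netdev. The commit message's own example output still shows `policy accept;`, which suggests the omission is unintended. For a firewall this is more than cosmetic: a chain with a drop policy is listed without it, and a ruleset saved from this output and loaded again would presumably come back with the default policy. Printing the line in pieces keeps the policy and removes the duplicated branch; chain_print begins before this hunk and continues past it.

```c
	if (chain->flags & CHAIN_F_BASECHAIN) {
		printf("\t\ttype %s hook %s", chain->type,
		       hooknum2str(chain->handle.family, chain->hooknum));
		/* The device is only set for chains bound to an interface. */
		if (chain->dev != NULL)
			printf(" device %s", chain->dev);
		printf(" priority %d; policy %s;\n",
		       chain->priority, chain_policy2str(chain->policy));
	}
	/* … unchanged: list_for_each_entry rule printing … */
```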