diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-17 16:36:15 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-17 17:26:03 +0100 |
commit | acdfae9c3126ff8716c93713f13e8e31a85d5e95 (patch) | |
tree | 3b6c0d51c0062c54243d62565330ea99bba6ab23 /src/rule.c | |
parent | ac3a68fb768b7f0e20493038139faa4704dc1846 (diff) |
src: allow to specify the default policy for base chains
The new syntax is:
nft add chain filter input { hook input type filter priority 0\; policy accept\; }
but the previous syntax is still allowed:
nft add chain filter input { hook input type filter priority 0\; }
this assumes default policy to accept.
If the base chain already exists, you can update the policy via:
nft add chain filter input { policy drop\; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 23 |
1 files changed, 19 insertions, 4 deletions
@@ -336,6 +336,8 @@ struct chain *chain_alloc(const char *name) init_list_head(&chain->scope.symbols); if (name != NULL) chain->handle.chain = xstrdup(name); + + chain->policy = -1; return chain; } @@ -425,15 +427,27 @@ static const char *hooknum2str(unsigned int family, unsigned int hooknum) return "unknown"; } +static const char *chain_policy2str(uint32_t policy) +{ + switch (policy) { + case NF_DROP: + return "drop"; + case NF_ACCEPT: + return "accept"; + } + return "unknown"; +} + static void chain_print(const struct chain *chain) { struct rule *rule; printf("\tchain %s {\n", chain->handle.chain); if (chain->flags & CHAIN_F_BASECHAIN) { - printf("\t\t type %s hook %s priority %d;\n", chain->type, + printf("\t\t type %s hook %s priority %d; policy %s;\n", + chain->type, hooknum2str(chain->handle.family, chain->hooknum), - chain->priority); + chain->priority, chain_policy2str(chain->policy)); } list_for_each_entry(rule, &chain->rules, list) { printf("\t\t"); @@ -452,9 +466,10 @@ void chain_print_plain(const struct chain *chain) chain->handle.table, chain->handle.chain); if (chain->flags & CHAIN_F_BASECHAIN) { - printf(" { type %s hook %s priority %d; }", chain->type, + printf(" { type %s hook %s priority %d; policy %s; }", + chain->type, hooknum2str(chain->handle.family, chain->hooknum), - chain->priority); + chain->priority, chain_policy2str(chain->policy)); } printf("\n"); |