authorPablo Neira Ayuso <pablo@netfilter.org>2020-05-20 20:23:35 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2020-06-02 14:05:38 +0200
commitd47f1652088769a9dedb1fc5762c2d9d2e5d500b (patch)
tree14d195e031bed83c4b8f1c7add18e53579830ad7 /src
parent45f98f7451c7c3c3deb00de18683dba1970bee0c (diff)
src: add devices to an existing flowtable
This patch allows you to add new devices to an existing flowtable. # nft add flowtable x y { devices = { eth0 } \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/evaluate.c21
-rw-r--r--src/mnl.c16
2 files changed, 21 insertions, 16 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 4156d896..fbc8f1fb 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3624,17 +3624,16 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
if (table == NULL)
return table_not_found(ctx);
- ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
- if (ft->hook.num == NF_INET_NUMHOOKS)
- return chain_error(ctx, ft, "invalid hook %s", ft->hook.name);
-
- if (!evaluate_priority(ctx, &ft->priority, NFPROTO_NETDEV, ft->hook.num))
- return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
- "invalid priority expression %s.",
- expr_name(ft->priority.expr));
-
- if (!ft->dev_expr)
- return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+ if (ft->hook.name) {
+ ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
+ if (ft->hook.num == NF_INET_NUMHOOKS)
+ return chain_error(ctx, ft, "invalid hook %s",
+ ft->hook.name);
+ if (!evaluate_priority(ctx, &ft->priority, NFPROTO_NETDEV, ft->hook.num))
+ return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
+ "invalid priority expression %s.",
+ expr_name(ft->priority.expr));
+ }
return 0;
}
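Review bot: The `if (!ft->dev_expr)` rejection removed at the end of flowtable_evaluate is not replaced by anything, so a flowtable given with neither a hook nor a device list now passes evaluation without a diagnostic. The src/mnl.c hunk of this commit still calls `nft_flowtable_dev_array(cmd)` unconditionally on its context line, and if that helper walks `dev_expr` (its body is not visible here) a NULL `dev_expr` would now reach it. Keeping the guard after the new `if (ft->hook.name)` block, `if (!ft->dev_expr) return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");`, preserves the old error while still allowing the hook-less update. A short comment on the new block, such as `/* hook and priority are optional when only adding devices to an existing flowtable */`, would also make the reason for the conditional clear. flowtable_evaluate begins above the hunk.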
diff --git a/src/mnl.c b/src/mnl.c
index 2890014e..8f8fcc2c 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1640,11 +1640,17 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
cmd->handle.family);
- nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
- cmd->flowtable->hook.num);
- mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
- BYTEORDER_HOST_ENDIAN, sizeof(int));
- nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+
+ if (cmd->flowtable->hook.name) {
+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
+ cmd->flowtable->hook.num);
+ mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
+ BYTEORDER_HOST_ENDIAN, sizeof(int));
+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+ } else {
+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM, 0);
+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
+ }
dev_array = nft_flowtable_dev_array(cmd);
nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,