diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-19 11:50:01 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-24 22:48:42 +0200 |
| commit | a66b5ad9540dd64c7c67006201b8b3ccf8e4316b (patch) | |
| tree | d642bd18f44fa6672a27126c63cc2fb991120423 /tests/shell/testcases/chains/dumps/netdev_chain_0.nft | |
| parent | 99b56d4ee1442ccfa0aadde3cb3ecee74a4de815 (diff) | |
src: allow for updating devices on existing netdev chain
This patch allows you to add/remove devices to an existing chain:
# cat ruleset.nft
table netdev x {
chain y {
type filter hook ingress devices = { eth0 } priority 0; policy accept;
}
}
# nft -f ruleset.nft
# nft add chain netdev x y '{ devices = { eth1 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
}
}
# nft delete chain netdev x y '{ devices = { eth0 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth1 } priority 0; policy accept;
}
}
This feature allows for creating an empty netdev chain, with no devices.
In such case, no packets are seen until a device is registered.
This patch includes extended netlink error reporting:
# nft add chain netdev x y '{ devices = { x } ; }'
Error: Could not process rule: No such file or directory
add chain netdev x y { devices = { x } ; }
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases/chains/dumps/netdev_chain_0.nft')
| -rw-r--r-- | tests/shell/testcases/chains/dumps/netdev_chain_0.nft | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft new file mode 100644 index 00000000..bc02dc18 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft @@ -0,0 +1,5 @@ +table netdev x { + chain y { + type filter hook ingress devices = { d0, d1 } priority filter; policy accept; + } +} |