| Field | Value | Date |
|---|---|---|
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-19 11:50:01 +0200 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-24 22:48:42 +0200 |
| commit | a66b5ad9540dd64c7c67006201b8b3ccf8e4316b (patch) | |
| tree | d642bd18f44fa6672a27126c63cc2fb991120423 /tests/shell/testcases/chains/netdev_chain_0 | |
| parent | 99b56d4ee1442ccfa0aadde3cb3ecee74a4de815 (diff) | |
src: allow for updating devices on existing netdev chain
This patch allows you to add/remove devices to an existing chain:

```
# cat ruleset.nft
table netdev x {
	chain y {
		type filter hook ingress devices = { eth0 } priority 0; policy accept;
	}
}
# nft -f ruleset.nft
# nft add chain netdev x y '{ devices = { eth1 }; }'
# nft list ruleset
table netdev x {
	chain y {
		type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
	}
}
# nft delete chain netdev x y '{ devices = { eth0 }; }'
# nft list ruleset
table netdev x {
	chain y {
		type filter hook ingress devices = { eth1 } priority 0; policy accept;
	}
}
```

This feature allows for creating an empty netdev chain, with no devices.
In such a case, no packets are seen until a device is registered.

This patch includes extended netlink error reporting:

```
# nft add chain netdev x y '{ devices = { x } ; }'
Error: Could not process rule: No such file or directory
add chain netdev x y { devices = { x } ; }
                                   ^
```
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
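The commit message shows the device set of a netdev chain changing with each `add chain` / `delete chain`, and notes that a chain left with no devices sees no packets at all. The script below is an added example, not part of the nftables commit or test suite: it parses `nft list` output for a given netdev table and chain, extracts the bound device set (the `devices = { ... }` form from the commit message, and also the single-device `device eth0` form), and compares it with the set an operator expects after an update, returning a distinct status when the chain has ended up with no devices. The sample ruleset texts, the interface names `eth0`/`eth1`, and the `check_live_devices` wrapper around `nft list chain` are constructed for this example.

```shell
#!/bin/bash
# Added example, not part of the nftables commit: after updating the device
# list of a netdev chain, confirm the chain actually binds the devices you
# expect. An empty netdev chain is legal but sees no packets, so a delete that
# removes the last device silently turns the filter off.

# Constructed sample of `nft list ruleset` output, in the shape shown in the
# commit message (eth0/eth1 are placeholder interface names).
SAMPLE_RULESET='table netdev x {
	chain y {
		type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
	}
}'

# Constructed sample of a netdev chain with no devices bound.
EMPTY_RULESET='table netdev x {
	chain y {
		type filter hook ingress priority 0; policy accept;
	}
}'

# Read `nft list ...` text on stdin and print the devices bound to chain $2 of
# netdev table $1, one per line, sorted. Understands the set form
# "devices = { a, b }" and the single-device form "device a".
chain_devices() {
	awk -v t="$1" -v c="$2" '
	depth == 0 && $1 == "table" && $2 == "netdev" && $3 == t { in_table = 1 }
	in_table && depth == 1 && $1 == "chain" && $2 == c { in_chain = 1 }
	in_chain && depth == 2 && /hook/ {
		if (match($0, /devices = [{][^}]*[}]/)) {
			# strip "devices = {" (11 chars) and the closing "}"
			n = split(substr($0, RSTART + 11, RLENGTH - 12), devs, ",")
			for (i = 1; i <= n; i++) {
				gsub(/[ \t]/, "", devs[i])
				if (devs[i] != "") print devs[i]
			}
		} else if (match($0, /device [^ ]+/)) {
			print substr($0, RSTART + 7, RLENGTH - 7)
		}
	}
	{
		# track brace nesting so a chain name only matches inside the right table
		depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
		if (in_chain && depth < 2) in_chain = 0
		if (in_table && depth < 1) in_table = 0
	}' | sort -u
}

# Succeeds only when chain $2 of netdev table $1 (ruleset text on stdin) binds
# exactly the devices given as the remaining arguments. Returns 1 on a
# mismatch and 2 when the chain has no devices at all.
devices_match() {
	local table="$1" chain="$2" have want
	shift 2
	have=$(chain_devices "$table" "$chain")
	[ -n "$have" ] || return 2
	want=$(printf '%s\n' "$@" | sort -u)
	[ "$have" = "$want" ]
}

# Live variant (assumed wrapper, needs root): query the kernel through nft.
#   $NFT add chain netdev x y '{ devices = { eth1 }; }'
#   check_live_devices x y eth0 eth1 || echo "device set differs from expectation"
check_live_devices() {
	local table="$1" chain="$2"
	shift 2
	"${NFT:-nft}" list chain netdev "$table" "$chain" | devices_match "$table" "$chain" "$@"
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_RULESET" | devices_match x y eth0 eth1 && echo "x/y binds eth0 and eth1"
printf '%s\n' "$EMPTY_RULESET" | devices_match x y eth0 || echo "x/y: no devices bound (rc=$?)"
```

In a deployment script, call `check_live_devices` right after each `nft add chain` / `nft delete chain` that touches the device list and treat return code 2 as a hard failure: the update was accepted, but the chain no longer filters anything.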
Diffstat (limited to 'tests/shell/testcases/chains/netdev_chain_0')

| Mode | File | Lines |
|---|---|---|
| -rwxr-xr-x | tests/shell/testcases/chains/netdev_chain_0 | 33 |

1 files changed, 33 insertions, 0 deletions
diff --git a/tests/shell/testcases/chains/netdev_chain_0 b/tests/shell/testcases/chains/netdev_chain_0 new file mode 100755 index 00000000..67cd715f --- /dev/null +++ b/tests/shell/testcases/chains/netdev_chain_0 @@ -0,0 +1,33 @@ +#!/bin/bash + +ip link add d0 type dummy || { + echo "Skipping, no dummy interface available" + exit 0 +} +trap "ip link del d0" EXIT + +ip link add d1 type dummy || { + echo "Skipping, no dummy interface available" + exit 0 +} +trap "ip link del d1" EXIT + +ip link add d2 type dummy || { + echo "Skipping, no dummy interface available" + exit 0 +} +trap "ip link del d2" EXIT + +set -e + +RULESET="table netdev x { + chain y { + type filter hook ingress priority 0; policy accept; + } +}" + +$NFT -f - <<< "$RULESET" + +$NFT add chain netdev x y '{ devices = { d0 }; }' +$NFT add chain netdev x y '{ devices = { d1, d2, lo }; }' +$NFT delete chain netdev x y '{ devices = { lo }; }' |
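Review bot: the three `trap "ip link del dN" EXIT` lines each replace the previous handler, so only `ip link del d2` runs at exit and d0 and d1 are left behind on the host; on the next run `ip link add d0` then fails and the test skips with "no dummy interface available" instead of running. Register one cumulative handler instead, for example `trap "ip link del d0; ip link del d1; ip link del d2" EXIT` after the last link is created, or append to a cleanup list as each device is added. Two smaller points on the same hunk: the test never reads the chain back, so an add or delete that is accepted but not applied would still pass; a final `$NFT list chain netdev x y` checked against the expected `devices = { d0, d1, d2 }` set would close that gap. And the extended error path described in the commit message (adding a device that does not exist) is not exercised; a negative check such as `$NFT add chain netdev x y '{ devices = { nonexistent }; }' && exit 1` would cover it.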