diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-04 02:43:44 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 21:56:29 +0200 |
| commit | c330152b7f7779f15dba3e0862bf5616e7cb3eab (patch) | |
| tree | 49c9ab5d837ab99a23e15399acb7ea610606ecfc /tests/shell/testcases | |
| parent | 1cba7a5e5e96dd920271823125b45e182f22ec82 (diff) | |
src: support for implicit chain bindings
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also supports for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
| -rwxr-xr-x | tests/shell/testcases/chains/0041chain_binding_0 | 18 | ||||
| -rw-r--r-- | tests/shell/testcases/chains/dumps/0041chain_binding_0.nft | 12 |
2 files changed, 30 insertions, 0 deletions
diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0 new file mode 100755 index 00000000..59bdbe9f --- /dev/null +++ b/tests/shell/testcases/chains/0041chain_binding_0 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +EXPECTED="table inet x { + chain y { + type filter hook input priority 0; + meta l4proto { tcp, udp } th dport 53 jump { + ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept + ip6 saddr ::1/128 counter accept + } + } +}" + +$NFT -f - <<< $EXPECTED +$NFT add rule inet x y meta l4proto icmpv6 jump { counter accept\; } +$NFT add rule inet x y meta l4proto sctp jump { drop\; } +$NFT delete rule inet x y handle 13 diff --git a/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft new file mode 100644 index 00000000..520203d8 --- /dev/null +++ b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft @@ -0,0 +1,12 @@ +table inet x { + chain y { + type filter hook input priority filter; policy accept; + meta l4proto { tcp, udp } th dport 53 jump { + ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter packets 0 bytes 0 accept + ip6 saddr ::1 counter packets 0 bytes 0 accept + } + meta l4proto ipv6-icmp jump { + counter packets 0 bytes 0 accept + } + } +} |