authorMáté Eckl <ecklm94@gmail.com>2018-08-03 10:55:33 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-08-14 15:32:00 +0200
commitc8a0e8c90e2d1188e6fcdd8951b295722e56d542 (patch)
tree77b3b9afcefd7041228fe1fac2685735d54755a8 /tests/shell
parent7da51693235248b78c502c162145539cb9dd8b6f (diff)
src: Set/print standard chain prios with textual names
This patch adds the possibility to use textual names to set the chain priority to standard values so that numeric values do not need to be learnt any more for basic usage. Basic arithmetic can also be done with them to ease the addition of relatively higher/lower priority chains. Addition and substraction is possible. Values are also printed with their friendly name within the range of <basicprio> +- 10. Also numeric printing is supported in case of -nnn option (numeric == NFT_NUMERIC_ALL) The supported name-value pairs and where they are valid is based on how x_tables use these values when registering their base chains. (See iptables/nft.c in the iptables repository). Also see the compatibility matrices extracted from the man page: Standard priority names, family and hook compatibility matrix ┌─────────┬───────┬────────────────┬─────────────┐ │Name │ Value │ Families │ Hooks │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │raw │ -300 │ ip, ip6, inet │ all │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │mangle │ -150 │ ip, ip6, inet │ all │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │dstnat │ -100 │ ip, ip6, inet │ prerouting │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │filter │ 0 │ ip, ip6, inet, │ all │ │ │ │ arp, netdev │ │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │security │ 50 │ ip, ip6, inet │ all │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │srcnat │ 100 │ ip, ip6, inet │ postrouting │ └─────────┴───────┴────────────────┴─────────────┘ Standard priority names and hook compatibility for the bridge family ┌───────┬───────┬─────────────┐ │ │ │ │ │Name │ Value │ Hooks │ ├───────┼───────┼─────────────┤ │ │ │ │ │dstnat │ -300 │ prerouting │ ├───────┼───────┼─────────────┤ │ │ │ │ │filter │ -200 │ all │ ├───────┼───────┼─────────────┤ │ │ │ │ │out │ 100 │ output │ ├───────┼───────┼─────────────┤ │ │ │ │ │srcnat │ 300 │ postrouting │ 
└───────┴───────┴─────────────┘ This can also be applied to flowtables, where it works as a netdev family chain. Example: nft> add table ip x nft> add chain ip x y { type filter hook prerouting priority raw; } nft> add chain ip x z { type filter hook prerouting priority mangle + 1; } nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; } nft> add chain ip x r { type filter hook prerouting priority filter + 10; } nft> add chain ip x t { type filter hook prerouting priority security; } nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; } nft> add chain ip x h { type filter hook prerouting priority 15; } nft> nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = {enp0s31f6}; } nft> nft> add table arp x nft> add chain arp x y { type filter hook input priority filter + 5; } nft> nft> add table bridge x nft> add chain bridge x y { type filter hook input priority filter + 9; } nft> add chain bridge x z { type filter hook prerouting priority dstnat; } nft> add chain bridge x q { type filter hook postrouting priority srcnat; } nft> add chain bridge x k { type filter hook output priority out; } nft> nft> list ruleset table ip x { flowtable y { hook ingress priority filter + 5 devices = { enp0s31f6 } } chain y { type filter hook prerouting priority raw; policy accept; } chain z { type filter hook prerouting priority mangle + 1; policy accept; } chain w { type filter hook prerouting priority dstnat - 5; policy accept; } chain r { type filter hook prerouting priority filter + 10; policy accept; } chain t { type filter hook prerouting priority security; policy accept; } chain q { type filter hook postrouting priority 111; policy accept; } chain h { type filter hook prerouting priority 15; policy accept; } } table arp x { chain y { type filter hook input priority filter + 5; policy accept; } } table bridge x { chain y { type filter hook input priority filter + 9; policy accept; } chain z { type filter hook prerouting 
priority dstnat; policy accept; } chain q { type filter hook postrouting priority srcnat; policy accept; } chain k { type filter hook output priority out; policy accept; } } nft> # Everything should fail after this nft> add chain ip x h { type filter hook prerouting priority first; } Error: 'first' is invalid priority in this context. add chain ip x h { type filter hook prerouting priority first; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; } Error: 'srcnat' is invalid priority in this context. add chain ip x q { type filter hook prerouting priority srcnat + 11; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain arp x y { type filter hook input priority raw; } Error: 'raw' is invalid priority in this context. add chain arp x y { type filter hook input priority raw; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; } Error: 'magle' is invalid priority. add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain bridge x r { type filter hook postrouting priority dstnat; } Error: 'dstnat' is invalid priority in this context. add chain bridge x r { type filter hook postrouting priority dstnat; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain bridge x t { type filter hook prerouting priority srcnat; } Error: 'srcnat' is invalid priority in this context. add chain bridge x t { type filter hook prerouting priority srcnat; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
-rw-r--r--tests/shell/testcases/chains/dumps/0006masquerade_0.nft2
-rwxr-xr-xtests/shell/testcases/flowtable/dumps/0001flowtable_0.nft2
-rw-r--r--tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft4
-rw-r--r--tests/shell/testcases/sets/dumps/0024named_objects_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0026named_limit_0.nft2
-rwxr-xr-xtests/shell/testcases/transactions/0040set_02
-rw-r--r--tests/shell/testcases/transactions/dumps/0011chain_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0012chain_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0013chain_0.nft2
-rw-r--r--tests/shell/testcases/transactions/dumps/0040set_0.nft2
11 files changed, 12 insertions, 12 deletions
diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
index e4b9872b..90253a41 100644
--- a/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
+++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
@@ -1,6 +1,6 @@
table ip t {
chain c1 {
- type nat hook postrouting priority 0; policy accept;
+ type nat hook postrouting priority filter; policy accept;
masquerade
}
}
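Review bot: The new expected output prints a `type nat hook postrouting` chain as `priority filter`, so the printer evidently chooses the textual name from the value and hook alone, not from the chain type; to a reader this dump now suggests a filter-stage chain, while the commit message's table lists `srcnat` (100) as the standard NAT priority for postrouting. Either the printer should fall back to the numeric value when the matched name does not fit the chain type, or this testcase should use `type nat hook postrouting priority srcnat; policy accept;` so the dump documents the conventional value; if names are deliberately type-agnostic, one sentence in the commit message saying so would stop this from reading as a bug. Operators reviewing dumps should also note that a NAT chain at 0 sits in the same slot as filter-stage chains instead of after them as `srcnat` would, which the `filter` label does not make obvious.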
diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
index 32250699..6a1c7b81 100755
--- a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
+++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
@@ -1,6 +1,6 @@
table inet t {
flowtable f {
- hook ingress priority 10
+ hook ingress priority filter + 10
devices = { lo }
}
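Review bot: `priority 10` printing as `filter + 10` pins the inclusive edge of the ±10 naming window described in the commit message, but no dump in this series pins the exclusive side for flowtables, so a later change to the window or an off-by-one in the comparison would go unnoticed here. Consider a companion dump with `hook ingress priority 11` expected to stay numeric, mirroring the `srcnat + 11` → `111` case the commit message shows for chains.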
diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
index 1ab6e864..d7e78089 100644
--- a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
@@ -1,10 +1,10 @@
table inet filter {
chain ssh {
- type filter hook input priority 0; policy accept;
+ type filter hook input priority filter; policy accept;
tcp dport 22 accept
}
chain input {
- type filter hook input priority 1; policy accept;
+ type filter hook input priority filter + 1; policy accept;
}
}
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
index 929c5d93..91c3c46b 100644
--- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -21,7 +21,7 @@ table inet x {
}
chain y {
- type filter hook input priority 0; policy accept;
+ type filter hook input priority filter; policy accept;
counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
quota name ip saddr map @test drop
}
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
index 78b7dec5..6204b00c 100644
--- a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -1,6 +1,6 @@
table ip t {
chain c {
- type filter hook output priority 0; policy accept;
+ type filter hook output priority filter; policy accept;
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
tcp dport { 22, 23 } counter packets 0 bytes 0
}
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
index 5d63ab20..e4daa28c 100644
--- a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
@@ -4,7 +4,7 @@ table ip filter {
}
chain input {
- type filter hook input priority 0; policy accept;
+ type filter hook input priority filter; policy accept;
limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
}
}
diff --git a/tests/shell/testcases/transactions/0040set_0 b/tests/shell/testcases/transactions/0040set_0
index c991b84e..a404abc8 100755
--- a/tests/shell/testcases/transactions/0040set_0
+++ b/tests/shell/testcases/transactions/0040set_0
@@ -9,7 +9,7 @@ RULESET="table ip filter {
}
chain FORWARD {
- type filter hook forward priority 0; policy accept;
+ type filter hook forward priority filter; policy accept;
goto client_to_any
}
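Review bot: Changing the input ruleset from `priority 0` to `priority filter` removes the only place in these tests where a numeric priority is fed in and expected to round-trip to the textual name; since the printer maps 0 to `filter` anyway, the updated `0040set_0.nft` dump would match even if the input stayed numeric. Unless the script compares the listing against `$RULESET` verbatim (that comparison, if any, is outside the hunk), keeping `type filter hook forward priority 0; policy accept;` here would preserve coverage of numeric input while the dump covers the textual form. The `RULESET=` assignment starts before this hunk and the rest of the literal is not visible.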
diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.nft b/tests/shell/testcases/transactions/dumps/0011chain_0.nft
index 02cdb238..df88ad47 100644
--- a/tests/shell/testcases/transactions/dumps/0011chain_0.nft
+++ b/tests/shell/testcases/transactions/dumps/0011chain_0.nft
@@ -1,5 +1,5 @@
table ip x {
chain y {
- type filter hook input priority 0; policy drop;
+ type filter hook input priority filter; policy drop;
}
}
diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.nft b/tests/shell/testcases/transactions/dumps/0012chain_0.nft
index 1fddecbb..b9f5e43d 100644
--- a/tests/shell/testcases/transactions/dumps/0012chain_0.nft
+++ b/tests/shell/testcases/transactions/dumps/0012chain_0.nft
@@ -1,5 +1,5 @@
table ip w {
chain y {
- type filter hook output priority 0; policy accept;
+ type filter hook output priority filter; policy accept;
}
}
diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.nft b/tests/shell/testcases/transactions/dumps/0013chain_0.nft
index 1fddecbb..b9f5e43d 100644
--- a/tests/shell/testcases/transactions/dumps/0013chain_0.nft
+++ b/tests/shell/testcases/transactions/dumps/0013chain_0.nft
@@ -1,5 +1,5 @@
table ip w {
chain y {
- type filter hook output priority 0; policy accept;
+ type filter hook output priority filter; policy accept;
}
}
diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.nft b/tests/shell/testcases/transactions/dumps/0040set_0.nft
index fe864058..a29232bf 100644
--- a/tests/shell/testcases/transactions/dumps/0040set_0.nft
+++ b/tests/shell/testcases/transactions/dumps/0040set_0.nft
@@ -4,7 +4,7 @@ table ip filter {
}
chain FORWARD {
- type filter hook forward priority 0; policy accept;
+ type filter hook forward priority filter; policy accept;
goto client_to_any
}