Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | tests/shell: add and use chain binding feature probe | Florian Westphal | 2023-09-18 | 1 | -0/+5 |
Alter 30s-stress to suppress anon chains when it's unsupported. Note that 30s-stress can optionally be run standalone, so also update the test script.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>

* | evaluate: init cmd pointer for new on-stack context | Florian Westphal | 2022-03-04 | 1 | -0/+6 |
else, this will segfault when trying to print the "table 'x' doesn't exist" error message.

Signed-off-by: Florian Westphal <fw@strlen.de>

* | src: support for implicit chain bindings | Pablo Neira Ayuso | 2020-07-15 | 1 | -0/+18 |
This patch allows you to group rules in a subchain, e.g.

    table inet x {
            chain y {
                    type filter hook input priority 0;
                    tcp dport 22 jump {
                            ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                            ip6 saddr ::1/128 accept;
                    }
            }
    }

This also supports the `goto' chain verdict.

This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains.

From the shell, you have to use the explicit separator ';', in bash you have to escape this:

    # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>