From c8a0e8c90e2d1188e6fcdd8951b295722e56d542 Mon Sep 17 00:00:00 2001 
From: Máté Eckl
Date: Fri, 3 Aug 2018 10:55:33 +0200
Subject: src: Set/print standard chain prios with textual names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch adds the possibility to use textual names to set the chain
priority to standard values so that numeric values do not need to be
learnt any more for basic usage.

Basic arithmetic can also be done with them to ease the addition of
relatively higher/lower priority chains. Addition and subtraction are
possible.

Values are also printed with their friendly name within the range of
+- 10. Numeric printing is also supported in case of the -nnn option
(numeric == NFT_NUMERIC_ALL).

The supported name-value pairs and where they are valid is based on how
x_tables use these values when registering their base chains. (See
iptables/nft.c in the iptables repository.) Also see the compatibility
matrices extracted from the man page:

Standard priority names, family and hook compatibility matrix
┌──────────┬───────┬────────────────────────────┬─────────────┐
│ Name     │ Value │ Families                   │ Hooks       │
├──────────┼───────┼────────────────────────────┼─────────────┤
│ raw      │ -300  │ ip, ip6, inet              │ all         │
│ mangle   │ -150  │ ip, ip6, inet              │ all         │
│ dstnat   │ -100  │ ip, ip6, inet              │ prerouting  │
│ filter   │ 0     │ ip, ip6, inet, arp, netdev │ all         │
│ security │ 50    │ ip, ip6, inet              │ all         │
│ srcnat   │ 100   │ ip, ip6, inet              │ postrouting │
└──────────┴───────┴────────────────────────────┴─────────────┘

Standard priority names and hook compatibility for the bridge family
┌────────┬───────┬─────────────┐
│ Name   │ Value │ Hooks       │
├────────┼───────┼─────────────┤
│ dstnat │ -300  │ prerouting  │
│ filter │ -200  │ all         │
│ out    │ 100   │ output      │
│ srcnat │ 300   │ postrouting │
└────────┴───────┴─────────────┘

This can also be applied for flowtables, where it works as a netdev
family chain.

Example:

nft> add table ip x
nft> add chain ip x y { type filter hook prerouting priority raw; }
nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
nft> add chain ip x t { type filter hook prerouting priority security; }
nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; }
nft> add chain ip x h { type filter hook prerouting priority 15; }
nft>
nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = {enp0s31f6}; }
nft>
nft> add table arp x
nft> add chain arp x y { type filter hook input priority filter + 5; }
nft>
nft> add table bridge x
nft> add chain bridge x y { type filter hook input priority filter + 9; }
nft> add chain bridge x z { type filter hook prerouting priority dstnat; }
nft> add chain bridge x q { type filter hook postrouting priority srcnat; }
nft> add chain bridge x k { type filter hook output priority out; }
nft>
nft> list ruleset
table ip x {
	flowtable y {
		hook ingress priority filter + 5
		devices = { enp0s31f6 }
	}

	chain y {
		type filter hook prerouting priority raw; policy accept;
	}

	chain z {
		type filter hook prerouting priority mangle + 1; policy accept;
	}

	chain w {
		type filter hook prerouting priority dstnat - 5; policy accept;
	}

	chain r {
		type filter hook prerouting priority filter + 10; policy accept;
	}

	chain t {
		type filter hook prerouting priority security; policy accept;
	}

	chain q {
		type filter hook postrouting priority 111; policy accept;
	}

	chain h {
		type filter hook prerouting priority 15; policy accept;
	}
}
table arp x {
	chain y {
		type filter hook input priority filter + 5; policy accept;
	}
}
table bridge x {
	chain y {
		type filter hook input priority filter + 9; policy accept;
	}

	chain z {
		type filter hook prerouting priority dstnat; policy accept;
	}

	chain q {
		type filter hook postrouting priority srcnat; policy accept;
	}

	chain k {
		type filter hook output priority out; policy accept;
	}
}
nft> # Everything should fail after this
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
Error: 'srcnat' is invalid priority in this context.
add chain ip x q { type filter hook prerouting priority srcnat + 11; }
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain arp x y { type filter hook input priority raw; }
Error: 'raw' is invalid priority in this context.
add chain arp x y { type filter hook input priority raw; }
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
Error: 'magle' is invalid priority.
add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x r { type filter hook postrouting priority dstnat; }
Error: 'dstnat' is invalid priority in this context.
add chain bridge x r { type filter hook postrouting priority dstnat; }
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x t { type filter hook prerouting priority srcnat; }
Error: 'srcnat' is invalid priority in this context.
add chain bridge x t { type filter hook prerouting priority srcnat; }
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Máté Eckl
Signed-off-by: Pablo Neira Ayuso --- doc/nft.txt | 56 +++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 49 insertions(+), 7 deletions(-) (limited to 'doc/nft.txt') diff --git a/doc/nft.txt b/doc/nft.txt index 6c73bc5a..2a1a2977 100644 --- a/doc/nft.txt +++ b/doc/nft.txt @@ -37,7 +37,7 @@ For a full summary of options, run *nft --help*. Show data numerically. When used once (the default behaviour), skip lookup of addresses to symbolic names. Use twice to also show Internet services (port numbers) numerically. Use three times to also show - protocols and UIDs/GIDs numerically. + protocols, UIDs/GIDs and priorities numerically. *-s*:: *--stateless*:: 
@@ -345,13 +345,51 @@ further quirks worth noticing: * arp family supports only *input* and *output* hooks, both in chains of type *filter*. -The *priority* parameter accepts a signed integer value which specifies the -order in which chains with same *hook* value are traversed. The ordering is -ascending, i.e. lower priority values have precedence over higher ones. +The *priority* parameter accepts a signed integer value or a standard priority +name which specifies the order in which chains with same *hook* value are +traversed. The ordering is ascending, i.e. lower priority values have precedence +over higher ones. -Base chains also allow to set the chain's *policy*, i.e. what happens to packets -not explicitly accepted or refused in contained rules. Supported policy values -are *accept* (which is the default) or *drop*. +Standard priority values can be replaced with easily memorizable names. Not all +names make sense in every family with every hook (see the compatibility matrices +below) but their numerical value can still be used for prioritizing chains. + +These names and values are defined and made available based on what priorities +are used by xtables when registering their default chains. + +Most of the families use the same values, but bridge uses different ones from +the others. See the following tables that describe the values and compatibility. 
+ +.Standard priority names, family and hook compatibility matrix +[options="header"] +|================== +| Name | Value | Families | Hooks +| raw | -300 | ip, ip6, inet | all +| mangle | -150 | ip, ip6, inet | all +| dstnat | -100 | ip, ip6, inet | prerouting +| filter | 0 | ip, ip6, inet, arp, netdev | all +| security | 50 | ip, ip6, inet | all +| srcnat | 100 | ip, ip6, inet | postrouting +|=================== + +.Standard priority names and hook compatibility for the bridge family +[option="header"] +|================== +| Name | Value | Hooks +| dstnat | -300 | prerouting +| filter | -200 | all +| out | 100 | output +| srcnat | 300 | postrouting +|================== + +Basic arithmetic expressions (addition and substraction) can also be achieved +with these standard names to ease relative prioritizing, eg. *mangle - 5* stands +for *-155*. Values will also be printed like this untill the value is not +further than 10 form the standard value. + +Base chains also allow to set the chain's *policy*, i.e. what happens to +packets not explicitly accepted or refused in contained rules. Supported policy +values are *accept* (which is the default) or *drop*. RULES ----- @@ -545,6 +583,10 @@ family and their name. The address family must be one of ip, ip6, inet. The inet address family is a dummy family which is used to create hybrid IPv4/IPv6 tables. When no address family is specified, ip is used by default. +The *priority* can be a signed integer or *filter* which stands for 0. Addition +and substraction can be used to set relative priority eg. filter + 5 equals to +5. + [horizontal] *add*:: Add a new flowtable for the given family with the given name. *delete*:: Delete the specified flowtable. -- cgit v1.2.3
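Review bot: in the base-chain hunk (@@ -345,13 +345,51 @@) the bridge table is introduced with `[option="header"]` while the first table uses `[options="header"]`; AsciiDoc only knows the `options` attribute, so the bridge table's `Name | Value | Hooks` row will render as an ordinary data row rather than a header. Fix the spelling, and while there make the delimiter lines match: the first table opens with `|==================` and closes with `|===================`, and Asciidoctor pairs opening and closing delimiters by exact length. In the prose of the same hunk, "substraction" should be "subtraction", "untill" should be "until" and "form" should be "from"; the sentence "Values will also be printed like this untill the value is not further than 10 form the standard value" is a double negative and reads more clearly as "Values are also printed in this form while they lie within 10 of a standard value; with -nnn they are always printed numerically", which also ties this paragraph to the -n change made at the top of the patch.

Review bot: in the flowtable hunk (@@ -545,6 +583,10 @@), "substraction" should be "subtraction", "eg." should be "e.g." and "equals to 5" should be "equals 5". The paragraph would also benefit from one sentence on why only *filter* is accepted here: the commit message explains that a flowtable is hooked like a netdev-family chain on the ingress hook, and the chain section's matrix lists only *filter* for netdev, but the man page itself never states that connection, so a reader cannot tell why *mangle* or *raw* is refused for a flowtable.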
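The priority-name rules this commit describes, as an added example that is not nftables' own code: a Python model of the two name tables, the family/hook validity check, the `name + N` / `name - N` arithmetic, the +-10 printing window and the `-nnn` numeric override, so that the behaviour in the transcript above (for instance `srcnat + 11` being listed back as `111`, or `dstnat` being refused on a bridge postrouting chain) can be reproduced without a kernel. The function names, the `PriorityError` class and the `flowtable=` switch are this example's own; the tables and the error wording are copied from the commit message.

```python
"""Standard chain-priority names, modelled after this commit.

Added example, not nftables code: it re-implements in Python the rules
the commit message states (the two name/value tables, which family and
hook each name is valid for, 'name + N' / 'name - N' arithmetic, and
printing a value as 'name +/- N' only while it is within 10 of the
standard value, or as a bare number under -nnn). Names here are the
example's own.
"""
import re

# (name, value, families it is valid for, hooks it is valid for; None = all)
# copied from the two compatibility matrices in the commit message.
STD_PRIOS = [
    ("raw",      -300, {"ip", "ip6", "inet"},                  None),
    ("mangle",   -150, {"ip", "ip6", "inet"},                  None),
    ("dstnat",   -100, {"ip", "ip6", "inet"},                  {"prerouting"}),
    ("filter",      0, {"ip", "ip6", "inet", "arp", "netdev"}, None),
    ("security",   50, {"ip", "ip6", "inet"},                  None),
    ("srcnat",    100, {"ip", "ip6", "inet"},                  {"postrouting"}),
    # bridge has its own, different values
    ("dstnat",   -300, {"bridge"},                             {"prerouting"}),
    ("filter",   -200, {"bridge"},                             None),
    ("out",       100, {"bridge"},                             {"output"}),
    ("srcnat",    300, {"bridge"},                             {"postrouting"}),
]
NAME_RANGE = 10  # print 'name +/- N' only while |N| <= 10
PRIO_RE = re.compile(r"^\s*(-?\d+|[A-Za-z_]\w*)\s*(?:([+-])\s*(\d+))?\s*$")


class PriorityError(ValueError):
    """Carries the same wording nft prints for a rejected priority."""


def _context(family, hook, flowtable):
    """A flowtable is hooked like a netdev-family chain on ingress."""
    return ("netdev", "ingress") if flowtable else (family, hook)


def _candidates(family, hook):
    """(name, value) pairs usable for a base chain of family on hook."""
    return [(n, v) for n, v, fams, hooks in STD_PRIOS
            if family in fams and (hooks is None or hook in hooks)]


def parse_priority(spec, family, hook, flowtable=False):
    """Resolve 'raw', 'mangle + 1', 'dstnat - 5' or '15' to an integer.

    Names unknown in this family/hook are rejected with nft's wording: the
    chain error ends in 'in this context.', the flowtable error does not
    (both forms appear in the commit's transcript).
    """
    family, hook = _context(family, hook, flowtable)
    m = PRIO_RE.match(spec)
    if not m:
        raise PriorityError(f"syntax error in priority '{spec}'")
    base, op, off = m.groups()
    if base.lstrip("-").isdigit():
        if op:  # arithmetic is only defined on top of a standard name
            raise PriorityError(f"syntax error in priority '{spec}'")
        return int(base)
    values = dict(_candidates(family, hook))
    if base not in values:
        suffix = "." if flowtable else " in this context."
        raise PriorityError(f"'{base}' is invalid priority{suffix}")
    value = values[base]
    if op == "+":
        value += int(off)
    elif op == "-":
        value -= int(off)
    return value


def format_priority(value, family, hook, numeric=False, flowtable=False):
    """Render a priority as 'nft list ruleset' would.

    numeric=True models 'nft -nnn': always the bare integer. Otherwise a
    standard name valid for this family/hook is used if one lies within
    NAME_RANGE, e.g. -149 -> 'mangle + 1', but 111 -> '111'.
    """
    family, hook = _context(family, hook, flowtable)
    if not numeric:
        for name, std in _candidates(family, hook):
            delta = value - std
            if delta == 0:
                return name
            if abs(delta) <= NAME_RANGE:
                return f"{name} {'+' if delta > 0 else '-'} {abs(delta)}"
    return str(value)


def round_trip(spec, family, hook, numeric=False, flowtable=False):
    """What 'add chain ... priority <spec>' followed by 'list' would show."""
    value = parse_priority(spec, family, hook, flowtable)
    return format_priority(value, family, hook, numeric, flowtable)


def rejection(spec, family, hook, flowtable=False):
    """The error text nft would print for spec, or None if it is accepted."""
    try:
        parse_priority(spec, family, hook, flowtable)
    except PriorityError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # As in the transcript: srcnat + 11 is 111, more than 10 away from
    # srcnat, so it is listed numerically; mangle + 1 keeps its name.
    for spec, fam, hook in [("mangle + 1", "ip", "prerouting"),
                            ("srcnat + 11", "ip", "postrouting"),
                            ("filter + 9", "bridge", "input")]:
        print(f"{spec:12} {fam}/{hook}: {round_trip(spec, fam, hook)}")
    print("Error:", rejection("srcnat + 11", "ip", "prerouting"))
```

The printing window is applied per family and hook, not per value alone: `-300` is shown as `dstnat` on a bridge prerouting chain but as plain `-300` on a bridge input chain, because the name is only valid on prerouting there.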