From 57f844782fa86660ce16b79b485ec34729bce4f7 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Mon, 16 Sep 2013 18:27:37 +0200
Subject: Update chain creation format. type keyword is now mandatory when creating a new chain. This patc halso implement the change required following the usage of human notation in hook. It also suppressed non currently supported mangle chains.
Signed-off-by: Eric Leblond
Signed-off-by: Pablo Neira Ayuso
---
 files/nftables/bridge-filter | 6 +++---
 files/nftables/ipv4-filter | 6 +++---
 files/nftables/ipv4-mangle | 6 +-----
 files/nftables/ipv4-nat | 6 ++++++
 files/nftables/ipv6-filter | 6 +++---
 files/nftables/ipv6-mangle | 6 +-----
 files/nftables/ipv6-nat | 6 ++++++
 7 files changed, 23 insertions(+), 19 deletions(-)
 create mode 100644 files/nftables/ipv4-nat
 create mode 100644 files/nftables/ipv6-nat
(limited to 'files')
diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
index ca306d48..54779c4a 100644
--- a/files/nftables/bridge-filter
+++ b/files/nftables/bridge-filter
@@ -1,7 +1,7 @@
 #! nft -f

 table bridge filter {
- chain input { hook NF_INET_LOCAL_IN -200; }
- chain forward { hook NF_INET_FORWARD -200; }
- chain output { hook NF_INET_LOCAL_OUT 200; }
+ chain input { type filter hook input priority -200; }
+ chain forward { type filter hook forward priority -200; }
+ chain output { type filter hook output priority 200; }
 }
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
index 3f962143..3174e7a9 100644
--- a/files/nftables/ipv4-filter
+++ b/files/nftables/ipv4-filter
@@ -1,7 +1,7 @@
 #! nft -f

 table filter {
- chain input { hook NF_INET_LOCAL_IN 0; }
- chain forward { hook NF_INET_FORWARD 0; }
- chain output { hook NF_INET_LOCAL_OUT 0; }
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
 }
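Review bot: The priorities in files/nftables/bridge-filter are asymmetric, -200 for `input` and `forward` but 200 for `output`, and nothing in the file explains the sign difference. The values appear to mirror the ebtables filter table (NF_BR_PRI_FILTER_BRIDGED for input/forward, NF_BR_PRI_FILTER_OTHER for output), but that is inferred rather than stated in the patch. A comment above the chains such as `# priorities follow ebtables filter: -200 for input/forward, 200 for output` would stop a later edit from "correcting" the output value and changing where the chain runs relative to other bridge hooks.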
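Review bot: Nothing in files/nftables/ipv4-filter says that the three base chains are created empty, so loading the file registers hooks that let every packet through, and the table name `filter` can be mistaken for a working policy. A header comment such as `# skeleton only: chains hold no rules and accept all traffic until rules are added` would make that explicit for anyone deploying the file as shipped. The same applies to files/nftables/ipv6-filter and files/nftables/bridge-filter.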
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
index 339cacea..27327d3b 100644
--- a/files/nftables/ipv4-mangle
+++ b/files/nftables/ipv4-mangle
@@ -1,9 +1,5 @@
 #! nft -f

 table mangle {
- chain prerouting { hook NF_INET_PRE_ROUTING -150; }
- chain input { hook NF_INET_LOCAL_IN -150; }
- chain forward { hook NF_INET_FORWARD -150; }
- chain output { hook NF_INET_LOCAL_OUT -150; }
- chain postrouting { hook NF_INET_POST_ROUTING -150; }
+ chain output { type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
new file mode 100644
index 00000000..99d69514
--- /dev/null
+++ b/files/nftables/ipv4-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table nat {
+ chain prerouting { type nat hook prerouting priority -150; }
+ chain postrouting { type nat hook postrouting priority -150; }
+}
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
index 9e412784..98fce02d 100644
--- a/files/nftables/ipv6-filter
+++ b/files/nftables/ipv6-filter
@@ -1,7 +1,7 @@
 #! nft -f

 table ip6 filter {
- chain input { hook NF_INET_LOCAL_IN 0; }
- chain forward { hook NF_INET_FORWARD 0; }
- chain output { hook NF_INET_LOCAL_OUT 0; }
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
 }
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
index dc18c7a8..72743532 100644
--- a/files/nftables/ipv6-mangle
+++ b/files/nftables/ipv6-mangle
@@ -1,9 +1,5 @@
 #! nft -f

 table ip6 mangle {
- chain prerouting { hook NF_INET_PRE_ROUTING -150; }
- chain input { hook NF_INET_LOCAL_IN -150; }
- chain forward { hook NF_INET_FORWARD -150; }
- chain output { hook NF_INET_LOCAL_OUT -150; }
- chain postrouting { hook NF_INET_POST_ROUTING -150; }
+ chain output { type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
new file mode 100644
index 00000000..33ecf9b6
--- /dev/null
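Review bot: Removing `prerouting`, `input`, `forward` and `postrouting` from `table mangle` means any ruleset that adds rules to those chains will now fail to load, and the file gives no hint that they were dropped on purpose. Only the output hook needs the `route` type, since that is where a changed mark or header triggers a new routing lookup; the other four could presumably be kept as plain filter chains at the same priority, e.g. `chain prerouting { type filter hook prerouting priority -150; }`. If the removal is intended, a comment in the file naming the missing chains would help users whose existing marking rules no longer have a chain to attach to. The same applies to files/nftables/ipv6-mangle.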
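Review bot: Both chains in files/nftables/ipv4-nat are registered at priority -150, which is the value used for mangle in files/nftables/ipv4-mangle rather than the iptables NAT convention of -100 for destination NAT at prerouting and 100 for source NAT at postrouting. At -150 the postrouting chain runs before any chain hooked at priority 0 on the same hook, so a postrouting filter chain would match already-translated source addresses, which may not be what rule authors expect. Consider `type nat hook prerouting priority -100;` and `type nat hook postrouting priority 100;`, or add a comment explaining why -150 is wanted. files/nftables/ipv6-nat uses the same values.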
+++ b/files/nftables/ipv6-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table ip6 nat {
+ chain prerouting { type nat hook prerouting priority -150; }
+ chain postrouting { type nat hook postrouting priority -150; }
+}
--
cgit v1.2.3