From 6c43069e5f2a55d769ec6d362bc863af906591d0 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 4 Jun 2015 20:58:59 +0200
Subject: src: add netdev family support

This patch adds support for the new 'netdev' table. So far, this table allows you to create filter chains from ingress.
The following example shows a very simple base configuration with one table that contains a basechain that is attached to the 'eth0':
# nft list table netdev filter
table netdev filter {
chain eth0-ingress {
type filter hook ingress device eth0 priority 0; policy accept;
}
}
You can test that this works by adding a simple rule with counters:
# nft add rule netdev filter eth0-ingress counter
Signed-off-by: Pablo Neira Ayuso
---
 src/rule.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
(limited to 'src/rule.c')
diff --git a/src/rule.c b/src/rule.c
index b2090ddd..f930a374 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -333,6 +333,7 @@ static const char *chain_hookname_str_array[] = {
 "forward",
 "postrouting",
 "output",
+ "ingress",
 NULL,
 };
@@ -398,6 +399,8 @@ const char *family2str(unsigned int family)
 return "ip6";
 case NFPROTO_INET:
 return "inet";
+ case NFPROTO_NETDEV:
+ return "netdev";
 case NFPROTO_ARP:
 return "arp";
 case NFPROTO_BRIDGE:
@@ -441,6 +444,13 @@ static const char *hooknum2str(unsigned int family, unsigned int hooknum)
 default:
 break;
 }
+ break;
+ case NFPROTO_NETDEV:
+ switch (hooknum) {
+ case NF_NETDEV_INGRESS:
+ return "ingress";
+ }
+ break;
 default:
 break;
 };
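Review bot: The inner `switch (hooknum)` added under `case NFPROTO_NETDEV:` in `hooknum2str` has no `default:` label, whereas the inner switch that closes just above it in this hunk ends with `default: break;`. Adding `default: break;` after the `NF_NETDEV_INGRESS` case keeps the two consistent and avoids a `-Wswitch-default` warning. An unrecognised netdev hook number then visibly takes the same path as for the other families, down to whatever the function returns after the outer switch, which lies outside this hunk.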
@@ -465,10 +475,17 @@ static void chain_print(const struct chain *chain)
 printf("\tchain %s {\n", chain->handle.chain);
 if (chain->flags & CHAIN_F_BASECHAIN) {
- printf("\t\ttype %s hook %s priority %d; policy %s;\n",
- chain->type,
- hooknum2str(chain->handle.family, chain->hooknum),
- chain->priority, chain_policy2str(chain->policy));
+ if (chain->dev != NULL) {
+ printf("\t\ttype %s hook %s device %s priority %d;\n",
+ chain->type,
+ hooknum2str(chain->handle.family, chain->hooknum),
+ chain->dev, chain->priority);
+ } else {
+ printf("\t\ttype %s hook %s priority %d;\n",
+ chain->type,
+ hooknum2str(chain->handle.family, chain->hooknum),
+ chain->priority);
+ }
 }
 list_for_each_entry(rule, &chain->rules, list) {
 printf("\t\t");
-- cgit v1.2.3
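Review bot: Both new `printf` branches in `chain_print` drop the `policy %s;` field and the `chain_policy2str(chain->policy)` argument that the removed call printed, so a base chain's default verdict no longer appears in the listing, although the commit message's own example output shows `policy accept;`. For a packet filter this is more than cosmetic: a chain whose policy is drop lists the same as one whose policy is accept, and if listing output is saved and loaded back (not visible here, but a common workflow) the restored chain would presumably fall back to the default policy. I would keep the field in both format strings, e.g. `"\t\ttype %s hook %s device %s priority %d; policy %s;\n"`, and pass `chain_policy2str(chain->policy)` as the last argument in each branch. The function starts and ends outside the hunk.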