#!/bin/bash
set -e
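#######################################
# Print a priority offset in the spelling the script appends after a
# priority name: nothing for 0, an explicit "+" sign for positive values,
# the value itself (already carrying "-") for negative ones.
# Arguments: $1 - signed integer offset
# Outputs:   "" / "+N" / "-N" followed by a newline (stdout)
#######################################
format_offset () {
  local offset=$1
  if (( offset == 0 )); then
    printf '\n'
  elif (( offset > 0 )); then
    printf '+%s\n' "$offset"
  else
    # negative values already start with "-", print as-is
    printf '%s\n' "$offset"
  fi
}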
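#######################################
# Build a chain name from hook, priority name and formatted offset, mapping
# the sign characters of the offset to letters ("-" -> "m", "+" -> "p") so
# the resulting name is purely alphanumeric.
# Arguments: $1 - hook
#            $2 - priority name
#            $3 - formatted offset as produced by format_offset ("" / "+N" / "-N");
#                 may be omitted, which is treated like ""
# Outputs:   the chain name (stdout)
#######################################
chainname () {
  local name="${1}${2}${3-}"
  # bash substitution instead of piping through tr: no extra process,
  # same all-occurrences replacement
  name=${name//-/m}
  name=${name//+/p}
  printf '%s\n' "$name"
}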
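#######################################
# Add one chain per offset in {-11, -10, 0, 10, 11} to table "x" of the
# given family, each declared as "priority PRIONAME OFFSET", so every
# spelling of a named priority with an offset is exercised.
# Globals:   NFT (read) - the nft command to run; left unquoted on purpose
#            so a value that carries extra words (a wrapper or options)
#            is word-split into a command line
# Arguments: $1 - family
#            $2 - hook
#            $3 - priority name
# Returns:   non-zero (aborting the script under set -e) if nft rejects a chain
#######################################
gen_chains () {
  local family=$1 hook=$2 prioname=$3
  local off offset name
  for off in -11 -10 0 10 11; do
    offset=$(format_offset "$off")
    name=$(chainname "$hook" "$prioname" "$offset")
    # shellcheck disable=SC2086 — word-splitting of $NFT is intended
    $NFT add chain "$family" x "$name" "{ type filter hook $hook priority $prioname $offset; }"
  done
}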
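# Exercise every priority-name/offset spelling on the hooks each family
# supports. $NFT is left unquoted throughout so a value carrying extra
# words is word-split into a command line (same convention as gen_chains).

# ip/ip6/inet: the five routing hooks with the base priority names, plus
# dstnat on prerouting and srcnat on postrouting.
for family in ip ip6 inet; do
  $NFT add table "$family" x
  for hook in prerouting input forward output postrouting; do
    for prioname in raw mangle filter security; do
      gen_chains "$family" "$hook" "$prioname"
    done
  done
  gen_chains "$family" prerouting dstnat
  gen_chains "$family" postrouting srcnat
done

# arp: input and output hooks with the filter priority only.
family=arp
$NFT add table "$family" x
for hook in input output; do
  gen_chains "$family" "$hook" filter
done

# netdev: the ingress chain carries a "device lo" clause that gen_chains
# does not emit, so the per-offset loop is repeated inline here.
family=netdev
hook=ingress
prioname=filter
$NFT add table "$family" x
for i in -11 -10 0 10 11; do
  offset=$(format_offset "$i")
  name=$(chainname "$hook" "$prioname" "$offset")
  # shellcheck disable=SC2086 — word-splitting of $NFT is intended
  $NFT add chain "$family" x "$name" "{ type filter hook $hook device lo priority $prioname $offset; }"
done

# bridge: all five hooks with filter, plus dstnat/out/srcnat on their hooks.
family=bridge
$NFT add table "$family" x
for hook in prerouting input forward output postrouting; do
  gen_chains "$family" "$hook" filter
done
gen_chains "$family" prerouting dstnat
gen_chains "$family" output out
gen_chains "$family" postrouting srcnat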