diff options
Diffstat (limited to 'iptables/nft.c')
| -rw-r--r-- | iptables/nft.c | 78 |
1 files changed, 75 insertions, 3 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index 6cb03a0d..7cd56efa 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -253,6 +253,7 @@ enum obj_update_type { NFT_COMPAT_CHAIN_USER_ADD, NFT_COMPAT_CHAIN_USER_DEL, NFT_COMPAT_CHAIN_UPDATE, + NFT_COMPAT_CHAIN_RENAME, NFT_COMPAT_RULE_APPEND, NFT_COMPAT_RULE_INSERT, NFT_COMPAT_RULE_REPLACE, @@ -468,6 +469,57 @@ struct builtin_table xtables_arp[TABLES_MAX] = { }, }; +#include <linux/netfilter_bridge.h> + +struct builtin_table xtables_bridge[TABLES_MAX] = { + [FILTER] = { + .name = "filter", + .chains = { + { + .name = "INPUT", + .type = "filter", + .prio = NF_BR_PRI_FILTER_BRIDGED, + .hook = NF_BR_LOCAL_IN, + }, + { + .name = "FORWARD", + .type = "filter", + .prio = NF_BR_PRI_FILTER_BRIDGED, + .hook = NF_BR_FORWARD, + }, + { + .name = "OUTPUT", + .type = "filter", + .prio = NF_BR_PRI_FILTER_BRIDGED, + .hook = NF_BR_LOCAL_OUT, + }, + }, + }, + [NAT] = { + .name = "nat", + .chains = { + { + .name = "PREROUTING", + .type = "filter", + .prio = NF_BR_PRI_NAT_DST_BRIDGED, + .hook = NF_BR_PRE_ROUTING, + }, + { + .name = "OUTPUT", + .type = "filter", + .prio = NF_BR_PRI_NAT_DST_OTHER, + .hook = NF_BR_LOCAL_OUT, + }, + { + .name = "POSTROUTING", + .type = "filter", + .prio = NF_BR_PRI_NAT_SRC, + .hook = NF_BR_POST_ROUTING, + }, + }, + }, +}; + int nft_table_add(struct nft_handle *h, struct nft_table *t, uint16_t flags) { char buf[MNL_SOCKET_BUFFER_SIZE]; @@ -586,7 +638,7 @@ nft_table_builtin_find(struct nft_handle *h, const char *table) for (i=0; i<TABLES_MAX; i++) { if (h->tables[i].name == NULL) - break; + continue; if (strcmp(h->tables[i].name, table) != 0) continue; @@ -1457,10 +1509,15 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, uint64_t handle; int ret; + nft_fn = nft_chain_user_add; + /* If built-in chains don't exist for this table, create them */ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) nft_xt_builtin_init(h, table); + /* Config load changed errno. Ensure genuine info for our callers. */ + errno = 0; + /* Find the old chain to be renamed */ c = nft_chain_find(h, table, chain); if (c == NULL) { @@ -1479,7 +1536,7 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_HANDLE, handle); if (h->batch_support) { - ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c); + ret = batch_chain_add(h, NFT_COMPAT_CHAIN_RENAME, c); } else { char buf[MNL_SOCKET_BUFFER_SIZE]; struct nlmsghdr *nlh; @@ -1962,6 +2019,9 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, if (iter == NULL) goto err; + if (ops->print_table_header) + ops->print_table_header(table); + c = nft_chain_list_iter_next(iter); while (c != NULL) { const char *chain_table = @@ -2225,6 +2285,10 @@ static int nft_action(struct nft_handle *h, int action) NLM_F_CREATE : 0, seq++, n->chain); break; + case NFT_COMPAT_CHAIN_RENAME: + nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN, 0, + seq++, n->chain); + break; case NFT_COMPAT_RULE_APPEND: nft_compat_rule_batch_add(h, NFT_MSG_NEWRULE, NLM_F_CREATE | NLM_F_APPEND, @@ -2358,7 +2422,7 @@ const char *nft_strerror(int err) { nft_chain_user_add, EEXIST, "Chain already exists" }, { nft_rule_add, E2BIG, "Index of insertion too big" }, { nft_rule_check, ENOENT, "Bad rule (does a matching rule exist in that chain?)" }, - { nft_rule_replace, E2BIG, "Index of replacement too big" }, + { nft_rule_replace, ENOENT, "Index of replacement too big" }, { nft_rule_delete_num, E2BIG, "Index of deletion too big" }, /* { TC_READ_COUNTER, E2BIG, "Index of counter too big" }, { TC_ZERO_COUNTER, E2BIG, "Index of counter too big" }, */ @@ -2567,3 +2631,11 @@ err: /* the core expects 1 for success and 0 for error */ return ret == 0 ? 1 : 0; } + +uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag) +{ + if (invflags & flag) + return NFT_CMP_NEQ; + + return NFT_CMP_EQ; +} |