author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-04 02:43:44 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 21:56:29 +0200 |
commit | c330152b7f7779f15dba3e0862bf5616e7cb3eab (patch) | |
tree | 49c9ab5d837ab99a23e15399acb7ea610606ecfc /include/rule.h | |
parent | 1cba7a5e5e96dd920271823125b45e182f22ec82 (diff) |
src: support for implicit chain bindings
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also adds support for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/rule.h')
-rw-r--r-- | include/rule.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/include/rule.h b/include/rule.h
index cfb76b8a..4de7a0d9 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -79,6 +79,7 @@ struct handle {
  struct position_spec position;
  struct position_spec index;
  uint32_t set_id;
+ uint32_t chain_id;
  uint32_t rule_id;
  uint32_t position_id;
 };
@@ -155,6 +156,7 @@ struct table {
  struct list_head sets;
  struct list_head objs;
  struct list_head flowtables;
+ struct list_head chain_bindings;
  enum table_flags flags;
  unsigned int refcnt;
 };
@@ -176,6 +178,7 @@ extern struct table *table_lookup_fuzzy(const struct handle *h,
 enum chain_flags {
  CHAIN_F_BASECHAIN = 0x1,
  CHAIN_F_HW_OFFLOAD = 0x2,
+ CHAIN_F_BINDING = 0x4,
 };
 
 /**
@@ -244,12 +247,16 @@ extern struct chain *chain_lookup(const struct table *table,
 extern struct chain *chain_lookup_fuzzy(const struct handle *h,
  const struct nft_cache *cache,
  const struct table **table);
+extern struct chain *chain_binding_lookup(const struct table *table,
+ const char *chain_name);
 extern const char *family2str(unsigned int family);
 extern const char *hooknum2str(unsigned int family, unsigned int hooknum);
 extern const char *chain_policy2str(uint32_t policy);
 extern void chain_print_plain(const struct chain *chain, struct output_ctx *octx);
+extern void chain_rules_print(const struct chain *chain,
+ struct output_ctx *octx, const char *indent);
 
 /**
  * struct rule - nftables rule |
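Review bot: The new `chain_id` member of struct handle is undocumented, and its relation to the handle's existing by-name chain field (outside this hunk) is not stated, so a reader cannot tell which of the two identifies the chain when both are set. A one-line comment such as `uint32_t chain_id; /* id of an implicitly bound chain, analogous to set_id; presumably 0 when the chain is addressed by name */` would make the contract explicit. The same lack of a comment applies to `chain_bindings` in the struct table hunk and to the `chain_binding_lookup`/`chain_rules_print` prototypes in the last hunk, where neither the lookup semantics nor the meaning and ownership of `indent` is described. struct handle begins before this hunk, so whether a kernel-doc block above it lists members is not visible here.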
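Review bot: `chain_bindings` makes struct table carry a second list of chains, so every path that allocates, frees, prints or iterates a table's chains (the table alloc/free helpers and the cache code, all outside this header) now has two lists to keep consistent, and the header does not say which list a given chain lives on. The commit message describes the split as a stopgap until a per-table hashtable exists; recording the invariant here, e.g. `struct list_head chain_bindings; /* chains created by an implicit jump/goto binding; presumably kept off the regular chain list so delinearize need not search it — see chain_binding_lookup() */`, would tell the next maintainer what must hold when the two lists are merged. struct table begins before this hunk.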
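Review bot: `CHAIN_F_BINDING = 0x4` is added to a shared bitmask without stating that it is mutually exclusive with `CHAIN_F_BASECHAIN`: an implicitly bound chain is entered only through a jump or goto and cannot also be a hook-registered base chain, and nothing in this header says where that combination is rejected. A comment on the enumerator, `CHAIN_F_BINDING = 0x4, /* implicit chain bound to a jump/goto in a rule; never combined with CHAIN_F_BASECHAIN */`, plus a check in the evaluation step that refuses base-chain attributes inside a binding block, would keep a malformed chain object from being sent to the kernel at all. The enforcement point lives outside this header, so this is a request to confirm rather than a defect in the hunk itself.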