diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-04 02:43:44 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 21:56:29 +0200 |
commit | c330152b7f7779f15dba3e0862bf5616e7cb3eab (patch) | |
tree | 49c9ab5d837ab99a23e15399acb7ea610606ecfc /include/statement.h | |
parent | 1cba7a5e5e96dd920271823125b45e182f22ec82 (diff) |
src: support for implicit chain bindings
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also supports for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/statement.h')
-rw-r--r-- | include/statement.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/include/statement.h b/include/statement.h index 061bc619..f2fc6ade 100644 --- a/include/statement.h +++ b/include/statement.h @@ -11,6 +11,14 @@ extern struct stmt *expr_stmt_alloc(const struct location *loc, extern struct stmt *verdict_stmt_alloc(const struct location *loc, struct expr *expr); +struct chain_stmt { + struct chain *chain; + struct expr *expr; +}; + +struct stmt *chain_stmt_alloc(const struct location *loc, struct chain *chain, + enum nft_verdicts verdict); + struct flow_stmt { const char *table_name; }; @@ -287,6 +295,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc); * @STMT_CONNLIMIT: connection limit statement * @STMT_MAP: map statement * @STMT_SYNPROXY: synproxy statement + * @STMT_CHAIN: chain statement */ enum stmt_types { STMT_INVALID, @@ -315,6 +324,7 @@ enum stmt_types { STMT_CONNLIMIT, STMT_MAP, STMT_SYNPROXY, + STMT_CHAIN, }; /** @@ -380,6 +390,7 @@ struct stmt { struct flow_stmt flow; struct map_stmt map; struct synproxy_stmt synproxy; + struct chain_stmt chain; }; }; |