diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-04 20:58:59 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-16 18:22:43 +0200 |
| commit | 6c43069e5f2a55d769ec6d362bc863af906591d0 (patch) | |
| tree | 24a979dfd7b04c5b57d2c02ffd996343325fdb60 /include | |
| parent | 1e743925a597055c82200540a7c8c3e2ec506878 (diff) | |
src: add netdev family support
This patch adds support for the new 'netdev' table. So far, this table allows
you to create filter chains from ingress.
The following example shows a very simple base configuration with one table that
contains a basechain that is attached to the 'eth0':
# nft list table netdev filter
table netdev filter {
chain eth0-ingress {
type filter hook ingress device eth0 priority 0; policy accept;
}
}
You can test that this works by adding a simple rule with counters:
# nft add rule netdev filter eth0-ingress counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter.h | 8 | ||||
| -rw-r--r-- | include/rule.h | 2 |
2 files changed, 10 insertions, 0 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index be0bc182..18075f95 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -32,6 +32,7 @@ #define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP) /* only for userspace compatibility */ +#ifndef __KERNEL__ /* Generic cache responses from hook functions. <= 0x2000 is used for protocol-flags. */ #define NFC_UNKNOWN 0x4000 @@ -39,6 +40,7 @@ /* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */ #define NF_VERDICT_BITS 16 +#endif enum nf_inet_hooks { NF_INET_PRE_ROUTING, @@ -49,11 +51,17 @@ enum nf_inet_hooks { NF_INET_NUMHOOKS }; +enum nf_dev_hooks { + NF_NETDEV_INGRESS, + NF_NETDEV_NUMHOOKS +}; + enum { NFPROTO_UNSPEC = 0, NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3, + NFPROTO_NETDEV = 5, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10, NFPROTO_DECNET = 12, diff --git a/include/rule.h b/include/rule.h index 5d445993..604de14d 100644 --- a/include/rule.h +++ b/include/rule.h @@ -113,6 +113,7 @@ enum chain_flags { * @priority: hook priority (base chains) * @policy: default chain policy (base chains) * @type: chain type + * @dev: device (if any) * @rules: rules contained in the chain */ struct chain { @@ -125,6 +126,7 @@ struct chain { int priority; int policy; const char *type; + const char *dev; struct scope scope; struct list_head rules; }; |