diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-08-02 12:32:52 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-08-06 13:13:06 +0200 |
| commit | b98fee20bfe23c787ff1f00660a205865eb8bb95 (patch) | |
| tree | 52e70f1f823246ebfe5771a06fb7b2ab75f886fc /src/parser_bison.y | |
| parent | 874c70f98d38caac51328e69d81eefa6cca8b438 (diff) | |
mnl: revisit hook listing
Update this command to display the hook datapath for a packet depending
on its family.
This patch also includes:
- Group of existing hooks based on the hook location.
- Order hooks by priority, from INT_MIN to INT_MAX.
- Do not add sign to priority zero.
- Refresh include/linux/netfilter/nfnetlink_hook.h cache copy.
- Use NFNLA_CHAIN_* attributes to print the chain family, table and name.
If NFNLA_CHAIN_* attributes are not available, display the hookfn name.
- Update syntax: remove optional hook parameter, promote the 'device'
argument.
The following example shows the hook datapath for IPv4 packets coming in
from netdevice 'eth0':
# nft list hooks ip device eth0
family ip {
hook ingress {
+0000000010 chain netdev x y [nf_tables]
+0000000300 chain inet m w [nf_tables]
}
hook input {
-0000000100 chain ip a b [nf_tables]
+0000000300 chain inet m z [nf_tables]
}
hook forward {
-0000000225 selinux_ipv4_forward
0000000000 chain ip a c [nf_tables]
}
hook output {
-0000000225 selinux_ipv4_output
}
hook postrouting {
+0000000225 selinux_ipv4_postroute
}
}
Note that the listing above includes the existing netdev and inet
hooks/chains which *might* interfer in the travel of an incoming IPv4
packet. This allows users to debug the pipeline, basically, to
understand in what order the hooks/chains are evaluated for the IPv4
packets.
If the netdevice is not specified, then the ingress hooks are not
shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
| -rw-r--r-- | src/parser_bison.y | 25 |
1 files changed, 5 insertions, 20 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index b83ac9a2..83f0250a 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1474,11 +1474,7 @@ list_cmd : TABLE table_spec } ; -basehook_device_name : /* NULL */ - { - $$ = NULL; - } - | DEVICE STRING +basehook_device_name : DEVICE STRING { $$ = $2; } @@ -1488,22 +1484,11 @@ basehook_spec : ruleset_spec { $$ = $1; } - | ruleset_spec STRING basehook_device_name + | ruleset_spec basehook_device_name { - const char *name = chain_hookname_lookup($2); - - if (name == NULL) { - erec_queue(error(&@2, "unknown chain hook"), - state->msgs); - xfree($3); - YYERROR; - } - - $1.chain.name = $2; - $1.chain.location = @2; - if ($3) { - $1.obj.name = $3; - $1.obj.location = @3; + if ($2) { + $1.obj.name = $2; + $1.obj.location = @2; } $$ = $1; } |