author | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> | 2013-09-04 12:50:19 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-04 12:31:17 +0200 |
commit | 108d9f6b3af0f70459fb7ccc1dfc5452d3f3646e (patch) | |
tree | 69f0d49bbc5e8daf02129b47caeee7ea4457d87b /src/rule.c | |
parent | ffad92b5f34d9960d8c6b1c70041b347634a2a76 (diff) |
src: Wrap netfilter hooks around human readable strings
This allows the use of unique, human readable hook names on the command
line and lets the user remain unaware of the complex netfilter hook
names and their differences depending on the netfilter family.
So:
add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }
becomes:
add chain foo bar { type route hook input 0; }
It also fixes then the difference in hook values between families.
I.e. ARP family has different values for input, forward and output
compared to IPv4, IPv6 or bridge.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 74 |
1 files changed, 60 insertions, 14 deletions
@@ -21,6 +21,7 @@
 #include <netinet/ip.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter_arp.h>
 void handle_free(struct handle *h)
 {
@@ -189,6 +190,27 @@ struct symbol *symbol_lookup(const struct scope *scope, const char *identifier)
 return NULL;
 }
+static const char *chain_hookname_str_array[] = {
+ "prerouting",
+ "input",
+ "forward",
+ "postrouting",
+ "output",
+ NULL,
+};
+
+const char *chain_hookname_lookup(const char *name)
+{
+ int i;
+
+ for (i = 0; chain_hookname_str_array[i]; i++) {
+ if (!strcmp(name, chain_hookname_str_array[i]))
+ return chain_hookname_str_array[i];
+ }
+
+ return NULL;
+}
+
 struct chain *chain_alloc(const char *name)
 {
 struct chain *chain;
@@ -228,20 +250,43 @@ struct chain *chain_lookup(const struct table *table, const struct handle *h)
 return NULL;
 }
-static const char *hooknum2str_array[NF_INET_NUMHOOKS] = {
- [NF_INET_PRE_ROUTING] = "NF_INET_PRE_ROUTING",
- [NF_INET_LOCAL_IN] = "NF_INET_LOCAL_IN",
- [NF_INET_FORWARD] = "NF_INET_FORWARD",
- [NF_INET_LOCAL_OUT] = "NF_INET_LOCAL_OUT",
- [NF_INET_POST_ROUTING] = "NF_INET_POST_ROUTING",
-};
-
-static const char *hooknum2str(unsigned int hooknum)
-{
- if (hooknum >= NF_INET_NUMHOOKS)
- return "UNKNOWN";
+static const char *hooknum2str(unsigned int family, unsigned int hooknum)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_BRIDGE:
+ case NFPROTO_IPV6:
+ switch (hooknum) {
+ case NF_INET_PRE_ROUTING:
+ return "prerouting";
+ case NF_INET_LOCAL_IN:
+ return "input";
+ case NF_INET_FORWARD:
+ return "forward";
+ case NF_INET_POST_ROUTING:
+ return "postrouting";
+ case NF_INET_LOCAL_OUT:
+ return "output";
+ default:
+ break;
+ };
+ break;
+ case NFPROTO_ARP:
+ switch (hooknum) {
+ case NF_ARP_IN:
+ return "input";
+ case NF_ARP_FORWARD:
+ return "forward";
+ case NF_ARP_OUT:
+ return "output";
+ default:
+ break;
+ }
+ default:
+ break;
+ };
- return hooknum2str_array[hooknum];
+ return "unknown";
 }
 static void chain_print(const struct chain *chain)
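Review bot: `chain_hookname_str_array` and `chain_hookname_lookup` define the user-facing hook vocabulary on the parser side, while `hooknum2str` further down this file repeats the same five literals by hand, so the accepted names and the printed names can drift apart with no compiler help; consider having `hooknum2str` return entries of `chain_hookname_str_array` (indexed through a small enum) instead of duplicating the strings. The new function is also exported without a comment; a one-liner such as `/* Map a user-supplied hook name onto the canonical table entry; NULL when the name is unknown. */` would tell callers that the returned pointer is the table's string, not `name`. Since `name` goes straight into strcmp(), the comment should also state that callers must never pass NULL.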
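Review bot: In the `case NFPROTO_ARP:` arm of `hooknum2str` the inner `switch` closes and control falls straight into the outer `default:` with no `break;` and no fallthrough marker; it is harmless today because `default` only breaks, but the arm should end with its own `break;` exactly as the IPv4/IPv6/bridge arm does, so a later addition to `default` does not silently change ARP output. The two `};` that follow the switch blocks are empty statements and the trailing `;` should be dropped. The `"unknown"` fallback is not a name `chain_hookname_lookup` accepts, so a dumped chain with an unhandled family or hook number will not load back; a comment on the function such as `/* "unknown" is a display-only fallback and is not a parseable hook name. */` would make that explicit.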
@@ -251,7 +296,8 @@ static void chain_print(const struct chain *chain)
 printf("\tchain %s {\n", chain->handle.chain);
 if (chain->flags & CHAIN_F_BASECHAIN) {
 printf("\t\t type %s hook %s %u;\n", chain->type,
- hooknum2str(chain->hooknum), chain->priority);
+ hooknum2str(chain->handle.family, chain->hooknum),
+ chain->priority);
 }
 list_for_each_entry(rule, &chain->rules, list) {
 printf("\t\t"); |