diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/evaluate.c | 4 | ||||
| -rw-r--r-- | src/netlink.c | 7 | ||||
| -rw-r--r-- | src/parser_bison.y | 34 | ||||
| -rw-r--r-- | src/payload.c | 1 | ||||
| -rw-r--r-- | src/proto.c | 1 | ||||
| -rw-r--r-- | src/rule.c | 25 | ||||
| -rw-r--r-- | src/scanner.l | 2 |
7 files changed, 70 insertions, 4 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index d99b38f4..0bf4fecb 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1847,6 +1847,10 @@ static uint32_t str2hooknum(uint32_t family, const char *hook) else if (!strcmp(hook, "output")) return NF_ARP_OUT; break; + case NFPROTO_NETDEV: + if (!strcmp(hook, "ingress")) + return NF_NETDEV_INGRESS; + break; default: break; } diff --git a/src/netlink.c b/src/netlink.c index 1167c951..bef33a1d 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -555,6 +555,9 @@ static int netlink_add_chain_batch(struct netlink_ctx *ctx, if (chain->policy != -1) nft_chain_attr_set_u32(nlc, NFT_CHAIN_ATTR_POLICY, chain->policy); + if (chain->dev != NULL) + nft_chain_attr_set_str(nlc, NFT_CHAIN_ATTR_DEV, + chain->dev); } netlink_dump_chain(nlc); @@ -697,6 +700,10 @@ static struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, xstrdup(nft_chain_attr_get_str(nlc, NFT_CHAIN_ATTR_TYPE)); chain->policy = nft_chain_attr_get_u32(nlc, NFT_CHAIN_ATTR_POLICY); + if (nft_chain_attr_is_set(nlc, NFT_CHAIN_ATTR_DEV)) { + chain->dev = + xstrdup(nft_chain_attr_get_str(nlc, NFT_CHAIN_ATTR_DEV)); + } chain->flags |= CHAIN_F_BASECHAIN; } diff --git a/src/parser_bison.y b/src/parser_bison.y index eac3fcbe..fab4c52e 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -165,6 +165,7 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token DEFINE "define" %token HOOK "hook" +%token DEVICE "device" %token TABLE "table" %token TABLES "tables" %token CHAIN "chain" @@ -179,6 +180,7 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token RULESET "ruleset" %token INET "inet" +%token NETDEV "netdev" %token ADD "add" %token UPDATE "update" @@ -1090,6 +1092,37 @@ hook_spec : TYPE STRING HOOK STRING PRIORITY NUM $<chain>0->priority = -$7; $<chain>0->flags |= CHAIN_F_BASECHAIN; } + | TYPE STRING HOOK STRING DEVICE STRING PRIORITY NUM + { + $<chain>0->type = chain_type_name_lookup($2); + if ($<chain>0->type == NULL) { + erec_queue(error(&@2, "unknown chain type %s", $2), + state->msgs); + YYERROR; + } + $<chain>0->hookstr = chain_hookname_lookup($4); + if ($<chain>0->hookstr == NULL) { + erec_queue(error(&@4, "unknown chain hook %s", $4), + state->msgs); + YYERROR; + } + $<chain>0->dev = $6; + $<chain>0->priority = $8; + $<chain>0->flags |= CHAIN_F_BASECHAIN; + } + | TYPE STRING HOOK STRING DEVICE STRING PRIORITY DASH NUM + { + $<chain>0->type = chain_type_name_lookup($2); + if ($<chain>0->type == NULL) { + erec_queue(error(&@2, "unknown type name %s", $2), + state->msgs); + YYERROR; + } + $<chain>0->hookstr = chain_hookname_lookup($4); + $<chain>0->dev = $6; + $<chain>0->priority = -$9; + $<chain>0->flags |= CHAIN_F_BASECHAIN; + } ; policy_spec : POLICY chain_policy @@ -1137,6 +1170,7 @@ family_spec_explicit : IP { $$ = NFPROTO_IPV4; } | INET { $$ = NFPROTO_INET; } | ARP { $$ = NFPROTO_ARP; } | BRIDGE { $$ = NFPROTO_BRIDGE; } + | NETDEV { $$ = NFPROTO_NETDEV; } ; table_spec : family_spec identifier diff --git a/src/payload.c b/src/payload.c index 08578fd8..1a9d4917 100644 --- a/src/payload.c +++ b/src/payload.c @@ -215,6 +215,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, } break; case NFPROTO_BRIDGE: + case NFPROTO_NETDEV: switch (expr->payload.base) { case PROTO_BASE_LL_HDR: desc = &proto_eth; diff --git a/src/proto.c b/src/proto.c index 6302016c..d40caebc 100644 --- a/src/proto.c +++ b/src/proto.c @@ -123,6 +123,7 @@ const struct proto_desc *proto_dev_desc(uint16_t type) const struct hook_proto_desc hook_proto_desc[] = { [NFPROTO_BRIDGE] = HOOK_PROTO_DESC(PROTO_BASE_LL_HDR, &proto_eth), + [NFPROTO_NETDEV] = HOOK_PROTO_DESC(PROTO_BASE_LL_HDR, &proto_eth), [NFPROTO_INET] = HOOK_PROTO_DESC(PROTO_BASE_LL_HDR, &proto_inet), [NFPROTO_IPV4] = HOOK_PROTO_DESC(PROTO_BASE_NETWORK_HDR, &proto_ip), [NFPROTO_IPV6] = HOOK_PROTO_DESC(PROTO_BASE_NETWORK_HDR, &proto_ip6), @@ -333,6 +333,7 @@ static const char *chain_hookname_str_array[] = { "forward", "postrouting", "output", + "ingress", NULL, }; @@ -398,6 +399,8 @@ const char *family2str(unsigned int family) return "ip6"; case NFPROTO_INET: return "inet"; + case NFPROTO_NETDEV: + return "netdev"; case NFPROTO_ARP: return "arp"; case NFPROTO_BRIDGE: @@ -441,6 +444,13 @@ static const char *hooknum2str(unsigned int family, unsigned int hooknum) default: break; } + break; + case NFPROTO_NETDEV: + switch (hooknum) { + case NF_NETDEV_INGRESS: + return "ingress"; + } + break; default: break; }; @@ -465,10 +475,17 @@ static void chain_print(const struct chain *chain) printf("\tchain %s {\n", chain->handle.chain); if (chain->flags & CHAIN_F_BASECHAIN) { - printf("\t\ttype %s hook %s priority %d; policy %s;\n", - chain->type, - hooknum2str(chain->handle.family, chain->hooknum), - chain->priority, chain_policy2str(chain->policy)); + if (chain->dev != NULL) { + printf("\t\ttype %s hook %s device %s priority %d;\n", + chain->type, + hooknum2str(chain->handle.family, chain->hooknum), + chain->dev, chain->priority); + } else { + printf("\t\ttype %s hook %s priority %d;\n", + chain->type, + hooknum2str(chain->handle.family, chain->hooknum), + chain->priority); + } } list_for_each_entry(rule, &chain->rules, list) { printf("\t\t"); diff --git a/src/scanner.l b/src/scanner.l index 985ea2a3..2d9871d0 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -233,6 +233,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "describe" { return DESCRIBE; } "hook" { return HOOK; } +"device" { return DEVICE; } "table" { return TABLE; } "tables" { return TABLES; } "chain" { return CHAIN; } @@ -255,6 +256,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "to" { return TO; } "inet" { return INET; } +"netdev" { return NETDEV; } "add" { return ADD; } "update" { return UPDATE; } |