From 6c43069e5f2a55d769ec6d362bc863af906591d0 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 4 Jun 2015 20:58:59 +0200 Subject: src: add netdev family support This patch adds support for the new 'netdev' table. So far, this table allows you to create filter chains from ingress. The following example shows a very simple base configuration with one table that contains a basechain that is attached to the 'eth0': # nft list table netdev filter table netdev filter { chain eth0-ingress { type filter hook ingress device eth0 priority 0; policy accept; } } You can test that this works by adding a simple rule with counters: # nft add rule netdev filter eth0-ingress counter Signed-off-by: Pablo Neira Ayuso --- doc/nft.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'doc') diff --git a/doc/nft.xml b/doc/nft.xml index 8d79016c..d51876cd 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -267,6 +267,14 @@ filter input iif $int_ifs accept + + + + + Netdev address family, handling packets from ingress. + + + @@ -373,6 +381,38 @@ filter input iif $int_ifs accept The bridge address family handles ethernet packets traversing bridge devices. + + Netdev address family + + The Netdev address family handles packets from ingress. + + + + Netdev address family hooks + + + + + + Hook + Description + + + + + ingress + + All packets entering the system are processed by this hook. It is invoked + before layer 3 protocol handlers and it can be used for early filtering and + policing. + + + + +
+ + + @@ -401,6 +441,7 @@ filter input iif $int_ifs accept inet arp bridge + netdev . The inet address family is a dummy family which is used to create @@ -457,6 +498,7 @@ filter input iif $int_ifs accept hook priority policy + device -- cgit v1.2.3