From c330152b7f7779f15dba3e0862bf5616e7cb3eab Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 4 Jul 2020 02:43:44 +0200
Subject: src: support for implicit chain bindings

This patch allows you to group rules in a subchain, e.g.

 table inet x {
        chain y {
                type filter hook input priority 0;
                tcp dport 22 jump {
                        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
                        ip6 saddr ::1/128 accept;
                }
        }
 }

This also supports for the `goto' chain verdict.

This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.

From the shell, you have to use the explicit separator ';', in bash you
have to escape this:

 # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/expression.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include/expression.h')

diff --git a/include/expression.h b/include/expression.h
index 87937a50..0210a3cb 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -249,6 +249,7 @@ struct expr {
 			/* EXPR_VERDICT */
 			int			verdict;
 			struct expr		*chain;
+			uint32_t		chain_id;
 		};
 		struct {
 			/* EXPR_VALUE */
-- 
cgit v1.2.3