From 4694f7230195bfcff179ed418ddcdd5ff7d5a8e1 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Wed, 27 Jan 2021 14:29:50 +0100 Subject: src: add support for base hook dumping Example output: $ nft list hook ip input family ip hook input { +0000000000 nft_do_chain_inet [nf_tables] # nft table ip filter chain input +0000000010 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain filter_INPUT +0000000100 nf_nat_ipv4_local_in [nf_nat] +2147483647 ipv4_confirm [nf_conntrack] } $ nft list hooks netdev type ingress device lo family netdev hook ingress device lo { +0000000000 nft_do_chain_netdev [nf_tables] } $ nft list hooks inet family ip hook prerouting { -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4] -0000000300 iptable_raw_hook [iptable_raw] -0000000290 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain raw_PREROUTING -0000000200 ipv4_conntrack_in [nf_conntrack] -0000000140 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain mangle_PREROUTING -0000000100 nf_nat_ipv4_pre_routing [nf_nat] } ... 'nft list hooks' will display everyting except the netdev family via successive dump request for all family:hook combinations. Signed-off-by: Florian Westphal
---
src/parser_bison.y | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) (limited to 'src/parser_bison.y')
diff --git a/src/parser_bison.y b/src/parser_bison.y
index f6c92feb..136ae105 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -238,6 +238,7 @@ int nft_lex(void *, void *, void *);
 %token TYPEOF "typeof"
 %token HOOK "hook"
+%token HOOKS "hooks"
 %token DEVICE "device"
 %token DEVICES "devices"
 %token TABLE "table"
@@ -632,11 +633,15 @@ int nft_lex(void *, void *, void *);
 %type set_identifier flowtableid_spec flowtable_identifier obj_identifier
 %destructor { handle_free(&$$); } set_identifier flowtableid_spec obj_identifier
+
+%type basehook_spec
+%destructor { handle_free(&$$); } basehook_spec
+
 %type family_spec family_spec_explicit
 %type int_num chain_policy
 %type extended_prio_spec prio_spec
-%type extended_prio_name quota_unit
-%destructor { xfree($$); } extended_prio_name quota_unit
+%type extended_prio_name quota_unit basehook_device_name
+%destructor { xfree($$); } extended_prio_name quota_unit basehook_device_name
 %type dev_spec
 %destructor { xfree($$); } dev_spec
@@ -1456,6 +1461,45 @@ list_cmd : TABLE table_spec
 {
 $$ = cmd_alloc(CMD_LIST, $2, &$4, &@$, NULL);
 }
+ | HOOKS basehook_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_HOOKS, &$2, &@$, NULL);
+ }
+ ;
+
+basehook_device_name : /* NULL */
+ {
+ $$ = NULL;
+ }
+ | DEVICE STRING
+ {
+ $$ = $2;
+ }
+ ;
+
+basehook_spec : ruleset_spec
+ {
+ $$ = $1;
+ }
+ | ruleset_spec STRING basehook_device_name
+ {
+ const char *name = chain_hookname_lookup($2);
+
+ if (name == NULL) {
+ erec_queue(error(&@2, "unknown chain hook"),
+ state->msgs);
+ xfree($3);
+ YYERROR;
+ }
+
+ $1.chain.name = $2;
+ $1.chain.location = @2;
+ if ($3) {
+ $1.obj.name = $3;
+ $1.obj.location = @3;
+ }
+ $$ = $1;
+ }
 ;
 reset_cmd : COUNTERS ruleset_spec
-- cgit v1.2.3
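Review bot: The error branch of the `ruleset_spec STRING basehook_device_name` action (hunk `@@ -1456,6 +1461,45 @@`) frees `$3` before `YYERROR` but never frees `$2`, so the hook-name string appears to leak whenever `chain_hookname_lookup()` rejects it. Bison does not run `%destructor` code for the right-hand-side symbols of a rule that raises `YYERROR` from its own action, which is presumably why `xfree($3);` is there; `$3` is itself just a `STRING` value passed through by `DEVICE STRING`, so `$2` looks heap-allocated in the same way. Add `xfree($2);` next to `xfree($3);`. The leak is small per parse, but any unrecognised hook name reaches it, which matters for long-running callers that feed the parser repeatedly. Whether `$1` also needs `handle_free(&$1);` on this path depends on what `ruleset_spec` fills in, which is outside this hunk.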