From c330152b7f7779f15dba3e0862bf5616e7cb3eab Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 4 Jul 2020 02:43:44 +0200
Subject: src: support for implicit chain bindings
This patch allows you to group rules in a subchain, e.g. table inet x { chain y { type filter hook input priority 0; tcp dport 22 jump { ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept ip6 saddr ::1/128 accept; } } } This also supports for the `goto' chain verdict. This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains. From the shell, you have to use the explicit separator ';', in bash you have to escape this: # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso
---
tests/shell/testcases/chains/0041chain_binding_0 | 18 ++++++++++++++++++
.../testcases/chains/dumps/0041chain_binding_0.nft | 12 ++++++++++++
2 files changed, 30 insertions(+)
create mode 100755 tests/shell/testcases/chains/0041chain_binding_0
create mode 100644 tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
(limited to 'tests/shell/testcases/chains')
diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0
new file mode 100755
index 00000000..59bdbe9f
--- /dev/null
+++ b/tests/shell/testcases/chains/0041chain_binding_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet x {
+ chain y {
+ type filter hook input priority 0;
+ meta l4proto { tcp, udp } th dport 53 jump {
+ ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept
+ ip6 saddr ::1/128 counter accept
+ }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add rule inet x y meta l4proto icmpv6 jump { counter accept\; }
+$NFT add rule inet x y meta l4proto sctp jump { drop\; }
+$NFT delete rule inet x y handle 13
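Review bot: The closing `$NFT delete rule inet x y handle 13` hard-codes a kernel-assigned rule handle, so the test depends on the exact allocation order in the test netns and on the numbering a given kernel/nft version produces; if that shifts, the delete either fails under `set -e` or removes a different rule, and only the dump comparison would notice. The dump fixture in the second hunk no longer lists the sctp rule, which suggests handle 13 is meant to be that rule, but nothing in the script states it. Capturing the handle at creation time with `$NFT -a -e add rule inet x y meta l4proto sctp jump { drop\; }` (or reading it back from `$NFT -a list chain inet x y`) and deleting by that value would keep the intent without the magic number; if the fixed handle is deliberate, a comment such as `# handle 13: the sctp binding rule added just above` would at least document the assumption. The commit message also says `goto` bindings are supported, yet only `jump` is exercised here, so a `goto { ... }` rule would cover the second verdict.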
diff --git a/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
new file mode 100644
index 00000000..520203d8
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
@@ -0,0 +1,12 @@
+table inet x {
+ chain y {
+ type filter hook input priority filter; policy accept;
+ meta l4proto { tcp, udp } th dport 53 jump {
+ ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter packets 0 bytes 0 accept
+ ip6 saddr ::1 counter packets 0 bytes 0 accept
+ }
+ meta l4proto ipv6-icmp jump {
+ counter packets 0 bytes 0 accept
+ }
+ }
+}
--
cgit v1.2.3