* [nftables tool v2 PATCH 0/4] Easier base chain declaration
From: Tomasz Bursztyka @ 2013-09-04 9:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Same patchset as before (minus the bug fix, which has already been applied), with the review comments applied.
Chain hook names are now validated at the parsing stage, and their scope is checked at
evaluation, so the error can be reported properly on the command line.
The rest is the same as before; the type checking has just been refactored a bit.
Tomasz Bursztyka (4):
src: Wrap netfilter hooks around human readable strings
src: Ensure given base chain type is a valid one
src: Add priority keyword on base chain description
tests: Update bate chain creation according to latest syntax changes
include/rule.h | 4 +++
src/evaluate.c | 44 +++++++++++++++++++++++++
src/parser.y | 39 +++++++++++++++++-----
src/rule.c | 95 ++++++++++++++++++++++++++++++++++++++++++++---------
src/scanner.l | 6 ----
tests/dictionary | 2 +-
tests/expr-ct | 2 +-
tests/expr-meta | 2 +-
tests/family-bridge | 2 +-
tests/family-ipv4 | 2 +-
tests/family-ipv6 | 2 +-
tests/obj-chain | 2 +-
tests/payload-ll | 2 +-
tests/set | 2 +-
tests/stmt-log | 2 +-
tests/verdict-maps | 2 +-
16 files changed, 169 insertions(+), 41 deletions(-)
--
1.8.3.2
* [nftables tool v2 PATCH 1/4] src: Wrap netfilter hooks around human readable strings
From: Tomasz Bursztyka @ 2013-09-04 9:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
This allows the use of unique, human readable hook names on the command
line, so the user need not be aware of the complex netfilter hook
names and their differences depending on the netfilter family.
So:
add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }
becomes:
add chain foo bar { type route hook input 0; }
It also fixes then the difference in hook values between families.
I.e. ARP family has different values for input, forward and output
compared to IPv4, IPv6 or BRIDGE.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/rule.h | 3 +++
src/evaluate.c | 44 ++++++++++++++++++++++++++++++++++
src/parser.y | 21 +++++++++++++----
src/rule.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++-----------
src/scanner.l | 6 -----
5 files changed, 123 insertions(+), 25 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index 4f68431..14a3958 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -98,6 +98,7 @@ enum chain_flags {
* @handle: chain handle
* @location: location the chain was defined at
* @flags: chain flags
+ * @hookstr: unified and human readable hook name (base chains)
* @hooknum: hook number (base chains)
* @priority: hook priority (base chains)
* @type: chain type
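Review bot: The new `@hookstr` line documents what the field holds but not its ownership, and that matters because the parser fills it from chain_hook_name_lookup(), which returns a pointer into a static table in rule.c. Suggest ` * @hookstr: unified and human readable hook name (base chains); points at a static table entry, not owned by the chain`, so that whoever maintains chain_free() (not in this series) knows not to release it. The prototype added in the last hunk of this file would benefit from the same one-line remark. The struct chain definition continues outside this hunk.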
@@ -108,6 +109,7 @@ struct chain {
struct handle handle;
struct location location;
uint32_t flags;
+ const char *hookstr;
unsigned int hooknum;
unsigned int priority;
const char *type;
@@ -115,6 +117,7 @@ struct chain {
struct list_head rules;
};
+extern const char *chain_hook_name_lookup(const char *name);
extern struct chain *chain_alloc(const char *name);
extern void chain_free(struct chain *chain);
extern void chain_add_hash(struct chain *chain, struct table *table);
diff --git a/src/evaluate.c b/src/evaluate.c
index 85c647e..470e141 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -14,6 +14,8 @@
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_arp.h>
#include <linux/netfilter/nf_tables.h>
#include <expression.h>
@@ -54,6 +56,8 @@ static int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx *ctx,
__stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
#define stmt_binary_error(ctx, s1, s2, fmt, args...) \
__stmt_binary_error(ctx, &(s1)->location, &(s2)->location, fmt, ## args)
+#define chain_error(ctx, s1, fmt, args...) \
+ __stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
static int __fmtstring(3, 4) set_error(struct eval_ctx *ctx,
const struct set *set,
@@ -1247,10 +1251,50 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
return 0;
}
+static uint32_t hookname2nfhook(uint32_t family, const char *hook)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_BRIDGE:
+ case NFPROTO_IPV6:
+ /* All these 3 families share actually
+ * the same values for each hook */
+ if (!strcmp(hook, "prerouting"))
+ return NF_INET_PRE_ROUTING;
+ else if (!strcmp(hook, "in"))
+ return NF_INET_LOCAL_IN;
+ else if (!strcmp(hook, "forward"))
+ return NF_INET_FORWARD;
+ else if (!strcmp(hook, "postrouting"))
+ return NF_INET_POST_ROUTING;
+ return NF_INET_LOCAL_OUT;
+ case NFPROTO_ARP:
+ if (!strcmp(hook, "in"))
+ return NF_ARP_IN;
+ else if (!strcmp(hook, "forward"))
+ return NF_ARP_FORWARD;
+ else if (!strcmp(hook, "out"))
+ return NF_ARP_OUT;
+ default:
+ break;
+ }
+
+ return NF_INET_NUMHOOKS;
+}
+
static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
{
struct rule *rule;
+ if (chain->flags & CHAIN_F_BASECHAIN) {
+ chain->hooknum = hookname2nfhook(chain->handle.family,
+ chain->hookstr);
+ if (chain->hooknum == NF_INET_NUMHOOKS)
+ return chain_error(ctx, chain,
+ "Chain cannot use hook %s",
+ chain->hookstr);
+ }
+
list_for_each_entry(rule, &chain->rules, list) {
handle_merge(&rule->handle, &chain->handle);
if (rule_evaluate(ctx, rule) < 0)
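Review bot: `case NFPROTO_ARP:` in the new hookname2nfhook() falls into `default:` whenever none of the three names match, which is the intended error path but is unmarked; add `/* fallthrough */` before `default:` so -Wimplicit-fallthrough stays quiet and the intent is visible. chain_evaluate() also passes chain->hookstr straight to strcmp(); every visible path that sets CHAIN_F_BASECHAIN also sets hookstr in the parser, but if any other path sets the flag without a name (chains rebuilt from a netlink listing, for instance, which are not in view) this is a NULL dereference, and a guard such as `if (chain->hookstr == NULL) return chain_error(ctx, chain, "Base chain has no hook name");` would make that failure explicit. The body of chain_evaluate() continues outside the hunk.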
diff --git a/src/parser.y b/src/parser.y
index f0eb8e3..771b194 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -155,7 +155,6 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token DEFINE "define"
%token HOOK "hook"
-%token <val> HOOKNUM "hooknum"
%token TABLE "table"
%token TABLES "tables"
%token CHAIN "chain"
@@ -550,6 +549,7 @@ add_cmd : TABLE table_spec
| CHAIN chain_spec chain_block_alloc
'{' chain_block '}'
{
+ $5->location = @5;
handle_merge(&$3->handle, &$2);
close_scope(state);
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_CHAIN, &$2, &@$, $5);
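Review bot: The location recorded here, `@5`, is the chain_block's, while the table_block rule in the next hunk records the chain_spec's (`$4->location = @3;`), so chain_error() in evaluate.c will point at different parts of the statement depending on which syntax the user wrote. Since `$2` is the chain_spec in this rule (the handle_merge() call uses it), `$5->location = @2;` keeps the two forms consistent and points the message at the chain name rather than at the whole block.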
@@ -667,6 +667,7 @@ table_block : /* empty */ { $$ = $<table>-1; }
chain_block_alloc '{' chain_block '}'
stmt_seperator
{
+ $4->location = @3;
handle_merge(&$4->handle, &$3);
handle_free(&$3);
close_scope(state);
@@ -766,17 +767,27 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
;
-hook_spec : TYPE STRING HOOK HOOKNUM NUM
+hook_spec : TYPE STRING HOOK STRING NUM
{
$<chain>0->type = $2;
- $<chain>0->hooknum = $4;
+ $<chain>0->hookstr = chain_hook_name_lookup($4);
+ if ($<chain>0->hookstr == NULL) {
+ erec_queue(error(&@4, "unknown hook name %s", $4),
+ state->msgs);
+ YYERROR;
+ }
$<chain>0->priority = $5;
$<chain>0->flags |= CHAIN_F_BASECHAIN;
}
- | TYPE STRING HOOK HOOKNUM DASH NUM
+ | TYPE STRING HOOK STRING DASH NUM
{
$<chain>0->type = $2;
- $<chain>0->hooknum = $4;
+ $<chain>0->hookstr = chain_hook_name_lookup($4);
+ if ($<chain>0->hookstr == NULL) {
+ erec_queue(error(&@4, "unknown hook name %s", $4),
+ state->msgs);
+ YYERROR;
+ }
$<chain>0->priority = -$6;
$<chain>0->flags |= CHAIN_F_BASECHAIN;
}
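Review bot: The lookup-and-error sequence is pasted verbatim into both alternatives of hook_spec, and patch 2/4 (L370-L396) adds a second pair of copies for the type; a small static helper in the parser prologue that takes the chain, the token string, its location and state and returns 0 or -1 would reduce each action to one `if (chain_set_hook(...) < 0) YYERROR;` style line. Separately, `$4` is only consulted by chain_hook_name_lookup() and what is stored is the table's own pointer, so if STRING tokens are heap copies made by the scanner (the %destructor rules are not in view) `$4` is now leaked on both the success path and the YYERROR path; the same applies to `$2` once patch 2/4 stops storing it.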
diff --git a/src/rule.c b/src/rule.c
index 73054ba..1b1e5d4 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -21,6 +21,7 @@
#include <netinet/ip.h>
#include <linux/netfilter.h>
+#include <linux/netfilter_arp.h>
void handle_free(struct handle *h)
{
@@ -189,6 +190,27 @@ struct symbol *symbol_lookup(const struct scope *scope, const char *identifier)
return NULL;
}
+static const char *chain_hook_name_str_array[] = {
+ "prerouting",
+ "in",
+ "forward",
+ "postrouting",
+ "out",
+ NULL,
+};
+
+const char *chain_hook_name_lookup(const char *name)
+{
+ int i;
+
+ for (i = 0; chain_hook_name_str_array[i]; i++) {
+ if (!strcmp(name, chain_hook_name_str_array[i]))
+ return chain_hook_name_str_array[i];
+ }
+
+ return NULL;
+}
+
struct chain *chain_alloc(const char *name)
{
struct chain *chain;
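Review bot: The table is declared as `static const char *chain_hook_name_str_array[]`, which makes the strings read-only but leaves the pointer array itself writable; `static const char * const chain_hook_name_str_array[] = {` lets the compiler place it in read-only data, and the same applies to chain_type_str_array in patch 2/4 (L404). chain_hook_name_lookup() also needs a one-line contract, since callers store its result: `/* Canonicalise a hook name: returns the table's own static string (callers must not free it), or NULL when the name is unknown; name must be non-NULL. */`. Walking the table with a `const char *const *p` instead of the `int i` index would avoid mixing a signed index with array iteration.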
@@ -228,20 +250,43 @@ struct chain *chain_lookup(const struct table *table, const struct handle *h)
return NULL;
}
-static const char *hooknum2str_array[NF_INET_NUMHOOKS] = {
- [NF_INET_PRE_ROUTING] = "NF_INET_PRE_ROUTING",
- [NF_INET_LOCAL_IN] = "NF_INET_LOCAL_IN",
- [NF_INET_FORWARD] = "NF_INET_FORWARD",
- [NF_INET_LOCAL_OUT] = "NF_INET_LOCAL_OUT",
- [NF_INET_POST_ROUTING] = "NF_INET_POST_ROUTING",
-};
-
-static const char *hooknum2str(unsigned int hooknum)
-{
- if (hooknum >= NF_INET_NUMHOOKS)
- return "UNKNOWN";
+static const char *hooknum2str(unsigned int family, unsigned int hooknum)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_BRIDGE:
+ case NFPROTO_IPV6:
+ switch (hooknum) {
+ case NF_INET_PRE_ROUTING:
+ return "prerouting";
+ case NF_INET_LOCAL_IN:
+ return "in";
+ case NF_INET_FORWARD:
+ return "forward";
+ case NF_INET_POST_ROUTING:
+ return "postrouting";
+ case NF_INET_LOCAL_OUT:
+ return "out";
+ default:
+ break;
+ };
+ break;
+ case NFPROTO_ARP:
+ switch (hooknum) {
+ case NF_ARP_IN:
+ return "in";
+ case NF_ARP_FORWARD:
+ return "forward";
+ case NF_ARP_OUT:
+ return "out";
+ default:
+ break;
+ }
+ default:
+ break;
+ };
- return hooknum2str_array[hooknum];
+ return "UNKNOWN";
}
static void chain_print(const struct chain *chain)
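Review bot: Both the inner INET `switch` and the outer `switch` of the new hooknum2str() are closed with `};`, leaving stray empty statements that some compilers warn about; drop the two semicolons. The `case NFPROTO_ARP:` arm also falls into `default:` unmarked after its inner switch; a `/* fallthrough */` before `default:` makes that intentional. chain_print() starts on the hunk's last line and continues outside it.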
@@ -251,7 +296,8 @@ static void chain_print(const struct chain *chain)
printf("\tchain %s {\n", chain->handle.chain);
if (chain->flags & CHAIN_F_BASECHAIN) {
printf("\t\t type %s hook %s %u;\n", chain->type,
- hooknum2str(chain->hooknum), chain->priority);
+ hooknum2str(chain->handle.family, chain->hooknum),
+ chain->priority);
}
list_for_each_entry(rule, &chain->rules, list) {
printf("\t\t");
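Review bot: The printf kept in this hunk still prints `chain->priority` with `%u`, but the field is `unsigned int` (rule.h hunk above) and the parser's DASH alternative stores `-$6` into it, so a negative priority is listed as a large unsigned number and the listing no longer round-trips through `nft -f`. Printing it as a signed value, `(int)chain->priority` with `%d`, fixes the output; making the field `int` in struct chain would be the cleaner fix. Patch 3/4 rewrites the same printf (L486-L493) and keeps `%u`.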
diff --git a/src/scanner.l b/src/scanner.l
index 59e0aac..cee6aa6 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -212,12 +212,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"=>" { return ARROW; }
"vmap" { return VMAP; }
-"NF_INET_PRE_ROUTING" { yylval->val = NF_INET_PRE_ROUTING; return HOOKNUM; }
-"NF_INET_LOCAL_IN" { yylval->val = NF_INET_LOCAL_IN; return HOOKNUM; }
-"NF_INET_FORWARD" { yylval->val = NF_INET_FORWARD; return HOOKNUM; }
-"NF_INET_LOCAL_OUT" { yylval->val = NF_INET_LOCAL_OUT; return HOOKNUM; }
-"NF_INET_POST_ROUTING" { yylval->val = NF_INET_POST_ROUTING; return HOOKNUM; }
-
"include" { return INCLUDE; }
"define" { return DEFINE; }
--
1.8.3.2
* [nftables tool v2 PATCH 2/4] src: Ensure given base chain type is a valid one
From: Tomasz Bursztyka @ 2013-09-04 9:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
It verifies, while parsing the command line, that the given type is "filter", "nat",
or "route".
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/rule.h | 1 +
src/parser.y | 14 ++++++++++++--
src/rule.c | 19 +++++++++++++++++++
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index 14a3958..c6fca3c 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -117,6 +117,7 @@ struct chain {
struct list_head rules;
};
+extern const char *chain_type_name_lookup(const char *name);
extern const char *chain_hook_name_lookup(const char *name);
extern struct chain *chain_alloc(const char *name);
extern void chain_free(struct chain *chain);
diff --git a/src/parser.y b/src/parser.y
index 771b194..73a52d4 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -769,7 +769,12 @@ map_block : /* empty */ { $$ = $<set>-1; }
hook_spec : TYPE STRING HOOK STRING NUM
{
- $<chain>0->type = $2;
+ $<chain>0->type = chain_type_name_lookup($2);
+ if ($<chain>0->type == NULL) {
+ erec_queue(error(&@2, "unknown type name %s", $2),
+ state->msgs);
+ YYERROR;
+ }
$<chain>0->hookstr = chain_hook_name_lookup($4);
if ($<chain>0->hookstr == NULL) {
erec_queue(error(&@4, "unknown hook name %s", $4),
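Review bot: `chain->type` changes meaning here: it used to hold the STRING token itself and now holds a pointer into chain_type_str_array in rule.c. If chain_free() releases chain->type (it is not in this series), that becomes a free of static storage and has to go; if it does not, the token `$2` is unreferenced after the lookup and should be released on both the success and the YYERROR path, assuming STRING tokens are heap copies made by the scanner. The second alternative in the next hunk (L383-L396) has the same shape. The hook_spec rule continues outside this hunk.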
@@ -781,7 +786,12 @@ hook_spec : TYPE STRING HOOK STRING NUM
}
| TYPE STRING HOOK STRING DASH NUM
{
- $<chain>0->type = $2;
+ $<chain>0->type = chain_type_name_lookup($2);
+ if ($<chain>0->type == NULL) {
+ erec_queue(error(&@2, "unknown type name %s", $2),
+ state->msgs);
+ YYERROR;
+ }
$<chain>0->hookstr = chain_hook_name_lookup($4);
if ($<chain>0->hookstr == NULL) {
erec_queue(error(&@4, "unknown hook name %s", $4),
diff --git a/src/rule.c b/src/rule.c
index 1b1e5d4..37dcc8c 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -190,6 +190,25 @@ struct symbol *symbol_lookup(const struct scope *scope, const char *identifier)
return NULL;
}
+static const char *chain_type_str_array[] = {
+ "filter",
+ "nat",
+ "route",
+ NULL,
+};
+
+const char *chain_type_name_lookup(const char *name)
+{
+ int i;
+
+ for (i = 0; chain_type_str_array[i]; i++) {
+ if (!strcmp(name, chain_type_str_array[i]))
+ return chain_type_str_array[i];
+ }
+
+ return NULL;
+}
+
static const char *chain_hook_name_str_array[] = {
"prerouting",
"in",
--
1.8.3.2
* [nftables tool v2 PATCH 3/4] src: Add priority keyword on base chain description
From: Tomasz Bursztyka @ 2013-09-04 9:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Instead of:
add chain foo bar { type route hook input 0; }
it should now be:
add chain foo bar { type route hook input priority 0; }
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
src/parser.y | 8 ++++----
src/rule.c | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/parser.y b/src/parser.y
index 73a52d4..25da452 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -767,7 +767,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
}
;
-hook_spec : TYPE STRING HOOK STRING NUM
+hook_spec : TYPE STRING HOOK STRING PRIORITY NUM
{
$<chain>0->type = chain_type_name_lookup($2);
if ($<chain>0->type == NULL) {
@@ -781,10 +781,10 @@ hook_spec : TYPE STRING HOOK STRING NUM
state->msgs);
YYERROR;
}
- $<chain>0->priority = $5;
+ $<chain>0->priority = $6;
$<chain>0->flags |= CHAIN_F_BASECHAIN;
}
- | TYPE STRING HOOK STRING DASH NUM
+ | TYPE STRING HOOK STRING PRIORITY DASH NUM
{
$<chain>0->type = chain_type_name_lookup($2);
if ($<chain>0->type == NULL) {
@@ -798,7 +798,7 @@ hook_spec : TYPE STRING HOOK STRING NUM
state->msgs);
YYERROR;
}
- $<chain>0->priority = -$6;
+ $<chain>0->priority = -$7;
$<chain>0->flags |= CHAIN_F_BASECHAIN;
}
;
diff --git a/src/rule.c b/src/rule.c
index 37dcc8c..56592e8 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -314,7 +314,7 @@ static void chain_print(const struct chain *chain)
printf("\tchain %s {\n", chain->handle.chain);
if (chain->flags & CHAIN_F_BASECHAIN) {
- printf("\t\t type %s hook %s %u;\n", chain->type,
+ printf("\t\t type %s hook %s priority %u;\n", chain->type,
hooknum2str(chain->handle.family, chain->hooknum),
chain->priority);
}
--
1.8.3.2
* [nftables tool v2 PATCH 4/4] tests: Update bate chain creation according to latest syntax changes
From: Tomasz Bursztyka @ 2013-09-04 9:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Add the type, the plain hook name and the priority keyword.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
tests/dictionary | 2 +-
tests/expr-ct | 2 +-
tests/expr-meta | 2 +-
tests/family-bridge | 2 +-
tests/family-ipv4 | 2 +-
tests/family-ipv6 | 2 +-
tests/obj-chain | 2 +-
tests/payload-ll | 2 +-
tests/set | 2 +-
tests/stmt-log | 2 +-
tests/verdict-maps | 2 +-
11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/tests/dictionary b/tests/dictionary
index aad9ebe..4193529 100644
--- a/tests/dictionary
+++ b/tests/dictionary
@@ -1,7 +1,7 @@
#! nft -f
#
add table ip filter
-add chain ip filter output { hook NF_INET_LOCAL_OUT 0 ; }
+add chain ip filter output { type filter hook output priority 0 ; }
add chain ip filter chain1
add rule ip filter chain1 counter
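Review bot: Every test in this patch names the hook `output` or `input` (here and in expr-ct, expr-meta, family-bridge, family-ipv6, set, stmt-log, family-ipv4, obj-chain, payload-ll and verdict-maps), but the only names chain_hook_name_lookup() in patch 1/4 accepts are "prerouting", "in", "forward", "postrouting" and "out", so as posted these files are rejected at parse time with "unknown hook name". Either the table in rule.c or these files must use the same spelling for the series to pass its own tests.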
diff --git a/tests/expr-ct b/tests/expr-ct
index 39f1777..1dfc7ac 100644
--- a/tests/expr-ct
+++ b/tests/expr-ct
@@ -1,7 +1,7 @@
#! nft -f
add table ip filter
-add chain ip filter output { hook NF_INET_LOCAL_OUT 0 ; }
+add chain ip filter output { type filter hook output priority 0 ; }
# ct: state
add rule ip filter output ct state new,established counter
diff --git a/tests/expr-meta b/tests/expr-meta
index da16ae4..360caa7 100644
--- a/tests/expr-meta
+++ b/tests/expr-meta
@@ -1,7 +1,7 @@
#! nft -f
add table ip filter
-add chain ip filter output { hook NF_INET_LOCAL_OUT 0 ; }
+add chain ip filter output { type filter hook output priority 0 ; }
# meta: skb len
add rule ip filter output meta length 1000 counter
diff --git a/tests/family-bridge b/tests/family-bridge
index 98b7885..c87c832 100644
--- a/tests/family-bridge
+++ b/tests/family-bridge
@@ -1,7 +1,7 @@
#! nft -f
add table bridge filter
-add chain bridge filter output { hook NF_INET_LOCAL_OUT 0 ; }
+add chain bridge filter output { type filter hook output priority 0 ; }
# LL protocol
add rule bridge filter output eth type 0x0800 counter
diff --git a/tests/family-ipv4 b/tests/family-ipv4
index e744f02..0700e16 100644
--- a/tests/family-ipv4
+++ b/tests/family-ipv4
@@ -5,7 +5,7 @@ delete chain ip filter output
delete table filter
add table ip filter
-add chain ip filter output { hook NF_INET_LOCAL_IN 0; }
+add chain ip filter output { type filter hook input priority 0; }
# IP address
add rule ip filter output ip daddr 192.168.0.1 counter
diff --git a/tests/family-ipv6 b/tests/family-ipv6
index e76b2ce..cfc740c 100644
--- a/tests/family-ipv6
+++ b/tests/family-ipv6
@@ -1,7 +1,7 @@
#! nft -f
add table ip6 filter
-add chain ip6 filter output { hook NF_INET_LOCAL_OUT 0 ; }
+add chain ip6 filter output { type filter hook output priority 0 ; }
# IP address
add rule ip6 filter output ip6 daddr 2001:6f8:974::1 counter
diff --git a/tests/obj-chain b/tests/obj-chain
index f5094bb..2bce026 100644
--- a/tests/obj-chain
+++ b/tests/obj-chain
@@ -7,7 +7,7 @@ add chain filter testchain
delete chain filter testchain
# chains: add and delete base chain
-add chain filter input { hook NF_INET_LOCAL_OUT 0 ; }
+add chain filter input { type filter hook input priority 0 ; }
delete chain filter input
# chains: can not delete chain while referenced
diff --git a/tests/payload-ll b/tests/payload-ll
index feaf587..7f5660b 100644
--- a/tests/payload-ll
+++ b/tests/payload-ll
@@ -1,7 +1,7 @@
#! nft -f
add table ip filter
-add chain ip filter input NF_INET_LOCAL_IN 0
+add chain ip filter input { type filter hook input priority 0; }
# mac source
add rule ip filter input @ll,48,48 00:15:e9:f0:10:f8 counter
diff --git a/tests/set b/tests/set
index e2d8e49..3c040b0 100644
--- a/tests/set
+++ b/tests/set
@@ -1,7 +1,7 @@
#! nft -f
add table filter
-add chain filter output { hook NF_INET_LOCAL_OUT 0 ; }
+add chain filter output { type filter hook output priority 0 ; }
# set: IP addresses
add rule filter output ip daddr { \
diff --git a/tests/stmt-log b/tests/stmt-log
index 2153772..2ae7aae 100644
--- a/tests/stmt-log
+++ b/tests/stmt-log
@@ -1,6 +1,6 @@
#! nft -f
add table ip filter
-add chain ip filter output NF_INET_LOCAL_OUT 0
+add chain ip filter output { type filter hook output priority 0; }
add rule ip filter output log saddr "prefix" group 0 counter
diff --git a/tests/verdict-maps b/tests/verdict-maps
index 25b60d1..72ef98f 100644
--- a/tests/verdict-maps
+++ b/tests/verdict-maps
@@ -2,7 +2,7 @@
#
add table ip filter
-add chain ip filter input { hook NF_INET_LOCAL_IN 0; }
+add chain ip filter input { type filter hook input priority 0; }
add chain ip filter chain1
add filter chain1 counter
--
1.8.3.2
* Re: [nftables tool v2 PATCH 1/4] src: Wrap netfilter hooks around human readable strings
From: Pablo Neira Ayuso @ 2013-09-04 10:44 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Wed, Sep 04, 2013 at 12:50:19PM +0300, Tomasz Bursztyka wrote:
> This allows to use unique, human readable, hook names for the command
> line and let the user being unaware of the complex netfilter's hook
> names and there difference depending on the netfilter family.
>
> So:
> add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }
>
> becomes:
> add chain foo bar { type route hook input 0; }
>
> It also fixes then the difference in hook values between families.
> I.e. ARP family has different values for input, forward and output
> compared to IPv4, IPv6 or BRIDGE.
Applied with changes.
> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
> ---
> include/rule.h | 3 +++
> src/evaluate.c | 44 ++++++++++++++++++++++++++++++++++
> src/parser.y | 21 +++++++++++++----
> src/rule.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++-----------
> src/scanner.l | 6 -----
> 5 files changed, 123 insertions(+), 25 deletions(-)
>
> diff --git a/include/rule.h b/include/rule.h
> index 4f68431..14a3958 100644
> --- a/include/rule.h
> +++ b/include/rule.h
> @@ -98,6 +98,7 @@ enum chain_flags {
> * @handle: chain handle
> * @location: location the chain was defined at
> * @flags: chain flags
> + * @hookstr: unified and human readable hook name (base chains)
> * @hooknum: hook number (base chains)
> * @priority: hook priority (base chains)
> * @type: chain type
> @@ -108,6 +109,7 @@ struct chain {
> struct handle handle;
> struct location location;
> uint32_t flags;
> + const char *hookstr;
> unsigned int hooknum;
> unsigned int priority;
> const char *type;
> @@ -115,6 +117,7 @@ struct chain {
> struct list_head rules;
> };
>
> +extern const char *chain_hook_name_lookup(const char *name);
> extern struct chain *chain_alloc(const char *name);
> extern void chain_free(struct chain *chain);
> extern void chain_add_hash(struct chain *chain, struct table *table);
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 85c647e..470e141 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -14,6 +14,8 @@
> #include <stdint.h>
> #include <string.h>
> #include <arpa/inet.h>
> +#include <linux/netfilter.h>
> +#include <linux/netfilter_arp.h>
> #include <linux/netfilter/nf_tables.h>
>
> #include <expression.h>
> @@ -54,6 +56,8 @@ static int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx *ctx,
> __stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
> #define stmt_binary_error(ctx, s1, s2, fmt, args...) \
> __stmt_binary_error(ctx, &(s1)->location, &(s2)->location, fmt, ## args)
> +#define chain_error(ctx, s1, fmt, args...) \
> + __stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
>
> static int __fmtstring(3, 4) set_error(struct eval_ctx *ctx,
> const struct set *set,
> @@ -1247,10 +1251,50 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
> return 0;
> }
>
> +static uint32_t hookname2nfhook(uint32_t family, const char *hook)
> +{
> + switch (family) {
> + case NFPROTO_IPV4:
> + case NFPROTO_BRIDGE:
> + case NFPROTO_IPV6:
> + /* All these 3 families share actually
> + * the same values for each hook */
> + if (!strcmp(hook, "prerouting"))
> + return NF_INET_PRE_ROUTING;
> + else if (!strcmp(hook, "in"))
"input"
> + return NF_INET_LOCAL_IN;
> + else if (!strcmp(hook, "forward"))
> + return NF_INET_FORWARD;
> + else if (!strcmp(hook, "postrouting"))
> + return NF_INET_POST_ROUTING;
> + return NF_INET_LOCAL_OUT;
Better to check explicitly for "output" and fall back to an error otherwise.
* Re: [nftables tool v2 PATCH 2/4] src: Ensure given base chain type is a valid one
From: Pablo Neira Ayuso @ 2013-09-04 10:45 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Wed, Sep 04, 2013 at 12:50:20PM +0300, Tomasz Bursztyka wrote:
> It verifies at command line parsing that given type is "filter", "nat",
> or "route".
The kernel will just bail out if we pass an invalid chain type.
* Re: [nftables tool v2 PATCH 3/4] src: Add priority keyword on base chain description
From: Pablo Neira Ayuso @ 2013-09-04 10:46 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Wed, Sep 04, 2013 at 12:50:21PM +0300, Tomasz Bursztyka wrote:
> Instead of:
> add chain foo bar { type route hook input 0; }
>
> it should be now:
> add chain foo bar { type route hook input priority 0; }
Applied, thanks.
* Re: [nftables tool v2 PATCH 4/4] tests: Update bate chain creation according to latest syntax changes
From: Pablo Neira Ayuso @ 2013-09-04 10:46 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Wed, Sep 04, 2013 at 12:50:22PM +0300, Tomasz Bursztyka wrote:
> Adding type, plain hook's name and priority keyword.
Also applied, thanks.
* Re: [nftables tool v2 PATCH 2/4] src: Ensure given base chain type is a valid one
From: Tomasz Bursztyka @ 2013-09-04 11:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hi Pablo,
>> It verifies at command line parsing that given type is "filter", "nat",
>> >or "route".
> The kernel will just bail out if we pass an invalid chain type.
Sure, but I thought it would be nice to avoid one useless kernel
call (and the error can still be located at that point).
Tomasz
* Re: [nftables tool v2 PATCH 2/4] src: Ensure given base chain type is a valid one
From: Pablo Neira Ayuso @ 2013-09-05 9:03 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Wed, Sep 04, 2013 at 02:29:38PM +0300, Tomasz Bursztyka wrote:
> Hi Pablo,
>
> >>It verifies at command line parsing that given type is "filter", "nat",
> >>>or "route".
> >The kernel will just bail out if we pass an invalid chain type.
>
> Sure, however I thought it would be nice to avoid one useless kernel
> call. (and the error is still possible to locate at that point)
I was trying to avoid the need for updating nft if we ever have a new
chain type, but that's unlikely to happen and users get better error
reporting with this patch.
I have applied it, thanks.