Re: [PATCH nft] src: add netdev family support

2015-05-26 Thread Pablo Neira Ayuso
On Tue, May 26, 2015 at 06:52:04PM +0200, Patrick McHardy wrote:
 On 25.05, Pablo Neira Ayuso wrote:
  diff --git a/include/rule.h b/include/rule.h
  index 97959f7..06ec2ff 100644
  --- a/include/rule.h
  +++ b/include/rule.h
  @@ -72,6 +72,7 @@ enum table_flags {
*
* @list:  list node
* @handle:table handle
  + * @dev:   network device name (only for netdev family)
* @location:  location the table was defined at
* @chains:chains contained in the table
* @sets:  sets contained in the table
  @@ -80,6 +81,7 @@ enum table_flags {
   struct table {
  struct list_headlist;
  struct handle   handle;
  +   const char  *dev;
 
 I think this logically belongs into struct handle itself.

Thanks Patrick, I'll move this to the handle.
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH nft] src: add netdev family support

2015-05-26 Thread Patrick McHardy
On 25.05, Pablo Neira Ayuso wrote:
 diff --git a/include/rule.h b/include/rule.h
 index 97959f7..06ec2ff 100644
 --- a/include/rule.h
 +++ b/include/rule.h
 @@ -72,6 +72,7 @@ enum table_flags {
   *
   * @list:list node
   * @handle:  table handle
 + * @dev: network device name (only for netdev family)
   * @location:location the table was defined at
   * @chains:  chains contained in the table
   * @sets:sets contained in the table
 @@ -80,6 +81,7 @@ enum table_flags {
  struct table {
   struct list_headlist;
   struct handle   handle;
 + const char  *dev;
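Review bot: the ownership of the new `const char *dev` pointer in struct table is undocumented; the kerneldoc line added in the previous hunk only says `@dev: network device name (only for netdev family)`. State whether the table owns the string (and releases it when the table is freed) or just references memory held by the parser, and that it must be NULL for every family other than netdev so code paths can rely on that check rather than on the family alone. Suggested wording for the comment: `@dev: network device name, NULL unless family is netdev`.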

I think this logically belongs into struct handle itself.


[PATCH nft] src: add netdev family support

2015-05-25 Thread Pablo Neira Ayuso
This patch adds support for the new 'netdev' table. So far, this table allows
you to create filter chains from ingress.

The following example shows a very simple base configuration with one table that
is bound to device 'eth0' with a single ingress chain:

 # nft list table netdev eth0
 table netdev eth0 {
         device eth0;

         chain ingress {
                 type filter hook ingress priority 0; policy accept;
         }
 }

The selected table name is 'eth0' but you could have selected any name.

You can test that this works by adding a simple rule with counters:

 # nft add rule netdev eth0 ingress counter

or a bit more elaborate test like:

 http://people.netfilter.org/pablo/nft-ingress.ruleset

More information will be available at the nftables documentation site [1].

[1] http://wiki.nftables.org/

Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
 doc/nft.xml   |   41 +
 include/linux/netfilter.h |8 
 include/rule.h|2 ++
 src/evaluate.c|4 
 src/netlink.c |   11 +--
 src/parser_bison.y|7 +++
 src/payload.c |1 +
 src/proto.c   |1 +
 src/rule.c|   23 +++
 src/scanner.l |2 ++
 10 files changed, 98 insertions(+), 2 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 8d79016..1172c43 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -267,6 +267,14 @@ filter input iif $int_ifs accept
/para
/listitem
/varlistentry
+   varlistentry
+   termoptionnetdev/option/term
+   listitem
+   para
+   Netdev address family, 
handling packets from ingress.
+   /para
+   /listitem
+   /varlistentry
/variablelist
/para
para
@@ -373,6 +381,38 @@ filter input iif $int_ifs accept
The bridge address family handles ethernet 
packets traversing bridge devices.
/para
/refsect2
+   refsect2
+   titleNetdev address family/title
+   para
+   The Netdev address family handles packets from 
ingress.
+   /para
+   para
+   table frame=all
+   titleNetdev address family 
hooks/title
+   tgroup cols='2' align='left' 
colsep='1' rowsep='1' pgwide=1
+   colspec colname='c1' 
colwidth=1*/
+   colspec colname='c2' 
colwidth=5*/
+   thead
+   row
+   
entryHook/entry
+   
entryDescription/entry
+   /row
+   /thead
+   tbody
+   row
+   
entryingress/entry
+   entry
+   All 
packets entering the system are processed by this hook. It is invoked
+   before 
layer 3 protocol handlers and it can be used for early filtering and
+   
policing.
+   /entry
+   /row
+   /tbody
+   /tgroup
+   /table
+   /para
+   /refsect2
+
/refsect1
 
refsect1
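Review bot: the hook description in the tbody row is broader than what the feature does: "All packets entering the system are processed by this hook" reads as though a single ingress chain sees traffic on every interface, whereas the commit message example binds the table to one device (`device eth0;`). Suggest "All packets entering the system through the device the table is bound to are processed by this hook". The same refsect2 should also document the `device` statement that a netdev table requires, since nothing in this doc hunk tells the reader how the table is attached to a network device.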
@@ -401,6 +441,7 @@ filter input iif $int_ifs accept
memberliteralinet/literal/member
memberliteralarp/literal/member
memberliteralbridge/literal/member
+   memberliteralnetdev/literal/member
/simplelist.
 
The literalinet/literal address family is a dummy 
family which is used to