return NF_INET_NUMHOOKS;
switch (family) {
+ case NFPROTO_INET:
+ if (!strcmp(hook, "ingress"))
+ return NF_INET_INGRESS;
case NFPROTO_IPV4:
case NFPROTO_BRIDGE:
case NFPROTO_IPV6:
- case NFPROTO_INET:
/* These families have overlapping values for each hook */
if (!strcmp(hook, "prerouting"))
return NF_INET_PRE_ROUTING;
expr_name(chain->policy));
}
- if (chain->handle.family == NFPROTO_NETDEV) {
+ if (chain->handle.family == NFPROTO_NETDEV ||
+ (chain->handle.family == NFPROTO_INET &&
+ chain->hook.num == NF_INET_INGRESS)) {
if (!chain->dev_expr)
return __stmt_binary_error(ctx, &chain->loc, NULL,
"Missing `device' in this chain definition");
--- /dev/null
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ chain ingress {
+ type filter hook ingress device \"lo\" priority filter; policy accept;
+ }
+ chain input {
+ type filter hook input priority filter; policy accept;
+ }
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
--- /dev/null
+table inet filter {
+ chain ingress {
+ type filter hook ingress device \"lo\" priority filter; policy accept;
+ }
+ chain input {
+ type filter hook input priority filter; policy accept;
+ }
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ }
+}
projects / thirdparty / nftables.git / commitdiff
