From: Eric Leblond Date: Mon, 16 Sep 2013 16:27:37 +0000 (+0200) Subject: Update chain creation format. X-Git-Tag: v0.099~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57f844782fa86660ce16b79b485ec34729bce4f7;p=thirdparty%2Fnftables.git Update chain creation format. type keyword is now mandatory when creating a new chain. This patc halso implement the change required following the usage of human notation in hook. It also suppressed non currently supported mangle chains. Signed-off-by: Eric Leblond Signed-off-by: Pablo Neira Ayuso
---
diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
index ca306d48..54779c4a 100644
--- a/files/nftables/bridge-filter
+++ b/files/nftables/bridge-filter
@@ -1,7 +1,7 @@
 #! nft -f
 
 table bridge filter {
- chain input { hook NF_INET_LOCAL_IN -200; }
- chain forward { hook NF_INET_FORWARD -200; }
- chain output { hook NF_INET_LOCAL_OUT 200; }
+ chain input { type filter hook input priority -200; }
+ chain forward { type filter hook forward priority -200; }
+ chain output { type filter hook output priority 200; }
 }
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
index 3f962143..3174e7a9 100644
--- a/files/nftables/ipv4-filter
+++ b/files/nftables/ipv4-filter
@@ -1,7 +1,7 @@
 #! nft -f
 
 table filter {
- chain input { hook NF_INET_LOCAL_IN 0; }
- chain forward { hook NF_INET_FORWARD 0; }
- chain output { hook NF_INET_LOCAL_OUT 0; }
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
 }
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
index 339cacea..27327d3b 100644
--- a/files/nftables/ipv4-mangle
+++ b/files/nftables/ipv4-mangle
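Review bot: In files/nftables/bridge-filter the output chain keeps priority 200 while input and forward use -200, and nothing in the file says the asymmetry is deliberate. The values line up with the kernel's bridge filter priorities (NF_BR_PRI_FILTER_BRIDGED = -200 for input/forward, NF_BR_PRI_FILTER_OTHER = 200 for output), so someone who "corrects" the sign would move where output filtering runs relative to the other bridge hooks. A one-line comment above the chains would make that explicit, for example `# input/forward: -200 (NF_BR_PRI_FILTER_BRIDGED); output: 200 (NF_BR_PRI_FILTER_OTHER)`.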
@@ -1,9 +1,5 @@
 #! nft -f
 
 table mangle {
- chain prerouting { hook NF_INET_PRE_ROUTING -150; }
- chain input { hook NF_INET_LOCAL_IN -150; }
- chain forward { hook NF_INET_FORWARD -150; }
- chain output { hook NF_INET_LOCAL_OUT -150; }
- chain postrouting { hook NF_INET_POST_ROUTING -150; }
+ chain output { type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
new file mode 100644
index 00000000..99d69514
--- /dev/null
+++ b/files/nftables/ipv4-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table nat {
+ chain prerouting { type nat hook prerouting priority -150; }
+ chain postrouting { type nat hook postrouting priority -150; }
+}
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
index 9e412784..98fce02d 100644
--- a/files/nftables/ipv6-filter
+++ b/files/nftables/ipv6-filter
@@ -1,7 +1,7 @@
 #! nft -f
 
 table ip6 filter {
- chain input { hook NF_INET_LOCAL_IN 0; }
- chain forward { hook NF_INET_FORWARD 0; }
- chain output { hook NF_INET_LOCAL_OUT 0; }
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
 }
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
index dc18c7a8..72743532 100644
--- a/files/nftables/ipv6-mangle
+++ b/files/nftables/ipv6-mangle
@@ -1,9 +1,5 @@
 #! nft -f
 
 table ip6 mangle {
- chain prerouting { hook NF_INET_PRE_ROUTING -150; }
- chain input { hook NF_INET_LOCAL_IN -150; }
- chain forward { hook NF_INET_FORWARD -150; }
- chain output { hook NF_INET_LOCAL_OUT -150; }
- chain postrouting { hook NF_INET_POST_ROUTING -150; }
+ chain output { type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
new file mode 100644
index 00000000..33ecf9b6
--- /dev/null
+++ b/files/nftables/ipv6-nat
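Review bot: files/nftables/ipv4-mangle now defines only `chain output`, so a ruleset that adds rules to mangle prerouting, input, forward or postrouting after loading this file will no longer find those chains. The commit message says the other chains are not currently supported, but the file itself carries no hint of that. A comment in the table, such as `# only the output hook is provided: type route chains are limited to output; other mangle hooks were removed`, would keep users from assuming that packet marking at prerouting or forward still takes effect. The ipv6-mangle hunk has the same gap.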
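Review bot: Both chains in the new files/nftables/ipv4-nat use priority -150, the same value as the mangle output chain, instead of separate values for destination and source NAT. With postrouting at -150, source NAT would likely run before any chain a user registers at postrouting priority 0, so such a chain would match on already-translated source addresses; iptables places destination NAT at -100 and source NAT at 100. If -150 is intended, a comment should say why; otherwise consider `type nat hook prerouting priority -100;` and `type nat hook postrouting priority 100;`. files/nftables/ipv6-nat carries the same values.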
@@ -0,0 +1,6 @@
+#! nft -f
+
+table ip6 nat {
+ chain prerouting { type nat hook prerouting priority -150; }
+ chain postrouting { type nat hook postrouting priority -150; }
+}