git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 19 Apr 2023 09:50:01 +0000 (11:50 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 24 Apr 2023 20:48:42 +0000 (22:48 +0200)
commit	a66b5ad9540dd64c7c67006201b8b3ccf8e4316b
tree	d642bd18f44fa6672a27126c63cc2fb991120423	tree
parent	99b56d4ee1442ccfa0aadde3cb3ecee74a4de815	commit \| diff

src: allow for updating devices on existing netdev chain

This patch allows you to add/remove devices to an existing chain:

# cat ruleset.nft
table netdev x {
chain y {
type filter hook ingress devices = { eth0 } priority 0; policy accept;
}
}
# nft -f ruleset.nft
# nft add chain netdev x y '{ devices = { eth1 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
}
}
# nft delete chain netdev x y '{ devices = { eth0 }; }'
# nft list ruleset
table netdev x {
chain y {
type filter hook ingress devices = { eth1 } priority 0; policy accept;
}
}

This feature allows for creating an empty netdev chain, with no devices.
In such case, no packets are seen until a device is registered.

This patch includes extended netlink error reporting:

# nft add chain netdev x y '{ devices = { x } ; }'
Error: Could not process rule: No such file or directory
add chain netdev x y { devices = { x } ; }
^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/evaluate.c		diff \| blob \| blame \| history
src/mnl.c		diff \| blob \| blame \| history
src/monitor.c		diff \| blob \| blame \| history
src/parser_bison.y		diff \| blob \| blame \| history
src/rule.c		diff \| blob \| blame \| history
tests/shell/testcases/chains/dumps/netdev_chain_0.nft	[new file with mode: 0644]	blob
tests/shell/testcases/chains/netdev_chain_0	[new file with mode: 0755]	blob