netfilter: nf_tables: convert built-in tables/chains to chain types

This patch converts built-in tables/chains to chain types that allows you to deploy customized table and chain configurations from userspace. After this patch, you have to specify the chain type when creating a new chain: add chain ip filter output { type filter hook input priority 0; } ^^^^ ------ The existing chain types after this patch are: filter, route and nat. Note that tables are just containers of chains with no specific semantics, which is a significant change with regards to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-10 17:21:26 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-14 11:16:11 -0400
commit: 9370761c56b66aa5c65e069a7b010111a025018d (patch)
tree: 0b9080fdb768fc5f8f16c685de605d07347283f9 /include/net
parent: c29b72e02573b8fe5e6cae5d192a6a4772e7bbd6 (diff)
1 files changed, 22 insertions, 9 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 66d0359702c6..8403f7f52e81 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -336,7 +336,6 @@ static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
 enum nft_chain_flags {
        NFT_BASE_CHAIN                  = 0x1,
-        NFT_CHAIN_BUILTIN               = 0x2,
 };
 /**
@@ -362,14 +361,23 @@ struct nft_chain {
        char                            name[NFT_CHAIN_MAXNAMELEN];
 };
+enum nft_chain_type {
+        NFT_CHAIN_T_DEFAULT = 0,
+        NFT_CHAIN_T_ROUTE,
+        NFT_CHAIN_T_NAT,
+        NFT_CHAIN_T_MAX
+};
 /**
 *      struct nft_base_chain - nf_tables base chain
 *
 *      @ops: netfilter hook ops
+ *      @type: chain type
 *      @chain: the chain
 */
 struct nft_base_chain {
        struct nf_hook_ops              ops;
+        enum nft_chain_type             type;
        struct nft_chain                chain;
 };
@@ -384,10 +392,6 @@ extern unsigned int nft_do_chain(const struct nf_hook_ops *ops,
                                 const struct net_device *out,
                                 int (*okfn)(struct sk_buff *));
-enum nft_table_flags {
-        NFT_TABLE_BUILTIN               = 0x1,
-};
 /**
 *      struct nft_table - nf_tables table
 *
@@ -431,8 +435,17 @@ struct nft_af_info {
 extern int nft_register_afinfo(struct nft_af_info *);
 extern void nft_unregister_afinfo(struct nft_af_info *);
-extern int nft_register_table(struct nft_table *, int family);
+struct nf_chain_type {
-extern void nft_unregister_table(struct nft_table *, int family);
+        unsigned int            hook_mask;
+        const char              *name;
+        enum nft_chain_type     type;
+        nf_hookfn               *fn[NF_MAX_HOOKS];
+        struct module           *me;
+        int                     family;
+};
+extern int nft_register_chain_type(struct nf_chain_type *);
+extern void nft_unregister_chain_type(struct nf_chain_type *);
 extern int nft_register_expr(struct nft_expr_type *);
 extern void nft_unregister_expr(struct nft_expr_type *);
@@ -440,8 +453,8 @@ extern void nft_unregister_expr(struct nft_expr_type *);
 #define MODULE_ALIAS_NFT_FAMILY(family) \
        MODULE_ALIAS("nft-afinfo-" __stringify(family))
-#define MODULE_ALIAS_NFT_TABLE(family, name) \
+#define MODULE_ALIAS_NFT_CHAIN(family, name) \
-        MODULE_ALIAS("nft-table-" __stringify(family) "-" name)
+        MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
 #define MODULE_ALIAS_NFT_EXPR(name) \
        MODULE_ALIAS("nft-expr-" name)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-10 17:21:26 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-10-14 11:16:11 -0400
commit	9370761c56b66aa5c65e069a7b010111a025018d (patch)
tree	0b9080fdb768fc5f8f16c685de605d07347283f9 /include/net
parent	c29b72e02573b8fe5e6cae5d192a6a4772e7bbd6 (diff)