Hi,
This patchset extends the netdev family to allow for hooking multiple
devices to basechains, eg.
nft add table netdev x
nft add chain netdev x y { \
type filter hook ingress devices = { eth0, eth1 } priority 0\; }
Hence you can apply the same policy to packets coming in from the eth0 and
eth1 netdevices.
1) Add nft_flow_block_chain() helper function.
2) Pass callback list to nft_setup_cb_call().
3) Add nft_flow_cls_offload_setup() helper function.
4) Iterate over the list of callbacks that belong to the netdevice that
is being unregistered to remove the rules from that netdevice.
These patches come in preparation for:
5) Allow for hooking multiple devices to the same netdev basechain.
Pablo Neira Ayuso (5):
netfilter: nf_tables_offload: add nft_flow_block_chain()
netfilter: nf_tables_offload: Pass callback list to nft_setup_cb_call()
netfilter: nf_tables_offload: add nft_flow_cls_offload_setup()
netfilter: nf_tables_offload: remove rules on unregistered device only
netfilter: nf_tables: support for multiple devices per netdev hook
include/net/netfilter/nf_tables.h | 4 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/netfilter/nf_tables_api.c | 296 ++++++++++++++++++++++++-------
net/netfilter/nf_tables_offload.c | 98 ++++++----
net/netfilter/nft_chain_filter.c | 45 +++--
5 files changed, 325 insertions(+), 120 deletions(-)
--
2.11.0
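As an added example (not part of the patchset or of its cover letter), the ruleset below shows the multi-device binding from the cover letter as a complete netdev table with a filter rule, plus a helper that loads it and prints the chain back so the `devices = { eth0, eth1 }` binding can be confirmed. The device names, the 192.0.2.0/24 source filter and the assumption that the local nft binary understands the `devices = { }` syntax are illustrative assumptions.

```shell
# Added example: one netdev ingress basechain bound to two devices.
# eth0/eth1 and the drop rule are assumptions for illustration.

ruleset_multi_dev() {
    cat <<'EOF'
table netdev x {
    chain y {
        # One chain, one policy, hooked at ingress on both devices.
        type filter hook ingress devices = { eth0, eth1 } priority 0; policy accept;
        ip saddr 192.0.2.0/24 counter drop
    }
}
EOF
}

# Parse the chain declaration and count the devices it binds.
# Works on the text alone, so it needs neither root nor the patched kernel.
bound_device_count() {
    ruleset_multi_dev | sed -n 's/.*devices = { \([^}]*\) }.*/\1/p' \
        | tr ',' '\n' | grep -c .
}

# Load the ruleset atomically and list the chain back. Requires root, a kernel
# carrying this patchset and an nft userspace that accepts devices = { } (assumed).
load_and_verify() {
    f=$(mktemp) || return 1
    ruleset_multi_dev > "$f"
    nft -f "$f" && nft list chain netdev x y
    rc=$?
    rm -f "$f"
    return $rc
}
```

Loading with `nft -f` keeps the table, the chain and its rule in a single transaction, so the chain is never registered on only one of the two devices. `nft -c -f file` can be used first to syntax-check the file without committing it.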