diff mbox

[nft,7/9] files: provide 'raw' table equivalent

Message ID 20170314195816.1721-8-fw@strlen.de
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Florian Westphal March 14, 2017, 7:58 p.m. UTC 
useful for the 'ct zone set' statement, it has to be done before
the conntrack lookup but preferrably after the defragmention hook.

In iptables, the functionality resides in the CT target which is
restricted to the raw table.  This provides the skeleton for nft.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 files/nftables/Makefile.am | 4 +++-
 files/nftables/ipv4-raw    | 6 ++++++
 files/nftables/ipv6-raw    | 6 ++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 files/nftables/ipv4-raw
 create mode 100644 files/nftables/ipv6-raw
diff mbox

Patch

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index 1378e2b684f1..a4c7ac7c980b 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -5,9 +5,11 @@  dist_pkgsysconf_DATA =	bridge-filter	\
 			ipv4-filter	\
 			ipv4-mangle	\
 			ipv4-nat	\
+			ipv4-raw	\
 			ipv6-filter	\
 			ipv6-mangle	\
-			ipv6-nat
+			ipv6-nat	\
+			ipv6-raw
 
 install-data-hook:
 	${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
new file mode 100644
index 000000000000..19773ee8bc3b
--- /dev/null
+++ b/files/nftables/ipv4-raw
@@ -0,0 +1,6 @@ 
+#! @sbindir@nft -f
+
+table raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
new file mode 100644
index 000000000000..5ee56a83987e
--- /dev/null
+++ b/files/nftables/ipv6-raw
@@ -0,0 +1,6 @@ 
+#! @sbindir@nft -f
+
+table ip6 raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}