From 895f1a6c60cd8a26c8a5174388e05777eff01a88 Mon Sep 17 00:00:00 2001
From: Daniel Mack
Date: Tue, 12 Mar 2024 15:13:11 +0100
Subject: [PATCH 1/2] chain: add ChainHookEgress

NETDEV tables can have egress hooks. Add the definition to enable that case.
---
 chain.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/chain.go b/chain.go
index e1bda29..5bc0e49 100644
--- a/chain.go
+++ b/chain.go
@@ -37,6 +37,7 @@ var (
 ChainHookOutput *ChainHook = ChainHookRef(unix.NF_INET_LOCAL_OUT)
 ChainHookPostrouting *ChainHook = ChainHookRef(unix.NF_INET_POST_ROUTING)
 ChainHookIngress *ChainHook = ChainHookRef(unix.NF_NETDEV_INGRESS)
+ ChainHookEgress *ChainHook = ChainHookRef(unix.NF_NETDEV_EGRESS)
 )
 
 // ChainHookRef returns a pointer to a ChainHookRef value.

From 523b56a3521a0388421af001a06bd45bc24c734d Mon Sep 17 00:00:00 2001
From: Daniel Mack
Date: Tue, 12 Mar 2024 15:14:24 +0100
Subject: [PATCH 2/2] Chain: add 'device' as hook attribute

NETDEV tables can specify a device the apply to. Add support for this by augmenting the `Chain` struct.
---
 chain.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/chain.go b/chain.go
index 5bc0e49..8d797be 100644
--- a/chain.go
+++ b/chain.go
@@ -102,6 +102,7 @@ type Chain struct {
 Priority *ChainPriority
 Type ChainType
 Policy *ChainPolicy
+ Device string
 }
 
 // AddChain adds the specified Chain. See also
@@ -119,6 +120,11 @@ func (cc *Conn) AddChain(c *Chain) *Chain {
 {Type: unix.NFTA_HOOK_HOOKNUM, Data: binaryutil.BigEndian.PutUint32(uint32(*c.Hooknum))},
 {Type: unix.NFTA_HOOK_PRIORITY, Data: binaryutil.BigEndian.PutUint32(uint32(*c.Priority))},
 }
+
+ if c.Device != "" {
+ hookAttr = append(hookAttr, netlink.Attribute{Type: unix.NFTA_HOOK_DEV, Data: []byte(c.Device + "\x00")})
+ }
+
 data = append(data, cc.marshalAttr([]netlink.Attribute{
 {Type: unix.NLA_F_NESTED | unix.NFTA_CHAIN_HOOK, Data: cc.marshalAttr(hookAttr)},
 })...)
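Review bot: The new `ChainHookEgress` entry in the `var` block carries no comment, so a reader of this exported set cannot tell that, like `ChainHookIngress` just above it, it maps to a `NF_NETDEV_*` hook and therefore only makes sense for chains in the netdev family. I would add `// ChainHookEgress is the netdev-family egress hook (NF_NETDEV_EGRESS); it needs a kernel that implements that hook, which I believe is Linux 5.16 or newer.` above the added line. The sibling hooks are undocumented too, so the same treatment for the whole block would be a reasonable follow-up; the `var` block itself is complete within the hunk.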
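Review bot: `Device` is added to `Chain` without a field comment, and since none of the neighbouring fields in the hunk have one either, nothing tells a caller when the value is actually sent or what the kernel accepts for it. From the second hunk of this patch the attribute is emitted only alongside the hook number and priority, presumably inside a hook-present condition that starts outside that hunk, and interface names are limited by the kernel to `unix.IFNAMSIZ` bytes including the terminating NUL. I would add `// Device is the interface name for netdev-family hooks (NFTA_HOOK_DEV); it is sent only when the chain has a hook, and empty means no device attribute is emitted.` above the field. The struct's header is in the hunk but its opening fields are not.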
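Review bot: The `NFTA_HOOK_DEV` attribute is built from `c.Device` with no check that it is a well-formed interface name, so a name of `unix.IFNAMSIZ` bytes or longer, or one containing an embedded NUL byte, is serialized as-is and the problem only surfaces when the kernel processes the batch, far from the call that supplied the value; an embedded NUL would presumably be read by the kernel as the end of the name, binding the chain to a different device than the caller wrote. A guard such as `if len(c.Device) >= unix.IFNAMSIZ || strings.ContainsRune(c.Device, 0) { /* reject before queueing */ }` ahead of the `append` would catch this at the source. `AddChain` returns only `*Chain` in the hunk header, so how the rejection is reported depends on the function's error handling, which lies outside the hunk. The `hookAttr` slice is also declared inside a condition whose start is not visible, so it is worth confirming that `Device` is silently ignored when no hook is set rather than documented as such. AddChain begins and ends outside the hunk.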