|
 |
bacbc8 |
From fbccf77429c4f1fccd48a201369402e33bea91c6 Mon Sep 17 00:00:00 2001
|
|
|
bacbc8 |
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
bacbc8 |
Date: Wed, 26 Sep 2018 16:23:19 +0200
|
|
|
bacbc8 |
Subject: [PATCH] netlink: remove markup json parsing code
|
|
|
bacbc8 |
|
|
|
bacbc8 |
We have better json support these days, remove libnftnl json support.
|
|
|
bacbc8 |
|
|
|
bacbc8 |
While at it, remove test file for this too.
|
|
|
bacbc8 |
|
|
|
bacbc8 |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
bacbc8 |
(cherry picked from commit 276c452e47c5e22b3af06a051aa2908521aeba66)
|
|
|
bacbc8 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
bacbc8 |
---
|
|
|
bacbc8 |
src/netlink.c | 276 +-----------------
|
|
|
bacbc8 |
tests/shell/testcases/import/vm_json_import_0 | 53 ----
|
|
|
bacbc8 |
2 files changed, 2 insertions(+), 327 deletions(-)
|
|
|
bacbc8 |
delete mode 100755 tests/shell/testcases/import/vm_json_import_0
|
|
|
bacbc8 |
|
|
|
bacbc8 |
diff --git a/src/netlink.c b/src/netlink.c
|
|
|
bacbc8 |
index c178be3c9ee26..0509a06b3d2b3 100644
|
|
|
bacbc8 |
--- a/src/netlink.c
|
|
|
bacbc8 |
+++ b/src/netlink.c
|
|
|
bacbc8 |
@@ -1970,280 +1970,8 @@ int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type,
|
|
|
bacbc8 |
return MNL_CB_OK;
|
|
|
bacbc8 |
}
|
|
|
bacbc8 |
|
|
|
bacbc8 |
-static int netlink_markup_setelems(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- const struct ruleset_parse *rp;
|
|
|
bacbc8 |
- struct nftnl_set *set;
|
|
|
bacbc8 |
- uint32_t cmd;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- set = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_SET);
|
|
|
bacbc8 |
- rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD);
|
|
|
bacbc8 |
- switch (cmd) {
|
|
|
bacbc8 |
- case NFTNL_CMD_ADD:
|
|
|
bacbc8 |
- ret = mnl_nft_setelem_batch_add(set, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_DELETE:
|
|
|
bacbc8 |
- ret = mnl_nft_setelem_batch_del(set, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_set(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- const struct ruleset_parse *rp;
|
|
|
bacbc8 |
- struct nftnl_set *set;
|
|
|
bacbc8 |
- uint32_t cmd;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- set = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_SET);
|
|
|
bacbc8 |
- rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD);
|
|
|
bacbc8 |
- switch (cmd) {
|
|
|
bacbc8 |
- case NFTNL_CMD_ADD:
|
|
|
bacbc8 |
- ret = mnl_nft_set_batch_add(set, rp->nl_ctx->batch, NLM_F_EXCL,
|
|
|
bacbc8 |
- rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_DELETE:
|
|
|
bacbc8 |
- ret = mnl_nft_set_batch_del(set, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- if (ret < 0)
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return netlink_markup_setelems(ctx);
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_build_rule(const struct nftnl_parse_ctx *ctx,
|
|
|
bacbc8 |
- uint32_t cmd, struct nftnl_rule *rule)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- const struct ruleset_parse *rp;
|
|
|
bacbc8 |
- uint32_t nl_flags;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- switch (cmd) {
|
|
|
bacbc8 |
- case NFTNL_CMD_ADD:
|
|
|
bacbc8 |
- nl_flags = NLM_F_APPEND | NLM_F_CREATE;
|
|
|
bacbc8 |
- nftnl_rule_unset(rule, NFTNL_RULE_HANDLE);
|
|
|
bacbc8 |
- ret = mnl_nft_rule_batch_add(rule, rp->nl_ctx->batch, nl_flags,
|
|
|
bacbc8 |
- rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_DELETE:
|
|
|
bacbc8 |
- ret = mnl_nft_rule_batch_del(rule, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_REPLACE:
|
|
|
bacbc8 |
- nl_flags = NLM_F_REPLACE;
|
|
|
bacbc8 |
- ret = mnl_nft_rule_batch_add(rule, rp->nl_ctx->batch, nl_flags,
|
|
|
bacbc8 |
- rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_INSERT:
|
|
|
bacbc8 |
- nl_flags = NLM_F_CREATE;
|
|
|
bacbc8 |
- nftnl_rule_unset(rule, NFTNL_RULE_HANDLE);
|
|
|
bacbc8 |
- ret = mnl_nft_rule_batch_add(rule, rp->nl_ctx->batch, nl_flags,
|
|
|
bacbc8 |
- rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_rule(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- struct nftnl_rule *rule;
|
|
|
bacbc8 |
- uint32_t cmd;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD);
|
|
|
bacbc8 |
- rule = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_RULE);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return netlink_markup_build_rule(ctx, cmd, rule);
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_build_flush(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- struct nftnl_rule *rule;
|
|
|
bacbc8 |
- struct nftnl_table *table;
|
|
|
bacbc8 |
- struct nftnl_chain *chain;
|
|
|
bacbc8 |
- const char *table_get_name, *table_get_family;
|
|
|
bacbc8 |
- const char *chain_get_table, *chain_get_name, *chain_get_family;
|
|
|
bacbc8 |
- uint32_t type;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- rule = nftnl_rule_alloc();
|
|
|
bacbc8 |
- if (rule == NULL)
|
|
|
bacbc8 |
- return -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- type = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_TYPE);
|
|
|
bacbc8 |
- switch (type) {
|
|
|
bacbc8 |
- case NFTNL_RULESET_TABLE:
|
|
|
bacbc8 |
- table = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_TABLE);
|
|
|
bacbc8 |
- table_get_name = nftnl_table_get(table, NFTNL_TABLE_NAME);
|
|
|
bacbc8 |
- table_get_family = nftnl_table_get(table, NFTNL_TABLE_FAMILY);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- nftnl_rule_set(rule, NFTNL_RULE_TABLE, table_get_name);
|
|
|
bacbc8 |
- nftnl_rule_set(rule, NFTNL_RULE_FAMILY, table_get_family);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_RULESET_CHAIN:
|
|
|
bacbc8 |
- chain = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_CHAIN);
|
|
|
bacbc8 |
- chain_get_table = nftnl_chain_get(chain, NFTNL_CHAIN_TABLE);
|
|
|
bacbc8 |
- chain_get_name = nftnl_chain_get(chain, NFTNL_CHAIN_NAME);
|
|
|
bacbc8 |
- chain_get_family = nftnl_chain_get(chain, NFTNL_TABLE_FAMILY);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- nftnl_rule_set(rule, NFTNL_RULE_TABLE, chain_get_table);
|
|
|
bacbc8 |
- nftnl_rule_set(rule, NFTNL_RULE_CHAIN, chain_get_name);
|
|
|
bacbc8 |
- nftnl_rule_set(rule, NFTNL_RULE_FAMILY, chain_get_family);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- goto err;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- ret = netlink_markup_build_rule(ctx, NFTNL_CMD_DELETE, rule);
|
|
|
bacbc8 |
-err:
|
|
|
bacbc8 |
- nftnl_rule_free(rule);
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_chain(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- const struct ruleset_parse *rp;
|
|
|
bacbc8 |
- struct nftnl_chain *chain;
|
|
|
bacbc8 |
- uint32_t cmd;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- chain = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_CHAIN);
|
|
|
bacbc8 |
- rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- nftnl_chain_unset(chain, NFTNL_CHAIN_HANDLE);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD);
|
|
|
bacbc8 |
- switch (cmd) {
|
|
|
bacbc8 |
- case NFTNL_CMD_ADD:
|
|
|
bacbc8 |
- ret = mnl_nft_chain_batch_add(chain, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_DELETE:
|
|
|
bacbc8 |
- ret = mnl_nft_chain_batch_del(chain, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_FLUSH:
|
|
|
bacbc8 |
- ret = netlink_markup_build_flush(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_build_table(const struct nftnl_parse_ctx *ctx,
|
|
|
bacbc8 |
- uint32_t cmd, struct nftnl_table *table)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- struct ruleset_parse *rp;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- switch (cmd) {
|
|
|
bacbc8 |
- case NFTNL_CMD_ADD:
|
|
|
bacbc8 |
- ret = mnl_nft_table_batch_add(table, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_DELETE:
|
|
|
bacbc8 |
- ret = mnl_nft_table_batch_del(table, rp->nl_ctx->batch,
|
|
|
bacbc8 |
- 0, rp->nl_ctx->seqnum);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_CMD_FLUSH:
|
|
|
bacbc8 |
- ret = netlink_markup_build_flush(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_table(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- struct nftnl_table *table;
|
|
|
bacbc8 |
- uint32_t cmd;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD);
|
|
|
bacbc8 |
- table = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_TABLE);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return netlink_markup_build_table(ctx, cmd, table);
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-static int netlink_markup_flush(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- struct nftnl_table *table;
|
|
|
bacbc8 |
- int ret;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- table = nftnl_table_alloc();
|
|
|
bacbc8 |
- if (table == NULL)
|
|
|
bacbc8 |
- return -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- ret = netlink_markup_build_table(ctx, NFTNL_CMD_DELETE, table);
|
|
|
bacbc8 |
- nftnl_table_free(table);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
int netlink_markup_parse_cb(const struct nftnl_parse_ctx *ctx)
|
|
|
bacbc8 |
{
|
|
|
bacbc8 |
- uint32_t type;
|
|
|
bacbc8 |
- int ret = -1;
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- type = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_TYPE);
|
|
|
bacbc8 |
- switch (type) {
|
|
|
bacbc8 |
- case NFTNL_RULESET_TABLE:
|
|
|
bacbc8 |
- ret = netlink_markup_table(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_RULESET_CHAIN:
|
|
|
bacbc8 |
- ret = netlink_markup_chain(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_RULESET_RULE:
|
|
|
bacbc8 |
- ret = netlink_markup_rule(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_RULESET_SET:
|
|
|
bacbc8 |
- ret = netlink_markup_set(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_RULESET_SET_ELEMS:
|
|
|
bacbc8 |
- ret = netlink_markup_setelems(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- case NFTNL_RULESET_RULESET:
|
|
|
bacbc8 |
- ret = netlink_markup_flush(ctx);
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- default:
|
|
|
bacbc8 |
- errno = EOPNOTSUPP;
|
|
|
bacbc8 |
- break;
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- nftnl_ruleset_ctx_free(ctx);
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- return ret;
|
|
|
bacbc8 |
+ errno = EOPNOTSUPP;
|
|
|
bacbc8 |
+ return -1;
|
|
|
bacbc8 |
}
|
|
|
bacbc8 |
diff --git a/tests/shell/testcases/import/vm_json_import_0 b/tests/shell/testcases/import/vm_json_import_0
|
|
|
bacbc8 |
deleted file mode 100755
|
|
|
bacbc8 |
index 546ccf7ab490f..0000000000000
|
|
|
bacbc8 |
--- a/tests/shell/testcases/import/vm_json_import_0
|
|
|
bacbc8 |
+++ /dev/null
|
|
|
bacbc8 |
@@ -1,53 +0,0 @@
|
|
|
bacbc8 |
-#!/bin/bash
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-RULESET="table ip mangle {
|
|
|
bacbc8 |
- set blackhole {
|
|
|
bacbc8 |
- type ipv4_addr
|
|
|
bacbc8 |
- elements = { 192.168.1.4, 192.168.1.5 }
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
- chain prerouting {
|
|
|
bacbc8 |
- type filter hook prerouting priority 0; policy accept;
|
|
|
bacbc8 |
- tcp dport { ssh, http } accept
|
|
|
bacbc8 |
- ip saddr @blackhole drop
|
|
|
bacbc8 |
- icmp type echo-request accept
|
|
|
bacbc8 |
- iifname \"lo\" accept
|
|
|
bacbc8 |
- icmp type echo-request counter packets 0 bytes 0
|
|
|
bacbc8 |
- ct state established,related accept
|
|
|
bacbc8 |
- tcp flags != syn counter packets 7 bytes 841
|
|
|
bacbc8 |
- ip saddr 192.168.1.100 ip daddr 192.168.1.1 counter packets 0 bytes 0
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-table arp x {
|
|
|
bacbc8 |
- chain y {
|
|
|
bacbc8 |
- arp htype 22
|
|
|
bacbc8 |
- arp ptype ip
|
|
|
bacbc8 |
- arp operation != rrequest
|
|
|
bacbc8 |
- arp operation { request, reply, rrequest, rreply, inrequest, inreply, nak }
|
|
|
bacbc8 |
- arp hlen 33-45
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-table bridge x {
|
|
|
bacbc8 |
- chain y {
|
|
|
bacbc8 |
- type filter hook input priority 0; policy accept;
|
|
|
bacbc8 |
- vlan id 4094
|
|
|
bacbc8 |
- vlan id 4094 vlan cfi 0
|
|
|
bacbc8 |
- vlan id 1 ip saddr 10.0.0.0/23 udp dport domain
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-table ip6 x {
|
|
|
bacbc8 |
- chain y {
|
|
|
bacbc8 |
- type nat hook postrouting priority 0; policy accept;
|
|
|
bacbc8 |
- icmpv6 id 33-45
|
|
|
bacbc8 |
- ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0
|
|
|
bacbc8 |
- meta l4proto tcp masquerade to :1024
|
|
|
bacbc8 |
- iifname \"wlan0\" ct state established,new tcp dport vmap { ssh : drop, 222 : drop } masquerade
|
|
|
bacbc8 |
- tcp dport ssh ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
|
|
|
bacbc8 |
- ip6 daddr fe00::1-fe00::200 udp dport domain counter packets 0 bytes 0 masquerade
|
|
|
bacbc8 |
- }
|
|
|
bacbc8 |
-}"
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
-$NFT -f - <<< "$RULESET"
|
|
|
bacbc8 |
-RULESET_JSON=$($NFT export vm json)
|
|
|
bacbc8 |
-$NFT flush ruleset
|
|
|
bacbc8 |
-$NFT import vm json <<< "$RULESET_JSON"
|
|
|
bacbc8 |
--
|
|
|
bacbc8 |
2.21.0
|
|
|
bacbc8 |
|