57948fb639
- Introduced `input_priority`, `output_priority`, and `forward_priority` options in `firewall.toml`. - Updated `chains` and chain creation functions to include priority handling. - Added validation for priority values to ensure they remain within the acceptable range (-50 to 50). - Adjusted `reloadInput`, `reloadOutput`, and `reloadForward` to respect priority settings.
package chain
import (
	"fmt"

	nft "git.kor-elf.net/kor-elf-shield/go-nftables-client"
	nftChain "git.kor-elf.net/kor-elf-shield/go-nftables-client/chain"
	"git.kor-elf.net/kor-elf-shield/go-nftables-client/family"
)
// Output is the handle to the output-hook base chain created by newOutput.
// It exposes only rule insertion; the chain itself is created once at
// construction time.
type Output interface {
	// AddRule adds a rule to the chain from the given nftables expression
	// tokens and returns the client's error, if any.
	AddRule(expr ...string) error
}
// output is the concrete Output bound to a single chain of a single table.
type output struct {
	nft    nft.NFT     // nftables client used to issue rule operations
	family family.Type // address family the table belongs to
	table  string      // table the chain lives in
	chain  string      // chain that rules are added to
}
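// newOutput creates the output-hook filter base chain `chain` in `table` for
// the given address family and returns an Output bound to it.
//
// defaultAllow selects the chain policy: accept when true, drop otherwise
// (drop is the default so an unconfigured chain fails closed).
// priority is the nftables hook priority of the base chain. The config layer
// is expected to have range-checked it already, but the narrowing to int32 is
// verified here so an out-of-range value produces an error instead of silently
// wrapping to a different priority.
//
// Returns an error when priority does not fit in an int32 or when the client
// fails to add the chain; the client error is wrapped and can be inspected
// with errors.Is / errors.As.
func newOutput(nft nft.NFT, family family.Type, table string, chain string, defaultAllow bool, priority int) (Output, error) {
	// int32(priority) wraps on 64-bit platforms for values outside int32; refuse
	// them rather than installing a chain at an unintended priority.
	if int(int32(priority)) != priority {
		return nil, fmt.Errorf("output chain %q: priority %d does not fit in int32", chain, priority)
	}

	// Drop unless the caller explicitly opts into a permissive default.
	policy := nftChain.PolicyDrop
	if defaultAllow {
		policy = nftChain.PolicyAccept
	}

	baseChain := nftChain.BaseChainOptions{
		Type:     nftChain.TypeFilter,
		Hook:     nftChain.HookOutput,
		Priority: int32(priority),
		Policy:   policy,
		Device:   "", // left empty as in the original; presumably no per-device binding
	}

	if err := nft.Chain().Add(family, table, chain, baseChain); err != nil {
		return nil, fmt.Errorf("adding output chain %q to table %q: %w", chain, table, err)
	}

	return &output{
		nft:    nft,
		family: family,
		table:  table,
		chain:  chain,
	}, nil
}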
// AddRule adds a rule built from the expression tokens expr to the chain this
// output is bound to, delegating to the client's rule API. The client's error
// is returned unchanged.
func (c *output) AddRule(expr ...string) error {
	rules := c.nft.Rule()
	return rules.Add(c.family, c.table, c.chain, expr...)
}