Allow use of the 'forward' Netfilter hook.

PiperOrigin-RevId: 624152407
google · Apr 12, 2024 · f03e6c4 · f03e6c4
1 parent 54b0189
commit f03e6c4
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/capirca/lib/nftables.py b/capirca/lib/nftables.py
@@ -114,7 +114,7 @@ def __init__(self, term, nf_af, nf_hook, verbose=True):
       term: Term data.
       nf_af: nftables table type IPv4 only (ip), IPv6 (ip6) or dual-stack
         (inet).
-      nf_hook: INPUT or OUTPUT (packet processing/direction of traffic).
+      nf_hook: FORWARD, INPUT, or OUTPUT (Netfilter hook to filter on).
       verbose: used for comment handling.
     """
     self.term = term
@@ -605,7 +605,7 @@ class Nftables(aclgenerator.ACLGenerator):
   _PLATFORM = 'nftables'
   SUFFIX = '.nft'
   _HEADER_AF = frozenset(('inet', 'inet6', 'mixed'))
-  _SUPPORTED_HOOKS = frozenset(('input', 'output'))
+  _SUPPORTED_HOOKS = frozenset(('forward', 'input', 'output'))
   _HOOK_PRIORITY_DEFAULT = 0
   _BASE_CHAIN_PREFIX = 'root'
   _LOGGING = set()

diff --git a/tests/lib/nftables_test.py b/tests/lib/nftables_test.py
@@ -61,7 +61,7 @@ def __init__(self, in_dict: dict):
     'source_address',
     'source_address_exclude',
     'source_port',
-    'destination_interface',  # ouput interface
+    'destination_interface',  # output interface
     'translated',  # obj attribute, not token
     'stateless_reply',
 })
@@ -180,6 +180,12 @@ def __init__(self, in_dict: dict):
 }
 """
 
+GOOD_HEADER_4 = """
+header {
+  target:: nftables mixed forward
+}
+"""
+
 DENY_TERM = """
 term deny-term {
   comment:: "Dual-stack IPv4/v6 deny all"
@@ -598,6 +604,21 @@ def testGoodHeader(self):
     )
     self.assertIn('type filter hook input', nft)
 
+  def testForwardHeader(self):
+    nftables.Nftables(
+        policy.ParsePolicy(GOOD_HEADER_4 + GOOD_TERM_1, self.naming), EXP_INFO
+    )
+    nft = str(
+        nftables.Nftables(
+            policy.ParsePolicy(
+                GOOD_HEADER_4 + GOOD_TERM_1 + GOOD_HEADER_2 + IPV6_SRCIP,
+                self.naming,
+            ),
+            EXP_INFO,
+        )
+    )
+    self.assertIn('type filter hook forward', nft)
+
   def testStatefulFirewall(self):
     nftables.Nftables(
         policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming), EXP_INFO