These keys are available since kernel >= 4.17.
You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta
protocol' in first place to provide layer 3 context.
Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations.
This patch is implicitly fixing these cases.
If your kernel is < 4.17, you can still use address matching via
explicit meta nfproto:
meta nfproto ipv4 ct original saddr 1.2.3.4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
}
extern struct expr *ct_expr_alloc(const struct location *loc,
- enum nft_ct_keys key, int8_t direction,
- uint8_t nfproto);
+ enum nft_ct_keys key, int8_t direction);
extern void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr);
extern struct stmt *notrack_stmt_alloc(const struct location *loc);
BYTEORDER_HOST_ENDIAN, 16),
[NFT_CT_EVENTMASK] = CT_TEMPLATE("event", &ct_event_type,
BYTEORDER_HOST_ENDIAN, 32),
+ [NFT_CT_SRC_IP] = CT_TEMPLATE("ip saddr", &ipaddr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
+ [NFT_CT_DST_IP] = CT_TEMPLATE("ip daddr", &ipaddr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
+ [NFT_CT_SRC_IP6] = CT_TEMPLATE("ip6 saddr", &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
+ [NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN, 0),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
};
struct expr *ct_expr_alloc(const struct location *loc, enum nft_ct_keys key,
- int8_t direction, uint8_t nfproto)
+ int8_t direction)
{
const struct ct_template *tmpl = &ct_templates[key];
struct expr *expr;
tmpl->byteorder, tmpl->len);
expr->ct.key = key;
expr->ct.direction = direction;
- expr->ct.nfproto = nfproto;
switch (key) {
case NFT_CT_SRC:
break;
datatype_set(expr, &inet_service_type);
break;
+ case NFT_CT_SRC_IP:
+ case NFT_CT_DST_IP:
+ expr->dtype = &ipaddr_type;
+ expr->len = expr->dtype->size;
+ break;
+ case NFT_CT_SRC_IP6:
+ case NFT_CT_DST_IP6:
+ expr->dtype = &ip6addr_type;
+ expr->len = expr->dtype->size;
+ break;
default:
break;
}
return 0;
}
- left = ct_expr_alloc(&ct->location, NFT_CT_L3PROTOCOL, ct->ct.direction, ct->ct.nfproto);
+ left = ct_expr_alloc(&ct->location, NFT_CT_L3PROTOCOL, ct->ct.direction);
right = constant_expr_alloc(&ct->location, left->dtype,
left->dtype->byteorder, left->len,
*/
static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
{
+ const struct proto_desc *base, *error;
struct expr *ct = *expr;
+ base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+
switch (ct->ct.key) {
case NFT_CT_SRC:
case NFT_CT_DST:
ct_gen_nh_dependency(ctx, ct);
break;
+ case NFT_CT_SRC_IP:
+ case NFT_CT_DST_IP:
+ if (base == &proto_ip6) {
+ error = &proto_ip;
+ goto err_conflict;
+ }
+ break;
+ case NFT_CT_SRC_IP6:
+ case NFT_CT_DST_IP6:
+ if (base == &proto_ip) {
+ error = &proto_ip6;
+ goto err_conflict;
+ }
+ break;
default:
break;
}
ct_expr_update_type(&ctx->pctx, ct);
return expr_evaluate_primary(ctx, expr);
+
+err_conflict:
+ return stmt_binary_error(ctx, ct,
+ &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
+ "conflicting protocols specified: %s vs. %s",
+ base->name, error->name);
}
/*
{
const char *dirstr = ct_dir2str(expr->ct.direction);
enum nft_ct_keys key = expr->ct.key;
- const struct proto_desc *desc;
json_t *root;
root = json_pack("{s:s}", "key", ct_templates[key].token);
if (dirstr)
json_object_set_new(root, "dir", json_string(dirstr));
-
- switch (key) {
- case NFT_CT_SRC:
- case NFT_CT_DST:
- desc = proto_find_upper(&proto_inet, expr->ct.nfproto);
- if (desc)
- json_object_set_new(root, "family",
- json_string(desc->name));
- break;
- default:
- break;
- }
out:
return json_pack("{s:o}", "ct", root);
}
dir = nftnl_expr_get_u8(nle, NFTNL_EXPR_CT_DIR);
key = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY);
- expr = ct_expr_alloc(loc, key, dir, NFPROTO_UNSPEC);
+ expr = ct_expr_alloc(loc, key, dir);
dreg = netlink_parse_register(nle, NFTNL_EXPR_CT_DREG);
netlink_set_register(ctx, dreg, expr);
ct_expr : CT ct_key
{
- $$ = ct_expr_alloc(&@$, $2, -1, NFPROTO_UNSPEC);
+ $$ = ct_expr_alloc(&@$, $2, -1);
}
| CT ct_dir ct_key_dir
{
- $$ = ct_expr_alloc(&@$, $3, $2, NFPROTO_UNSPEC);
+ $$ = ct_expr_alloc(&@$, $3, $2);
}
- | CT ct_dir nf_key_proto ct_key_proto_field
+ | CT ct_dir ct_key_proto_field
{
- $$ = ct_expr_alloc(&@$, $4, $2, $3);
+ $$ = ct_expr_alloc(&@$, $3, $2);
}
;
| ct_key_dir_optional
;
-ct_key_proto_field : SADDR { $$ = NFT_CT_SRC; }
- | DADDR { $$ = NFT_CT_DST; }
+ct_key_proto_field : IP SADDR { $$ = NFT_CT_SRC_IP; }
+ | IP DADDR { $$ = NFT_CT_DST_IP; }
+ | IP6 SADDR { $$ = NFT_CT_SRC_IP6; }
+ | IP6 DADDR { $$ = NFT_CT_DST_IP6; }
;
ct_key_dir_optional : BYTES { $$ = NFT_CT_BYTES; }
NFT_CT_BYTES,
NFT_CT_AVGPKT,
NFT_CT_ZONE,
+ NFT_CT_SRC_IP,
+ NFT_CT_DST_IP,
+ NFT_CT_SRC_IP6,
+ NFT_CT_DST_IP6,
};
unsigned int i;
static struct expr *json_parse_ct_expr(struct json_ctx *ctx,
const char *type, json_t *root)
{
+ int dirval = -1, keyval = -1;
const char *key, *dir;
unsigned int i;
- int dirval = -1, familyval, keyval = -1;
if (json_unpack_err(ctx, root, "{s:s}", "key", &key))
return NULL;
return NULL;
}
- familyval = json_parse_family(ctx, root);
- if (familyval < 0)
- return NULL;
-
if (!json_unpack(root, "{s:s}", "dir", &dir)) {
if (!strcmp(dir, "original")) {
dirval = IP_CT_DIR_ORIGINAL;
}
}
- return ct_expr_alloc(int_loc, keyval, dirval, familyval);
+ return ct_expr_alloc(int_loc, keyval, dirval);
}
static struct expr *json_parse_numgen_expr(struct json_ctx *ctx,
ct bytes original reply;fail
# missing direction
-ct saddr 1.2.3.4;fail
+ct ip saddr 1.2.3.4;fail
# wrong base (ip6 but ipv4 address given)
-meta nfproto ipv6 ct original saddr 1.2.3.4;fail
+meta nfproto ipv6 ct original ip saddr 1.2.3.4;fail
# direction, but must be used without
ct original mark 42;fail
"left": {
"ct": {
"dir": "original",
- "family": "ip6",
- "key": "saddr"
+ "key": "ip6 saddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "original",
- "family": "ip",
"key": "saddr"
}
},
# ct original ip6 saddr ::1
inet test-inet input
- [ ct load l3protocol => reg 1 , dir original ]
- [ cmp eq reg 1 0x0000000a ]
- [ ct load src => reg 1 , dir original ]
+ [ ct load src_ip6 => reg 1 , dir original ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+
"left": {
"ct": {
"dir": "original",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "reply",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "original",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "reply",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "original",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "reply",
- "family": "ip",
- "key": "saddr"
+ "key": "ip saddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "original",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
}
},
"op": "==",
"left": {
"ct": {
"dir": "reply",
- "family": "ip",
- "key": "daddr"
+ "key": "ip daddr"
}
},
"op": "==",
# ct original ip saddr 192.168.0.1
ip test-ip4 output
- [ ct load src => reg 1 , dir original ]
+ [ ct load src_ip => reg 1 , dir original ]
[ cmp eq reg 1 0x0100a8c0 ]
# ct reply ip saddr 192.168.0.1
ip test-ip4 output
- [ ct load src => reg 1 , dir reply ]
+ [ ct load src_ip => reg 1 , dir reply ]
[ cmp eq reg 1 0x0100a8c0 ]
# ct original ip daddr 192.168.0.1
ip test-ip4 output
- [ ct load dst => reg 1 , dir original ]
+ [ ct load dst_ip => reg 1 , dir original ]
[ cmp eq reg 1 0x0100a8c0 ]
# ct reply ip daddr 192.168.0.1
ip test-ip4 output
- [ ct load dst => reg 1 , dir reply ]
+ [ ct load dst_ip => reg 1 , dir reply ]
[ cmp eq reg 1 0x0100a8c0 ]
# ct original ip saddr 192.168.1.0/24
ip test-ip4 output
- [ ct load src => reg 1 , dir original ]
+ [ ct load src_ip => reg 1 , dir original ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
# ct reply ip saddr 192.168.1.0/24
ip test-ip4 output
- [ ct load src => reg 1 , dir reply ]
+ [ ct load src_ip => reg 1 , dir reply ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
# ct original ip daddr 192.168.1.0/24
ip test-ip4 output
- [ ct load dst => reg 1 , dir original ]
+ [ ct load dst_ip => reg 1 , dir original ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
# ct reply ip daddr 192.168.1.0/24
ip test-ip4 output
- [ ct load dst => reg 1 , dir reply ]
+ [ ct load dst_ip => reg 1 , dir reply ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
projects / thirdparty / nftables.git / commitdiff
