This new datatype is a string subtype.
It will allow us to build named maps/sets using meta keys like 'iifname',
'oifname', 'ibriport' or 'obriport'.
Example:
table inet t {
set s {
type ifname
elements = { "eth0",
"eth1" }
}
chain c {
iifname @s accept
oifname @s accept
}
}
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
<row>
<entry>iifname</entry>
<entry>Input interface name</entry>
- <entry>string</entry>
+ <entry>ifname</entry>
</row>
<row>
<entry>iiftype</entry>
<row>
<entry>oifname</entry>
<entry>Output interface name</entry>
- <entry>string</entry>
+ <entry>ifname</entry>
</row>
<row>
<entry>oiftype</entry>
<row>
<entry>ibriport</entry>
<entry>Input bridge interface name</entry>
- <entry>string</entry>
+ <entry>ifname</entry>
</row>
<row>
<entry>obriport</entry>
<entry>Output bridge interface name</entry>
- <entry>string</entry>
+ <entry>ifname</entry>
</row>
<row>
<entry>pkttype</entry>
* @TYPE_ICMPX_CODE: icmpx code (integer subtype)
* @TYPE_DEVGROUP: devgroup code (integer subtype)
* @TYPE_DSCP: Differentiated Services Code Point (integer subtype)
+ * @TYPE_IFNAME: interface name (string subtype)
*/
enum datatypes {
TYPE_INVALID,
TYPE_FIB_ADDR,
TYPE_BOOLEAN,
TYPE_CT_EVENTBIT,
+ TYPE_IFNAME,
__TYPE_MAX
};
#define TYPE_MAX (__TYPE_MAX - 1)
extern const struct datatype uid_type;
extern const struct datatype devgroup_type;
extern const struct datatype pkttype_type;
+extern const struct datatype ifname_type;
#endif /* NFTABLES_META_H */
[TYPE_ECN] = &ecn_type,
[TYPE_FIB_ADDR] = &fib_addr_type,
[TYPE_BOOLEAN] = &boolean_type,
+ [TYPE_IFNAME] = &ifname_type,
};
const struct datatype *datatype_lookup(enum datatypes type)
/* We need to reallocate the constant expression with the right
* expression length to avoid problems on big endian.
*/
- value = constant_expr_alloc(&expr->location, &string_type,
+ value = constant_expr_alloc(&expr->location, ctx->ectx.dtype,
BYTEORDER_HOST_ENDIAN,
expr->len, data);
expr_free(expr);
memset(unescaped_str, 0, sizeof(unescaped_str));
xstrunescape(data, unescaped_str);
- value = constant_expr_alloc(&expr->location, &string_type,
+ value = constant_expr_alloc(&expr->location, ctx->ectx.dtype,
BYTEORDER_HOST_ENDIAN,
expr->len, unescaped_str);
expr_free(expr);
*exprp = value;
return 0;
}
- value = constant_expr_alloc(&expr->location, &string_type,
+ value = constant_expr_alloc(&expr->location, ctx->ectx.dtype,
BYTEORDER_HOST_ENDIAN,
datalen * BITS_PER_BYTE, data);
prefix = prefix_expr_alloc(&expr->location, value,
datalen * BITS_PER_BYTE);
- prefix->dtype = &string_type;
+ prefix->dtype = ctx->ectx.dtype;
prefix->flags |= EXPR_F_CONSTANT;
prefix->byteorder = BYTEORDER_HOST_ENDIAN;
meta->meta.key == NFT_META_NFPROTO)
return expr_error(ctx->msgs, meta,
"meta nfproto is only useful in the inet family");
+
return expr_evaluate_primary(ctx, exprp);
}
.flags = DTYPE_F_PREFIX,
};
+const struct datatype ifname_type = {
+ .type = TYPE_IFNAME,
+ .name = "ifname",
+ .desc = "network interface name",
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ .size = IFNAMSIZ * BITS_PER_BYTE,
+ .basetype = &string_type,
+};
+
static const struct meta_template meta_templates[] = {
[NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
4 * 8, BYTEORDER_HOST_ENDIAN),
[NFT_META_IIF] = META_TEMPLATE("iif", &ifindex_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &string_type,
+ [NFT_META_IIFNAME] = META_TEMPLATE("iifname", &ifname_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
[NFT_META_IIFTYPE] = META_TEMPLATE("iiftype", &arphrd_type,
2 * 8, BYTEORDER_HOST_ENDIAN),
[NFT_META_OIF] = META_TEMPLATE("oif", &ifindex_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &string_type,
+ [NFT_META_OIFNAME] = META_TEMPLATE("oifname", &ifname_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
[NFT_META_OIFTYPE] = META_TEMPLATE("oiftype", &arphrd_type,
1 , BYTEORDER_HOST_ENDIAN),
[NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
4 * 8, BYTEORDER_HOST_ENDIAN),
- [NFT_META_BRI_IIFNAME] = META_TEMPLATE("ibriport", &string_type,
+ [NFT_META_BRI_IIFNAME] = META_TEMPLATE("ibriport", &ifname_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
- [NFT_META_BRI_OIFNAME] = META_TEMPLATE("obriport", &string_type,
+ [NFT_META_BRI_OIFNAME] = META_TEMPLATE("obriport", &ifname_type,
IFNAMSIZ * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
[NFT_META_PKTTYPE] = META_TEMPLATE("pkttype", &pkttype_type,
right = netlink_alloc_value(loc, &nld);
if (left->len > right->len &&
- left->dtype != &string_type) {
- return netlink_error(ctx, loc,
- "Relational expression size mismatch");
+ expr_basetype(left) != &string_type) {
+ return netlink_error(ctx, loc, "Relational expression size mismatch");
} else if (left->len > 0 && left->len < right->len) {
left = netlink_parse_concat_expr(ctx, loc, sreg, right->len);
if (left == NULL)
data[pos] = '*';
data[pos + 1] = '\0';
- return constant_expr_alloc(loc, &string_type, BYTEORDER_HOST_ENDIAN,
+ return constant_expr_alloc(loc, expr->dtype, BYTEORDER_HOST_ENDIAN,
expr->len + BITS_PER_BYTE, data);
}
data[pos - 1] = '\\';
data[pos] = '*';
- tmp = constant_expr_alloc(&expr->location, &string_type,
+ tmp = constant_expr_alloc(&expr->location, expr->dtype,
BYTEORDER_HOST_ENDIAN,
expr->len + BITS_PER_BYTE, data);
expr_free(expr);
{
struct expr *mask;
- assert(expr->dtype->type == TYPE_STRING);
+ assert(expr_basetype(expr)->type == TYPE_STRING);
if (__expr_postprocess_string(&expr))
return expr;
if (expr->byteorder == BYTEORDER_HOST_ENDIAN)
mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
- if (expr->dtype->type == TYPE_STRING)
+ if (expr_basetype(expr)->type == TYPE_STRING)
*exprp = expr_postprocess_string(expr);
if (expr->dtype->basetype != NULL &&
return netlink_gen_lookup(ctx, expr, dreg);
case EXPR_PREFIX:
sreg = get_register(ctx, expr->left);
- if (expr->left->dtype->type != TYPE_STRING) {
+ if (expr_basetype(expr->left)->type != TYPE_STRING) {
len = div_round_up(expr->right->len, BITS_PER_BYTE);
netlink_gen_expr(ctx, expr->left, sreg);
right = netlink_gen_prefix(ctx, expr, sreg);
--- /dev/null
+#!/bin/bash
+
+# support for ifname in named maps
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+EXPECTED="table inet t {
+ map m1 {
+ type ifname : ipv4_addr
+ elements = { \"eth0\" : 1.1.1.1 }
+ }
+
+ chain c {
+ ip daddr set iifname map @m1
+ ip daddr set oifname map @m1
+ }
+}"
+
+set -e
+echo "$EXPECTED" > $tmpfile
+$NFT -f $tmpfile
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
--- /dev/null
+#!/bin/bash
+
+# support for ifname in named sets
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+EXPECTED="table inet t {
+ set s {
+ type ifname
+ elements = { \"eth0\" }
+ }
+
+ chain c {
+ iifname @s accept
+ oifname @s accept
+ }
+}"
+
+set -e
+echo "$EXPECTED" > $tmpfile
+$NFT -f $tmpfile
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+ exit 1
+fi
+
projects / thirdparty / nftables.git / commitdiff
