nft: Bore up nft_parse_payload()

Allow for closer inspection by storing payload expression's base and
length values. Also facilitate for two consecutive payload expressions
as LHS of a (cmp/lookup) statement as used with concatenations.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 80d4e1fcdcea131947320f7997c278e5da7e5a35..a67302ee621aea374675ea2ddc3f24d85f4eb7e8 100644 (file)
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -445,8 +445,16 @@ static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 
 static void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 {
+       if (ctx->flags & NFT_XT_CTX_PAYLOAD) {
+               memcpy(&ctx->prev_payload, &ctx->payload,
+                      sizeof(ctx->prev_payload));
+               ctx->flags |= NFT_XT_CTX_PREV_PAYLOAD;
+       }
+
        ctx->reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+       ctx->payload.base = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE);
        ctx->payload.offset = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET);
+       ctx->payload.len = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN);
        ctx->flags |= NFT_XT_CTX_PAYLOAD;
 }
 

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index e79323c882f4d620a465ac985cd9ee994f3d5c13..4dc44b8460f0dd17ae2ae774ad91d0ab28e0438a 100644 (file)
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -43,6 +43,7 @@ enum {
        NFT_XT_CTX_META         = (1 << 1),
        NFT_XT_CTX_BITWISE      = (1 << 2),
        NFT_XT_CTX_IMMEDIATE    = (1 << 3),
+       NFT_XT_CTX_PREV_PAYLOAD = (1 << 4),
 };
 
 struct nft_xt_ctx {
@@ -53,9 +54,10 @@ struct nft_xt_ctx {
 
        uint32_t reg;
        struct {
+               uint32_t base;
                uint32_t offset;
                uint32_t len;
-       } payload;
+       } payload, prev_payload;
        struct {
                uint32_t key;
        } meta;