git.ipfire.org Git - thirdparty/iptables.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 25 Jan 2022 16:52:55 +0000 (17:52 +0100)
committer	Florian Westphal <fw@strlen.de>
	Sat, 29 Jan 2022 12:33:36 +0000 (13:33 +0100)
commit	250dce876d924b9467ffa035af445912e86ea93b
tree	751301bbe5e70794459498ca3f9fdaff1ab2154a	tree
parent	ea5d45dc23a4529a2a45c59ac6c13b61297c789e	commit \| diff

nft-shared: support native tcp port delinearize

This extends iptables-nft dissector to decode native tcp
port matching.  nft ruleset:

table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                tcp sport 12345
                tcp sport 12345 tcp dport 6789
                tcp sport < 1024
                tcp dport >= 1024
        }
}

$ iptables-nft-save
-A INPUT -p tcp -m tcp --sport 12345
-A INPUT -p tcp -m tcp --sport 12345 --dport 6789
-A INPUT -p tcp -m tcp --sport 0:1023
-A INPUT -p tcp -m tcp --dport 1024:65535

This would allow to extend iptables-nft to prefer
native payload expressions for --sport,dport in the future.

Also, parse_cmp must not clear the "payload" flag, this is because
cmp-based range expressions will contain following sequence:

payload => reg1
cmp reg1 > minv
cmp reg1 < maxv

... so second cmp would work.

Signed-off-by: Florian Westphal <fw@strlen.de>

iptables/nft-shared.c		diff \| blob \| blame \| history
iptables/nft-shared.h		diff \| blob \| blame \| history