</example>
</para>
</refsect2>
+ <refsect2>
+ <title>fib expressions</title>
+ <para>
+ <cmdsynopsis>
+ <command>fib</command>
+ <group choice="req">
+ <arg>saddr</arg>
+ <arg>daddr</arg>
+ <group choice="opt">
+ <arg>mark</arg>
+ <arg>iif</arg>
+ <arg>oif</arg>
+ </group>
+ </group>
+ <group choice="req">
+ <arg>oif</arg>
+ <arg>oifname</arg>
+ <arg>type</arg>
+ </group>
+ </cmdsynopsis>
+ </para>
+ <para>
+ A fib expression queries the fib (forwarding information base)
+ to obtain information such as the output interface index a particular address would use. The input is a tuple of elements that is used as input to the fib lookup
+ functions.
+ </para>
+ <para>
+ <table frame="all">
+ <title>fib expression specific types</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Description</entry>
+ <entry>Type</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>oif</entry>
+ <entry>Output interface index</entry>
+ <entry>integer (32 bit)</entry>
+ </row>
+ <row>
+ <entry>oifname</entry>
+ <entry>Output interface name</entry>
+ <entry>string</entry>
+ </row>
+ <row>
+ <entry>type</entry>
+ <entry>Address type</entry>
+ <entry>fib_addrtype</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+ <para>
+ <example>
+ <title>Using fib expressions</title>
+ <programlisting>
+# drop packets without a reverse path
+filter prerouting fib saddr . iif oif eq 0 drop
+# drop packets to address not configured on ininterface
+filter input fib daddr . iif type not { local, broadcast, multicast } drop
+
+# perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule)
+filter prerouting meta mark set 0xdead fib daddr . mark type vmap { backhole : drop, prohibit : jump prohibited, unreachable : drop }
+ </programlisting>
+ </example>
+ </para>
+ </refsect2>
<refsect2>
<title>Routing expressions</title>
<para>
TYPE_DEVGROUP,
TYPE_DSCP,
TYPE_ECN,
+ TYPE_FIB_ADDR,
__TYPE_MAX
};
#define TYPE_MAX (__TYPE_MAX - 1)
EXPR_NUMGEN,
EXPR_HASH,
EXPR_RT,
+ EXPR_FIB,
};
enum ops {
#include <payload.h>
#include <exthdr.h>
+#include <fib.h>
#include <numgen.h>
#include <meta.h>
#include <rt.h>
uint32_t mod;
uint32_t seed;
} hash;
+ struct {
+ /* EXPR_FIB */
+ uint32_t flags;
+ uint32_t result;
+ } fib;
};
};
--- /dev/null
+#ifndef NFTABLES_FIB_H
+#define NFTABLES_FIB_H
+
+extern struct expr *fib_expr_alloc(const struct location *loc,
+ unsigned int flags,
+ unsigned int result);
+#endif /* NFTABLES_FIB_H */
};
#define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1)
+/*
+ * enum nft_fib_attributes - nf_tables fib expression netlink attributes
+ *
+ * @NFTA_FIB_DREG: destination register (NLA_U32)
+ * @NFTA_FIB_RESULT: desired result (NLA_U32)
+ * @NFTA_FIB_FLAGS: flowi fields to initialize when querying the FIB (NLA_U32)
+ *
+ * The FIB expression performs a route lookup according
+ * to the packet data.
+ */
+enum nft_fib_attributes {
+ NFTA_FIB_UNSPEC,
+ NFTA_FIB_DREG,
+ NFTA_FIB_RESULT,
+ NFTA_FIB_FLAGS,
+ __NFTA_FIB_MAX
+};
+#define NFTA_FIB_MAX (__NFTA_FIB_MAX - 1)
+
+enum nft_fib_result {
+ NFT_FIB_RESULT_UNSPEC,
+ NFT_FIB_RESULT_OIF,
+ NFT_FIB_RESULT_OIFNAME,
+ NFT_FIB_RESULT_ADDRTYPE,
+ __NFT_FIB_RESULT_MAX
+};
+#define NFT_FIB_RESULT_MAX (__NFT_FIB_RESULT_MAX - 1)
+
+enum nft_fib_flags {
+ NFTA_FIB_F_SADDR = 1 << 0, /* look up src */
+ NFTA_FIB_F_DADDR = 1 << 1, /* look up dst */
+ NFTA_FIB_F_MARK = 1 << 2, /* use skb->mark */
+ NFTA_FIB_F_IIF = 1 << 3, /* restrict to iif */
+ NFTA_FIB_F_OIF = 1 << 4, /* restrict to oif */
+};
+
/**
* enum nft_trace_attributes - nf_tables trace netlink attributes
*
proto.c \
payload.c \
exthdr.c \
+ fib.c \
hash.c \
meta.c \
rt.c \
return expr_evaluate_exthdr(ctx, expr);
case EXPR_VERDICT:
case EXPR_META:
+ case EXPR_FIB:
return expr_evaluate_primary(ctx, expr);
case EXPR_PAYLOAD:
return expr_evaluate_payload(ctx, expr);
--- /dev/null
+/*
+ * FIB expression.
+ *
+ * Copyright (c) Red Hat GmbH. Author: Florian Westphal <fw@strlen.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <nftables.h>
+#include <erec.h>
+#include <expression.h>
+#include <datatype.h>
+#include <gmputil.h>
+#include <utils.h>
+#include <string.h>
+#include <fib.h>
+
+#include <linux/rtnetlink.h>
+#include <net/if.h>
+
+static const char *fib_result[NFT_FIB_RESULT_MAX + 1] = {
+ [NFT_FIB_RESULT_OIF] = "oif",
+ [NFT_FIB_RESULT_OIFNAME] = "oifname",
+ [NFT_FIB_RESULT_ADDRTYPE] = "type",
+};
+
+static const struct symbol_table addrtype_tbl = {
+ .symbols = {
+ SYMBOL("unspec", RTN_UNSPEC),
+ SYMBOL("unicast", RTN_UNICAST),
+ SYMBOL("local", RTN_LOCAL),
+ SYMBOL("broadcast", RTN_BROADCAST),
+ SYMBOL("anycast", RTN_ANYCAST),
+ SYMBOL("multicast", RTN_MULTICAST),
+ SYMBOL("blackhole", RTN_BLACKHOLE),
+ SYMBOL("unreachable", RTN_UNREACHABLE),
+ SYMBOL("prohibit", RTN_PROHIBIT),
+ SYMBOL_LIST_END
+ }
+};
+
+static const struct datatype fib_addr_type = {
+ .type = TYPE_FIB_ADDR,
+ .name = "fib_addrtype",
+ .desc = "fib address type",
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ .size = 4 * BITS_PER_BYTE,
+ .basetype = &integer_type,
+ .sym_tbl = &addrtype_tbl,
+};
+
+static const char *fib_result_str(enum nft_fib_result result)
+{
+ if (result <= NFT_FIB_RESULT_MAX)
+ return fib_result[result];
+
+ return "unknown";
+}
+
+static void __fib_expr_print_f(unsigned int *flags, unsigned int f, const char *s)
+{
+ if ((*flags & f) == 0)
+ return;
+
+ printf("%s", s);
+ *flags &= ~f;
+ if (*flags)
+ printf(" . ");
+}
+
+static void fib_expr_print(const struct expr *expr)
+{
+ unsigned int flags = expr->fib.flags;
+
+ printf("fib ");
+ __fib_expr_print_f(&flags, NFTA_FIB_F_SADDR, "saddr");
+ __fib_expr_print_f(&flags, NFTA_FIB_F_DADDR, "daddr");
+ __fib_expr_print_f(&flags, NFTA_FIB_F_MARK, "mark");
+ __fib_expr_print_f(&flags, NFTA_FIB_F_IIF, "iif");
+ __fib_expr_print_f(&flags, NFTA_FIB_F_OIF, "oif");
+
+ if (flags)
+ printf("0x%x", flags);
+
+ printf(" %s", fib_result_str(expr->fib.result));
+}
+
+static bool fib_expr_cmp(const struct expr *e1, const struct expr *e2)
+{
+ return e1->fib.result == e2->fib.result &&
+ e1->fib.flags == e2->fib.flags;
+}
+
+static void fib_expr_clone(struct expr *new, const struct expr *expr)
+{
+ new->fib.result = expr->fib.result;
+ new->fib.flags= expr->fib.flags;
+}
+
+static const struct expr_ops fib_expr_ops = {
+ .type = EXPR_FIB,
+ .name = "fib",
+ .print = fib_expr_print,
+ .cmp = fib_expr_cmp,
+ .clone = fib_expr_clone,
+};
+
+struct expr *fib_expr_alloc(const struct location *loc,
+ unsigned int flags, unsigned int result)
+{
+ const struct datatype *type;
+ unsigned int len = 4 * BITS_PER_BYTE;
+ struct expr *expr;
+
+ switch (result) {
+ case NFT_FIB_RESULT_OIF:
+ type = &ifindex_type;
+ break;
+ case NFT_FIB_RESULT_OIFNAME:
+ type = &string_type;
+ len = IFNAMSIZ * BITS_PER_BYTE;
+ break;
+ case NFT_FIB_RESULT_ADDRTYPE:
+ type = &fib_addr_type;
+ break;
+ default:
+ BUG("Unknown result %d\n", result);
+ }
+
+ expr = expr_alloc(loc, &fib_expr_ops, type,
+ BYTEORDER_HOST_ENDIAN, len);
+
+ expr->fib.result = result;
+ expr->fib.flags = flags;
+
+ return expr;
+}
+
+static void __init fib_init(void)
+{
+ datatype_register(&fib_addr_type);
+}
netlink_set_register(ctx, dreg, expr);
}
+static void netlink_parse_fib(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ struct expr *expr;
+ uint32_t flags, result;
+
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_FIB_FLAGS);
+ result = nftnl_expr_get_u32(nle, NFTNL_EXPR_FIB_RESULT);
+
+ expr = fib_expr_alloc(loc, flags, result);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_FIB_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
static void netlink_parse_meta_expr(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
{ .name = "quota", .parse = netlink_parse_quota },
{ .name = "numgen", .parse = netlink_parse_numgen },
{ .name = "hash", .parse = netlink_parse_hash },
+ { .name = "fib", .parse = netlink_parse_fib },
};
static int netlink_parse_expr(const struct nftnl_expr *nle,
case EXPR_RT:
case EXPR_VERDICT:
case EXPR_NUMGEN:
+ case EXPR_FIB:
break;
case EXPR_HASH:
expr_postprocess(ctx, &expr->hash.expr);
}
}
+static void netlink_gen_fib(struct netlink_linearize_ctx *ctx,
+ const struct expr *expr,
+ enum nft_registers dreg)
+{
+ struct nftnl_expr *nle;
+
+ nle = alloc_nft_expr("fib");
+ netlink_put_register(nle, NFTNL_EXPR_FIB_DREG, dreg);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_FIB_RESULT, expr->fib.result);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_FIB_FLAGS, expr->fib.flags);
+
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
static void netlink_gen_hash(struct netlink_linearize_ctx *ctx,
const struct expr *expr,
enum nft_registers dreg)
return netlink_gen_numgen(ctx, expr, dreg);
case EXPR_HASH:
return netlink_gen_hash(ctx, expr, dreg);
+ case EXPR_FIB:
+ return netlink_gen_fib(ctx, expr, dreg);
default:
BUG("unknown expression type %s\n", expr->ops->name);
}
%token DASH "-"
%token AT "@"
%token VMAP "vmap"
+%token LOOKUP "lookup"
%token INCLUDE "include"
%token DEFINE "define"
+%token FIB "fib"
+
%token HOOK "hook"
%token DEVICE "device"
%token TABLE "table"
%destructor { expr_free($$); } ct_expr
%type <val> ct_key ct_key_dir ct_key_counters
+%type <expr> fib_expr
+%destructor { expr_free($$); } fib_expr
+%type <val> fib_tuple fib_result fib_flag
+
%type <val> export_format
%type <string> monitor_event
%destructor { xfree($$); } monitor_event
| ct_expr { $$ = $1; }
| numgen_expr { $$ = $1; }
| hash_expr { $$ = $1; }
+ | fib_expr { $$ = $1; }
| '(' basic_expr ')' { $$ = $2; }
;
+fib_expr : FIB fib_tuple fib_result
+ {
+ if (($2 & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == 0) {
+ erec_queue(error(&@2, "fib: need either saddr or daddr"), state->msgs);
+ YYERROR;
+ }
+
+ if (($2 & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) ==
+ (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) {
+ erec_queue(error(&@2, "fib: saddr and daddr are mutually exclusive"), state->msgs);
+ YYERROR;
+ }
+
+ if (($2 & (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) ==
+ (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) {
+ erec_queue(error(&@2, "fib: iif and oif are mutually exclusive"), state->msgs);
+ YYERROR;
+ }
+
+ $$ = fib_expr_alloc(&@$, $2, $3);
+ }
+ ;
+
+fib_result : OIF { $$ =NFT_FIB_RESULT_OIF; }
+ | OIFNAME { $$ =NFT_FIB_RESULT_OIFNAME; }
+ | TYPE { $$ =NFT_FIB_RESULT_ADDRTYPE; }
+ ;
+
+fib_flag : SADDR { $$ = NFTA_FIB_F_SADDR; }
+ | DADDR { $$ = NFTA_FIB_F_DADDR; }
+ | MARK { $$ = NFTA_FIB_F_MARK; }
+ | IIF { $$ = NFTA_FIB_F_IIF; }
+ | OIF { $$ = NFTA_FIB_F_OIF; }
+ ;
+
+fib_tuple : fib_flag DOT fib_tuple
+ {
+ $$ = $1 | $3;
+ }
+ | fib_flag
+ ;
+
shift_expr : primary_expr
| shift_expr LSHIFT primary_expr
{
"dup" { return DUP; }
"fwd" { return FWD; }
+"fib" { return FIB; }
+
"xml" { return XML; }
"json" { return JSON; }
--- /dev/null
+:prerouting;type filter hook prerouting priority 0
+
+*ip;test-ip;prerouting
+*ip6;test-ip6;prerouting
+
+fib saddr . daddr oif lo;fail
+fib iif . oif . daddr oif lo;fail
+fib mark oif lo;fail
+fib saddr . iif oif ne 0;ok;fib saddr . iif oif != 0
+fib saddr . iif oifname "lo";ok
+
+fib daddr . iif type local;ok
+fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept };ok
+fib daddr . oif type local;fail
--- /dev/null
+# fib saddr . iif oif ne 0
+ip test-ip prerouting
+ [ fib saddr . iif oif => reg 1 ]
+ [ cmp neq reg 1 0x00000000 ]
+
+# fib saddr . iif oifname "lo"
+ip test-ip prerouting
+ [ fib saddr . iif oifname => reg 1 ]
+ [ cmp eq reg 1 0x00006f6c 0x00000000 0x00000000 0x00000000 ]
+
+# fib daddr . iif type local
+ip test-ip prerouting
+ [ fib daddr . iif type => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+__map%d test-ip b
+__map%d test-ip 0
+ element 00000006 : 0 [end] element 00000008 : 0 [end] element 00000001 : 0 [end]
+ip test-ip prerouting
+ [ fib daddr . iif type => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
projects / thirdparty / nftables.git / commitdiff
