proto: add pseudo th protocol to match d/sport in generic way

Problem: Its not possible to easily match both udp and tcp in a single
rule.

... input ip protocol { tcp,udp } dport 53

will not work, as bison expects "tcp dport" or "sctp dport", or any
other transport protocol name.

Its possible to match the sport and dport via raw payload expressions,
e.g.:
... input ip protocol { tcp,udp } @th,16,16 53

but its not very readable.
Furthermore, its not possible to use this for set definitions:

table inet filter {
        set myset {
                type ipv4_addr . inet_proto . inet_service
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ip daddr . ip protocol . @th,0,16 @myset
        }
}
 # nft -f test
 test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions

During the netfilter workshop Pablo suggested to add an alias to do raw
sport/dport matching more readable, and make it use the inet_service
type automatically.

So, this change makes @th,0,16 work for the set definition case by
setting the data type to inet_service.

A new "th s|dport" syntax is provided as readable alternative:

ip protocol { tcp, udp } th dport 53

As "th" is an alias for the raw expression, no dependency is
generated -- its the users responsibility to add a suitable test to
select the l4 header types that should be matched.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index b98a6077202755a3b8eb3399b4e43263bbf4160d..dba42fd542cf3b48d6e7d56bb7d7ec19e228e0ff 100644 (file)
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -498,6 +498,15 @@ Transport Header, for example TCP
 ----------------------------------------------
 inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }
 -----------------------------------------------------------------
+The above can also be written as
+-----------------------------------------------------------------
+inet filter input meta l4proto {tcp, udp} th dport { 53, 80 }
+-----------------------------------------------------------------
+it is more convenient, but like the raw expression notation no
+dependencies are created or checked. It is the users responsibility
+to restrict matching to those header types that have a notion of ports.
+Otherwise, rules using raw expressions will errnously match unrelated
+packets, e.g. mis-interpreting ESP packets SPI field as a port.
 
 .Rewrite arp packet target hardware address if target protocol address matches a given address
 ----------------------------------------------------------------------------------------------

diff --git a/include/proto.h b/include/proto.h
index 92b25edbd3da7cb37c2d9bd612f94902943b6a39..fab48c1bb30c9ec5c6e652949fef4a886cf4a921 100644 (file)
--- a/include/proto.h
+++ b/include/proto.h
@@ -310,6 +310,12 @@ enum sctp_hdr_fields {
        SCTPHDR_CHECKSUM,
 };
 
+enum th_hdr_fields {
+       THDR_INVALID,
+       THDR_SPORT,
+       THDR_DPORT,
+};
+
 extern const struct proto_desc proto_icmp;
 extern const struct proto_desc proto_igmp;
 extern const struct proto_desc proto_ah;
@@ -320,6 +326,7 @@ extern const struct proto_desc proto_udplite;
 extern const struct proto_desc proto_tcp;
 extern const struct proto_desc proto_dccp;
 extern const struct proto_desc proto_sctp;
+extern const struct proto_desc proto_th;
 extern const struct proto_desc proto_icmp6;
 
 extern const struct proto_desc proto_ip;

diff --git a/src/parser_bison.y b/src/parser_bison.y
index a4905f2a39aed7970c2ba90e12df598dced16bd3..0a387f619998fb2e4dd5293c9bad911495261724 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -719,6 +719,9 @@ int nft_lex(void *, void *, void *);
 %type <expr>                   dccp_hdr_expr   sctp_hdr_expr
 %destructor { expr_free($$); } dccp_hdr_expr   sctp_hdr_expr
 %type <val>                    dccp_hdr_field  sctp_hdr_field
+%type <expr>                   th_hdr_expr
+%destructor { expr_free($$); } th_hdr_expr
+%type <val>                    th_hdr_field
 
 %type <expr>                   exthdr_expr
 %destructor { expr_free($$); } exthdr_expr
@@ -4198,6 +4201,7 @@ payload_expr              :       payload_raw_expr
                        |       tcp_hdr_expr
                        |       dccp_hdr_expr
                        |       sctp_hdr_expr
+                       |       th_hdr_expr
                        ;
 
 payload_raw_expr       :       AT      payload_base_spec       COMMA   NUM     COMMA   NUM
@@ -4487,6 +4491,18 @@ sctp_hdr_field           :       SPORT           { $$ = SCTPHDR_SPORT; }
                        |       CHECKSUM        { $$ = SCTPHDR_CHECKSUM; }
                        ;
 
+th_hdr_expr            :       TRANSPORT_HDR   th_hdr_field
+                       {
+                               $$ = payload_expr_alloc(&@$, &proto_th, $2);
+                               if ($$)
+                                       $$->payload.is_raw = true;
+                       }
+                       ;
+
+th_hdr_field           :       SPORT           { $$ = THDR_SPORT; }
+                       |       DPORT           { $$ = THDR_DPORT; }
+                       ;
+
 exthdr_expr            :       hbh_hdr_expr
                        |       rt_hdr_expr
                        |       rt0_hdr_expr

diff --git a/src/payload.c b/src/payload.c
index 3bf1ecc75c40bd2e13f2dd8d2b3bed4568c526e4..abd5339c5b0bc80b02b50fc505939891430255ef 100644 (file)
--- a/src/payload.c
+++ b/src/payload.c
@@ -172,10 +172,33 @@ struct expr *payload_expr_alloc(const struct location *loc,
 void payload_init_raw(struct expr *expr, enum proto_bases base,
                      unsigned int offset, unsigned int len)
 {
+       enum th_hdr_fields thf;
+
        expr->payload.base      = base;
        expr->payload.offset    = offset;
        expr->len               = len;
        expr->dtype             = &integer_type;
+
+       if (base != PROTO_BASE_TRANSPORT_HDR)
+               return;
+       if (len != 16)
+               return;
+
+       switch (offset) {
+       case 0:
+               thf = THDR_SPORT;
+               /* fall through */
+       case 16:
+               if (offset == 16)
+                       thf = THDR_DPORT;
+               expr->payload.tmpl = &proto_th.templates[thf];
+               expr->payload.desc = &proto_th;
+               expr->dtype = &inet_service_type;
+               expr->payload.desc = &proto_th;
+               break;
+       default:
+               break;
+       }
 }
 
 unsigned int payload_hdr_field(const struct expr *expr)

diff --git a/src/proto.c b/src/proto.c
index 67e86f2070c12a6c9c10db96b9aba79fcd51b203..40ce590efd1264220b6e2337561c1dbbbf55ad02 100644 (file)
--- a/src/proto.c
+++ b/src/proto.c
@@ -561,6 +561,18 @@ const struct proto_desc proto_sctp = {
        },
 };
 
+/*
+ * Dummy Transpor Header (common udp/tcp/dccp/sctp fields)
+ */
+const struct proto_desc proto_th = {
+       .name           = "th",
+       .base           = PROTO_BASE_TRANSPORT_HDR,
+       .templates      = {
+               [THDR_SPORT]            = INET_SERVICE("sport", struct udphdr, source),
+               [THDR_DPORT]            = INET_SERVICE("dport", struct udphdr, dest),
+       },
+};
+
 /*
  * IPv4
  */

diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t
index 9a3402f1a406d2b988fc24b2f0027d3df723d469..c3382a96876c2a17278e4e4664eda60a76bfc40e 100644 (file)
--- a/tests/py/any/rawpayload.t
+++ b/tests/py/any/rawpayload.t
@@ -4,7 +4,7 @@
 *inet;test-inet;input
 *netdev;test-netdev;ingress
 
-meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 };ok;meta l4proto { 6, 17, 132} @th,16,16 { 22, 23, 80}
+meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 };ok;meta l4proto { 6, 17, 132} th dport { 22, 23, 80}
 meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80}
 @nh,8,8 255;ok
 @nh,8,16 0;ok

diff --git a/tests/shell/testcases/sets/0037_set_with_inet_service_0 b/tests/shell/testcases/sets/0037_set_with_inet_service_0
new file mode 100755 (executable)
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0037_set_with_inet_service_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"

diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft
new file mode 100644 (file)
index 0000000..0e85f7c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft
@@ -0,0 +1,16 @@
+table inet filter {
+       set myset {
+               type ipv4_addr . inet_proto . inet_service
+               elements = { 192.168.0.12 . tcp . 53,
+                            192.168.0.12 . tcp . 80,
+                            192.168.0.12 . udp . 53,
+                            192.168.0.13 . tcp . 80,
+                            192.168.0.113 . tcp . 22 }
+       }
+
+       chain forward {
+               type filter hook forward priority filter; policy drop;
+               ct state established,related accept
+               ct state new ip daddr . ip protocol . th dport @myset accept
+       }
+}