This allows you to clone packets to destination address, eg.
... dup to 172.20.0.2
... dup to 172.20.0.2 device eth1
... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
};
#define NFTA_REDIR_MAX (__NFTA_REDIR_MAX - 1)
+/**
+ * enum nft_tee_attributes - nf_tables tee expression netlink attributes
+ *
+ * @NFTA_DUP_SREG_ADDR: source register of destination (NLA_U32: nft_registers)
+ * @NFTA_DUP_SREG_DEV: output interface name (NLA_U32: nft_register)
+ */
+enum nft_tee_attributes {
+ NFTA_DUP_UNSPEC,
+ NFTA_DUP_SREG_ADDR,
+ NFTA_DUP_SREG_DEV,
+ __NFTA_DUP_MAX
+};
+#define NFTA_DUP_MAX (__NFTA_DUP_MAX - 1)
+
/**
* enum nft_gen_attributes - nf_tables ruleset generation attributes
*
extern struct expr *meta_expr_alloc(const struct location *loc,
enum nft_meta_keys key);
+const struct datatype ifindex_type;
+
#endif /* NFTABLES_META_H */
extern struct stmt *ct_stmt_alloc(const struct location *loc,
enum nft_ct_keys key,
struct expr *expr);
+struct dup_stmt {
+ struct expr *to;
+ struct expr *dev;
+};
+
+struct stmt *dup_stmt_alloc(const struct location *loc);
+uint32_t dup_stmt_type(const char *type);
struct set_stmt {
struct expr *set;
* @STMT_QUEUE: QUEUE statement
* @STMT_CT: conntrack statement
* @STMT_SET: set statement
+ * @STMT_DUP: dup statement
*/
enum stmt_types {
STMT_INVALID,
STMT_QUEUE,
STMT_CT,
STMT_SET,
+ STMT_DUP,
};
/**
struct queue_stmt queue;
struct ct_stmt ct;
struct set_stmt set;
+ struct dup_stmt dup;
};
};
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>
#include <net/ethernet.h>
+#include <net/if.h>
#include <expression.h>
#include <statement.h>
}
}
-static int nat_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
+static int evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
struct expr **expr)
{
struct proto_ctx *pctx = &ctx->pctx;
return err;
if (stmt->nat.addr != NULL) {
- err = nat_evaluate_addr(ctx, stmt, &stmt->nat.addr);
+ err = evaluate_addr(ctx, stmt, &stmt->nat.addr);
if (err < 0)
return err;
}
return 0;
}
+static int stmt_evaluate_dup(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ int err;
+
+ switch (ctx->pctx.family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ if (stmt->dup.to == NULL)
+ return stmt_error(ctx, stmt,
+ "missing destination address");
+ err = evaluate_addr(ctx, stmt, &stmt->dup.to);
+ if (err < 0)
+ return err;
+
+ if (stmt->dup.dev != NULL) {
+ err = stmt_evaluate_arg(ctx, stmt, &ifindex_type,
+ sizeof(uint32_t) * BITS_PER_BYTE,
+ &stmt->dup.dev);
+ if (err < 0)
+ return err;
+ }
+ break;
+ }
+ return 0;
+}
+
static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
{
if (stmt->queue.queue != NULL) {
return stmt_evaluate_redir(ctx, stmt);
case STMT_QUEUE:
return stmt_evaluate_queue(ctx, stmt);
+ case STMT_DUP:
+ return stmt_evaluate_dup(ctx, stmt);
case STMT_SET:
return stmt_evaluate_set(ctx, stmt);
default:
return NULL;
}
-static const struct datatype ifindex_type = {
+const struct datatype ifindex_type = {
.type = TYPE_IFINDEX,
.name = "iface_index",
.desc = "network interface index",
list_add_tail(&stmt->list, &ctx->rule->stmts);
}
+static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers reg1, reg2;
+ struct expr *addr, *dev;
+ struct stmt *stmt;
+
+ stmt = dup_stmt_alloc(loc);
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_ADDR);
+ if (reg1) {
+ addr = netlink_get_register(ctx, loc, reg1);
+ if (addr == NULL)
+ return netlink_error(ctx, loc,
+ "DUP statement has no destination expression");
+
+ switch (ctx->table->handle.family) {
+ case NFPROTO_IPV4:
+ expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+ break;
+ case NFPROTO_IPV6:
+ expr_set_type(addr, &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN);
+ break;
+ }
+ stmt->dup.to = addr;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_DEV);
+ if (reg2) {
+ dev = netlink_get_register(ctx, loc, reg2);
+ if (dev == NULL)
+ return netlink_error(ctx, loc,
+ "DUP statement has no output expression");
+
+ expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN);
+ if (stmt->dup.to == NULL)
+ stmt->dup.to = dev;
+ else
+ stmt->dup.dev = dev;
+ }
+
+ list_add_tail(&stmt->list, &ctx->rule->stmts);
+}
+
static void netlink_parse_queue(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
{ .name = "nat", .parse = netlink_parse_nat },
{ .name = "masq", .parse = netlink_parse_masq },
{ .name = "redir", .parse = netlink_parse_redir },
+ { .name = "dup", .parse = netlink_parse_dup },
{ .name = "queue", .parse = netlink_parse_queue },
{ .name = "dynset", .parse = netlink_parse_dynset },
};
case STMT_SET:
expr_postprocess(&rctx, &stmt->set.key);
break;
+ case STMT_DUP:
+ if (stmt->dup.to != NULL)
+ expr_postprocess(&rctx, &stmt->dup.to);
+ if (stmt->dup.dev != NULL)
+ expr_postprocess(&rctx, &stmt->dup.dev);
+ break;
default:
break;
}
#include <netlink.h>
#include <gmputil.h>
#include <utils.h>
+#include <netinet/in.h>
+
+#include <linux/netfilter.h>
+
struct netlink_linearize_ctx {
struct nftnl_rule *nlr;
nftnl_rule_add_expr(ctx->nlr, nle);
}
+static void netlink_gen_dup_stmt(struct netlink_linearize_ctx *ctx,
+ const struct stmt *stmt)
+{
+ struct nftnl_expr *nle;
+ enum nft_registers sreg1, sreg2;
+
+ nle = alloc_nft_expr("dup");
+
+ if (stmt->dup.to != NULL) {
+ if (stmt->dup.to->dtype == &ifindex_type) {
+ sreg1 = get_register(ctx, stmt->dup.to);
+ netlink_gen_expr(ctx, stmt->dup.to, sreg1);
+ netlink_put_register(nle, NFTNL_EXPR_DUP_SREG_DEV, sreg1);
+ } else {
+ sreg1 = get_register(ctx, stmt->dup.to);
+ netlink_gen_expr(ctx, stmt->dup.to, sreg1);
+ netlink_put_register(nle, NFTNL_EXPR_DUP_SREG_ADDR, sreg1);
+ }
+ }
+ if (stmt->dup.dev != NULL) {
+ sreg2 = get_register(ctx, stmt->dup.dev);
+ netlink_gen_expr(ctx, stmt->dup.dev, sreg2);
+ netlink_put_register(nle, NFTNL_EXPR_DUP_SREG_DEV, sreg2);
+ release_register(ctx, stmt->dup.dev);
+ }
+ if (stmt->dup.to != NULL)
+ release_register(ctx, stmt->dup.to);
+
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
static void netlink_gen_queue_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
return netlink_gen_masq_stmt(ctx, stmt);
case STMT_REDIR:
return netlink_gen_redir_stmt(ctx, stmt);
+ case STMT_DUP:
+ return netlink_gen_dup_stmt(ctx, stmt);
case STMT_QUEUE:
return netlink_gen_queue_stmt(ctx, stmt);
case STMT_CT:
%token BYPASS "bypass"
%token FANOUT "fanout"
+%token DUP "dup"
+%token ON "on"
+
%token POSITION "position"
%token COMMENT "comment"
%type <stmt> queue_stmt queue_stmt_alloc
%destructor { stmt_free($$); } queue_stmt queue_stmt_alloc
%type <val> queue_stmt_flags queue_stmt_flag
+%type <stmt> dup_stmt
+%destructor { stmt_free($$); } dup_stmt
%type <stmt> set_stmt
%destructor { stmt_free($$); } set_stmt
%type <val> set_stmt_op
| ct_stmt
| masq_stmt
| redir_stmt
+ | dup_stmt
| set_stmt
;
}
;
+dup_stmt : DUP TO expr
+ {
+ $$ = dup_stmt_alloc(&@$);
+ $$->dup.to = $3;
+ }
+ | DUP TO expr DEVICE expr
+ {
+ $$ = dup_stmt_alloc(&@$);
+ $$->dup.to = $3;
+ $$->dup.dev = $5;
+ }
+ ;
+
nf_nat_flags : nf_nat_flag
| nf_nat_flags COMMA nf_nat_flag
{
"proto-dst" { return PROTO_DST; }
"label" { return LABEL; }
+"dup" { return DUP; }
+
"xml" { return XML; }
"json" { return JSON; }
{
return stmt_alloc(loc, &set_stmt_ops);
}
+
+static void dup_stmt_print(const struct stmt *stmt)
+{
+ printf("dup");
+ if (stmt->dup.to != NULL) {
+ printf(" to ");
+ expr_print(stmt->dup.to);
+
+ if (stmt->dup.dev != NULL) {
+ printf(" device ");
+ expr_print(stmt->dup.dev);
+ }
+ }
+}
+
+static void dup_stmt_destroy(struct stmt *stmt)
+{
+ expr_free(stmt->dup.to);
+ expr_free(stmt->dup.dev);
+}
+
+static const struct stmt_ops dup_stmt_ops = {
+ .type = STMT_DUP,
+ .name = "dup",
+ .print = dup_stmt_print,
+ .destroy = dup_stmt_destroy,
+};
+
+struct stmt *dup_stmt_alloc(const struct location *loc)
+{
+ return stmt_alloc(loc, &dup_stmt_ops);
+}
projects / thirdparty / nftables.git / commitdiff
