static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
{
+ const struct proto_desc *nproto;
const struct datatype *dtype;
int err, len;
switch (ctx->pctx.family) {
case NFPROTO_IPV4:
- case NFPROTO_IPV6:
+ case NFPROTO_IPV6: /* fallthrough */
+ if (stmt->tproxy.family == NFPROTO_UNSPEC)
+ stmt->tproxy.family = ctx->pctx.family;
+ break;
case NFPROTO_INET:
break;
default:
if (!stmt->tproxy.addr && !stmt->tproxy.port)
return stmt_error(ctx, stmt, "Either address or port must be specified!");
- if (ctx->pctx.family != NFPROTO_INET) {
- if (stmt->tproxy.family != NFPROTO_UNSPEC)
- return stmt_error(ctx, stmt, "Family can only be specified in inet tables.");
- stmt->tproxy.family = ctx->pctx.family;
- }
- else {
- const struct proto_desc *nproto =
- ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
- if ((nproto == &proto_ip && stmt->tproxy.family == NFPROTO_IPV6) ||
- (nproto == &proto_ip6 && stmt->tproxy.family == NFPROTO_IPV4))
- /* this prevents us from rules like
- * ip protocol tcp tproxy ip6 to [dead::beef]
- */
- return stmt_error(ctx, stmt,
- "Conflicting network layer protocols.");
- }
+ nproto = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ if ((nproto == &proto_ip && stmt->tproxy.family != NFPROTO_IPV4) ||
+ (nproto == &proto_ip6 && stmt->tproxy.family != NFPROTO_IPV6))
+ /* this prevents us from rules like
+ * ip protocol tcp tproxy ip6 to [dead::beef]
+ */
+ return stmt_error(ctx, stmt,
+ "Conflicting network layer protocols.");
if (stmt->tproxy.addr != NULL) {
if (stmt->tproxy.addr->ops->type == EXPR_RANGE)
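Review bot: The rewritten check at the `nproto` comparison now also fires when `stmt->tproxy.family` is still NFPROTO_UNSPEC, which the inet case leaves untouched (`case NFPROTO_INET: break;`), so an inet rule such as `ip protocol tcp tproxy to 192.0.2.1` is refused as "Conflicting network layer protocols." although nothing conflicts — before the change only an explicit ip/ip6 mismatch was rejected. If that is not intended, keep the unspecified family out of the test: `if (stmt->tproxy.family != NFPROTO_UNSPEC &&` / `    ((nproto == &proto_ip && stmt->tproxy.family != NFPROTO_IPV4) ||` / `     (nproto == &proto_ip6 && stmt->tproxy.family != NFPROTO_IPV6)))`; if rejecting an unspecified family in inet tables is the intent, the error message should say so rather than report a conflict. The `/* fallthrough */` comment on the `case NFPROTO_IPV6:` label sits between two adjacent labels where no statement falls through, so it documents nothing; such a marker only carries meaning after a case's statements. The lines between `default:` and the address/port check (the default branch's body and the switch's closing brace) are not visible in this excerpt, and the function continues past the hunk.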
meta l4proto 17 tproxy to 192.0.2.1;ok
meta l4proto 6 tproxy to 192.0.2.1:50080;ok
ip protocol 6 tproxy to :50080;ok
-meta l4proto 17 tproxy ip to 192.0.2.1;fail
-meta l4proto 6 tproxy ip to 192.0.2.1:50080;fail
+meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080
ip protocol 6 tproxy ip to :50080;fail
[ immediate reg 1 0x0000a0c3 ]
[ tproxy ip port reg 1 ]
+# meta l4proto 17 tproxy ip to 192.0.2.1
+ip x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x010200c0 ]
+ [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+ip x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x010200c0 ]
+ [ immediate reg 2 0x0000a0c3 ]
+ [ tproxy ip addr reg 1 port reg 2 ]
meta l4proto 6 tproxy to [2001:db8::1];ok
meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
meta l4proto 6 tproxy to :50080;ok
-meta l4proto 6 tproxy ip6 to [2001:db8::1];fail
-meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok;meta l4proto 6 tproxy to [2001:db8::1]
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok;meta l4proto 17 tproxy to [2001:db8::1]:50080
meta l4proto 6 tproxy ip6 to :50080;fail
-
-
[ immediate reg 1 0x0000a0c3 ]
[ tproxy ip6 port reg 1 ]
-# meta l4proto 6 tproxy to [2001:db8::1]
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
ip6 x y
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
[ tproxy ip6 addr reg 1 ]
-# meta l4proto 17 tproxy to [2001:db8::1]:50080
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
ip6 x y
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000011 ]
[ immediate reg 2 0x0000a0c3 ]
[ tproxy ip6 addr reg 1 port reg 2 ]
-# meta l4proto 6 tproxy to :50080
-ip6 x y
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ immediate reg 1 0x0000a0c3 ]
- [ tproxy ip6 port reg 1 ]
-