* @EXPR_PAYLOAD: payload expression
* @EXPR_EXTHDR: exthdr expression
* @EXPR_META: meta expression
+ * @EXPR_SOCKET: socket expression
* @EXPR_CT: conntrack expression
* @EXPR_CONCAT: concatenation
* @EXPR_LIST: list of expressions
EXPR_PAYLOAD,
EXPR_EXTHDR,
EXPR_META,
+ EXPR_SOCKET,
EXPR_CT,
EXPR_CONCAT,
EXPR_LIST,
#include <rt.h>
#include <hash.h>
#include <ct.h>
+#include <socket.h>
/**
* struct expr
enum nft_meta_keys key;
enum proto_bases base;
} meta;
+ struct {
+ /* SOCKET */
+ enum nft_socket_keys key;
+ } socket;
struct {
/* EXPR_RT */
enum nft_rt_keys key;
};
#define NFTA_RT_MAX (__NFTA_RT_MAX - 1)
+/**
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes
+ *
+ * @NFTA_SOCKET_KEY: socket key to match
+ * @NFTA_SOCKET_DREG: destination register
+ */
+enum nft_socket_attributes {
+ NFTA_SOCKET_UNSPEC,
+
+ NFTA_SOCKET_KEY,
+ NFTA_SOCKET_DREG,
+
+ __NFTA_SOCKET_MAX
+};
+#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1)
+
+/*
+ * enum nft_socket_keys - nf_tables socket expression keys
+ *
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ */
+enum nft_socket_keys {
+ NFT_SOCKET_TRANSPARENT,
+
+ __NFT_SOCKET_MAX
+};
+#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
+
/**
* enum nft_ct_keys - nf_tables ct expression keys
*
--- /dev/null
+#ifndef NFTABLES_SOCKET_H
+#define NFTABLES_SOCKET_H
+
+//#include <parser.h>
+
+/**
+ * struct rt_template - template for routing expressions
+ *
+ * @token: parser token for the expression
+ * @dtype: data type of the expression
+ * @len: length of the expression
+ * @byteorder: byteorder
+ */
+struct socket_template {
+ const char *token;
+ const struct datatype *dtype;
+ unsigned int len;
+ enum byteorder byteorder;
+};
+
+extern struct expr *socket_expr_alloc(const struct location *loc,
+ enum nft_socket_keys key);
+
+#endif /* NFTABLES_SOCKET_H */
services.c \
mergesort.c \
tcpopt.c \
+ socket.c \
libnftables.c
# yacc and lex generate dirty code
return expr_evaluate_primary(ctx, exprp);
}
+static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
+{
+ __expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder,
+ (*expr)->len, 1);
+ return 0;
+}
+
static int expr_evaluate_variable(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *new = expr_clone((*exprp)->sym->expr);
return expr_evaluate_primary(ctx, expr);
case EXPR_META:
return expr_evaluate_meta(ctx, expr);
+ case EXPR_SOCKET:
+ return expr_evaluate_socket(ctx, expr);
case EXPR_FIB:
return expr_evaluate_fib(ctx, expr);
case EXPR_PAYLOAD:
netlink_set_register(ctx, dreg, expr);
}
+static void netlink_parse_socket(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ uint32_t key;
+ struct expr * expr;
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_SOCKET_KEY);
+ expr = socket_expr_alloc(loc, key);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_SOCKET_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
static void netlink_parse_meta_stmt(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
{ .name = "payload", .parse = netlink_parse_payload },
{ .name = "exthdr", .parse = netlink_parse_exthdr },
{ .name = "meta", .parse = netlink_parse_meta },
+ { .name = "socket", .parse = netlink_parse_socket },
{ .name = "rt", .parse = netlink_parse_rt },
{ .name = "ct", .parse = netlink_parse_ct },
{ .name = "connlimit", .parse = netlink_parse_connlimit },
case EXPR_VERDICT:
case EXPR_NUMGEN:
case EXPR_FIB:
+ case EXPR_SOCKET:
break;
case EXPR_HASH:
if (expr->hash.expr)
nftnl_rule_add_expr(ctx->nlr, nle);
}
+static void netlink_gen_socket(struct netlink_linearize_ctx *ctx,
+ const struct expr *expr,
+ enum nft_registers dreg)
+{
+ struct nftnl_expr *nle;
+
+ nle = alloc_nft_expr("socket");
+ netlink_put_register(nle, NFTNL_EXPR_SOCKET_DREG, dreg);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_SOCKET_KEY, expr->socket.key);
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
static void netlink_gen_numgen(struct netlink_linearize_ctx *ctx,
const struct expr *expr,
enum nft_registers dreg)
return netlink_gen_hash(ctx, expr, dreg);
case EXPR_FIB:
return netlink_gen_fib(ctx, expr, dreg);
+ case EXPR_SOCKET:
+ return netlink_gen_socket(ctx, expr, dreg);
default:
BUG("unknown expression type %s\n", expr->ops->name);
}
%token FIB "fib"
+%token SOCKET "socket"
+%token TRANSPARENT "transparent"
+
%token HOOK "hook"
%token DEVICE "device"
%token DEVICES "devices"
%destructor { expr_free($$); } meta_expr
%type <val> meta_key meta_key_qualified meta_key_unqualified numgen_type
+%type <expr> socket_expr
+%destructor { expr_free($$); } socket_expr
+%type<val> socket_key
+
%type <val> nf_key_proto
%type <expr> rt_expr
| exthdr_expr { $$ = $1; }
| exthdr_exists_expr { $$ = $1; }
| meta_expr { $$ = $1; }
+ | socket_expr { $$ = $1; }
| rt_expr { $$ = $1; }
| ct_expr { $$ = $1; }
| numgen_expr { $$ = $1; }
}
;
+socket_expr : SOCKET socket_key
+ {
+ $$ = socket_expr_alloc(&@$, $2);
+ }
+ ;
+
+socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+ ;
+
offset_opt : /* empty */ { $$ = 0; }
| OFFSET NUM { $$ = $2; }
;
"ruleset" { return RULESET; }
"trace" { return TRACE; }
+"socket" { return SOCKET; }
+"transparent" { return TRANSPARENT;}
+
"accept" { return ACCEPT; }
"drop" { return DROP; }
"continue" { return CONTINUE; }
--- /dev/null
+/*
+ * Socket expression/statement related definition and types.
+ *
+ * Copyright (c) 2018 Máté Eckl <ecklm94@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <nftables.h>
+#include <expression.h>
+#include <socket.h>
+
+const struct socket_template socket_templates[] = {
+ [NFT_SOCKET_TRANSPARENT] = {.token = "transparent",
+ .dtype = &integer_type,
+ .len = BITS_PER_BYTE,
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ }
+};
+
+static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)
+{
+ nft_print(octx, "socket %s", socket_templates[expr->socket.key].token);
+}
+
+static bool socket_expr_cmp(const struct expr *e1, const struct expr *e2)
+{
+ return e1->socket.key == e2->socket.key;
+}
+
+static void socket_expr_clone(struct expr *new, const struct expr *expr)
+{
+ new->socket.key = expr->socket.key;
+}
+
+static const struct expr_ops socket_expr_ops = {
+ .type = EXPR_SOCKET,
+ .name = "socket",
+ .print = socket_expr_print,
+ .cmp = socket_expr_cmp,
+ .clone = socket_expr_clone,
+};
+
+struct expr *socket_expr_alloc(const struct location *loc, enum nft_socket_keys key)
+{
+ const struct socket_template *tmpl = &socket_templates[key];
+ struct expr *expr;
+
+ expr = expr_alloc(loc, &socket_expr_ops, tmpl->dtype,
+ tmpl->byteorder, tmpl->len);
+ expr->socket.key = key;
+
+ return expr;
+}
projects / thirdparty / nftables.git / commitdiff
