path: root/iptables/nft-shared.h
author: Florian Westphal <fw@strlen.de> 2022-01-25 17:52:55 +0100
committer: Florian Westphal <fw@strlen.de> 2022-01-29 13:33:36 +0100
commit: 250dce876d924b9467ffa035af445912e86ea93b (patch)
tree: 751301bbe5e70794459498ca3f9fdaff1ab2154a /iptables/nft-shared.h
parent: ea5d45dc23a4529a2a45c59ac6c13b61297c789e (diff)
nft-shared: support native tcp port delinearize
This extends the iptables-nft dissector to decode native tcp port matching.

nft ruleset:

table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		tcp sport 12345
		tcp sport 12345 tcp dport 6789
		tcp sport < 1024
		tcp dport >= 1024
	}
}

$ iptables-nft-save
-A INPUT -p tcp -m tcp --sport 12345
-A INPUT -p tcp -m tcp --sport 12345 --dport 6789
-A INPUT -p tcp -m tcp --sport 0:1023
-A INPUT -p tcp -m tcp --dport 1024:65535

This would allow extending iptables-nft to prefer native payload expressions for --sport,dport in the future.

Also, parse_cmp must not clear the "payload" flag; this is because cmp-based range expressions will contain the following sequence:

payload => reg1
cmp reg1 > minv
cmp reg1 < maxv
...

so the second cmp would work.

Signed-off-by: Florian Westphal <fw@strlen.de>
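The mapping the commit message describes, from a payload load followed by one or more cmp expressions to an inclusive iptables port range, as an added illustration that is not iptables-nft's own code. The expression model (`struct expr`, the offsets 0 and 2 for source and destination port, the `cmp_op` enum) is a deliberately simplified stand-in for the real nft expression structures, and `example()` feeds it constructed rule bodies: the four rules from the commit message plus a two-cmp range and a malformed sequence. The pointer `cur` plays the role of the "payload" flag that must survive across consecutive cmps; it goes beyond the page by also rejecting contradictory or empty bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the expression sequence the commit message
 * describes (not iptables-nft's own types):  payload => reg1 loads a 16-bit
 * port from the transport header; cmp reg1 <op> value compares that register. */
enum cmp_op { CMP_EQ, CMP_NEQ, CMP_LT, CMP_LTE, CMP_GT, CMP_GTE };
enum expr_kind { EXPR_PAYLOAD, EXPR_CMP };
struct expr {
	enum expr_kind kind;
	uint32_t offset;	/* EXPR_PAYLOAD: 0 = source port, 2 = destination port */
	enum cmp_op op;		/* EXPR_CMP */
	uint16_t value;		/* EXPR_CMP */
};

/* Accumulated match for one port field, i.e. [!] --sport/--dport min:max */
struct port_range { bool set, inv; uint16_t min, max; };

/* Narrow the range by one cmp. Strict operators become inclusive bounds
 * (tcp sport < 1024 -> 0:1023) because iptables port ranges are inclusive. */
static bool range_apply_cmp(struct port_range *r, enum cmp_op op, uint16_t v)
{
	switch (op) {
	case CMP_EQ:  r->min = r->max = v; break;
	case CMP_NEQ: r->min = r->max = v; r->inv = true; break;
	case CMP_LT:  if (v == 0) return false; r->max = v - 1; break;
	case CMP_LTE: r->max = v; break;
	case CMP_GT:  if (v == 65535) return false; r->min = v + 1; break;
	case CMP_GTE: r->min = v; break;
	}
	return r->min <= r->max;	/* reject contradictory bounds, e.g. > 2000 and < 1000 */
}

static void range_print(const struct port_range *r, const char *flag, char *buf, size_t len)
{
	if (!r->set)
		return;
	if (r->min == r->max)
		snprintf(buf, len, "%s%s %u", r->inv ? "! " : "", flag, (unsigned)r->min);
	else
		snprintf(buf, len, "%s%s %u:%u", r->inv ? "! " : "", flag, (unsigned)r->min, (unsigned)r->max);
}

/* Walk the expression list and render the iptables-save style match. Returns false
 * for a cmp with no preceding payload load, a non-port offset, or an empty range. */
bool delinearize_ports(const struct expr *e, size_t n, char *out, size_t len)
{
	struct port_range sport = { 0 }, dport = { 0 };
	struct port_range *cur = NULL;	/* acts as the "payload" flag: which field reg1 holds */
	char sbuf[32] = "", dbuf[32] = "";
	for (size_t i = 0; i < n; i++) {
		if (e[i].kind == EXPR_PAYLOAD) {
			cur = e[i].offset == 0 ? &sport : e[i].offset == 2 ? &dport : NULL;
			if (!cur)
				return false;
			*cur = (struct port_range){ .set = true, .max = 65535 };
			continue;
		}
		/* cur is deliberately kept across consecutive cmps so the second half
		 * of a "> minv ... < maxv" pair narrows the same range */
		if (!cur || !range_apply_cmp(cur, e[i].op, e[i].value))
			return false;
	}
	range_print(&sport, "--sport", sbuf, sizeof sbuf);
	range_print(&dport, "--dport", dbuf, sizeof dbuf);
	snprintf(out, len, "%s%s%s", sbuf, sbuf[0] && dbuf[0] ? " " : "", dbuf);
	return true;
}

/* Constructed sample rule bodies: 0-3 mirror the commit message, 4 adds a
 * two-cmp range, 5 is malformed (cmp with no preceding payload load). */
#define P(off)   { .kind = EXPR_PAYLOAD, .offset = (off) }
#define C(o, v)  { .kind = EXPR_CMP, .op = (o), .value = (v) }
const char *example(int idx)
{
	static const struct expr r0[] = { P(0), C(CMP_EQ, 12345) };
	static const struct expr r1[] = { P(0), C(CMP_EQ, 12345), P(2), C(CMP_EQ, 6789) };
	static const struct expr r2[] = { P(0), C(CMP_LT, 1024) };
	static const struct expr r3[] = { P(2), C(CMP_GTE, 1024) };
	static const struct expr r4[] = { P(0), C(CMP_GT, 1000), C(CMP_LT, 2000) };
	static const struct expr r5[] = { C(CMP_EQ, 22) };
	static const struct { const struct expr *e; size_t n; } rules[] = {
		{ r0, 2 }, { r1, 4 }, { r2, 2 }, { r3, 2 }, { r4, 3 }, { r5, 1 } };
	static char out[64];
	if (idx < 0 || (size_t)idx >= sizeof rules / sizeof rules[0])
		return NULL;
	return delinearize_ports(rules[idx].e, rules[idx].n, out, sizeof out) ? out : NULL;
}

int main(void)
{
	for (int i = 0; i < 6; i++)
		printf("-A INPUT -p tcp -m tcp %s\n", example(i) ? example(i) : "(cannot delinearize)");
	return 0;
}
```

Running it prints the same four `-m tcp` matches that `iptables-nft-save` shows in the commit message, followed by `--sport 1001:1999` for the two-cmp range; the malformed sequence is reported as not delinearizable rather than silently dropping the cmp, which is the failure the preserved "payload" flag prevents.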
Diffstat (limited to 'iptables/nft-shared.h')
-rw-r--r-- iptables/nft-shared.h | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index c3241f4b..0a8be709 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -53,6 +53,9 @@ struct nft_xt_ctx {
struct nft_handle *h;
uint32_t flags;
const char *table;
+ union {
+ struct xt_tcp *tcp;
+ } tcpudp;
uint32_t reg;
struct {
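Review bot: the new `union { struct xt_tcp *tcp; } tcpudp;` member has a single arm, so the union and its `tcpudp` name promise UDP handling that this hunk does not add; either add the `struct xt_udp *udp` arm now or put a one-line comment on the union saying it is reserved for the UDP pointer, so the next reader does not wonder whether a member went missing. The field also has no comment saying what the pointer refers to or who owns it, unlike nothing else in the visible context of `struct nft_xt_ctx` that would make that obvious; a comment such as `/* match data of the rule being delinearized, not owned */` (if that is the intent) would document it.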