summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2017-06-16 21:18:45 +0200
committerFlorian Westphal <fw@strlen.de>2017-06-18 23:28:57 +0200
commitfda79e96bcaa5fc927523b582bfc42c8ad22deca (patch)
treeac5060ff4c428e80a6b7e4bd430315a292e5ceb2
parent7e1ff143442c6c9428f2a1cdb7c751216407437c (diff)
evaluate: reject meta nfproto outside of inet family
meta nfproto loads the hook family type of the current rule context in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family, NFPROTO_BRIDGE for bridge and so on. The only case where this is useful is the inet pseudo family, where this is useful to determine the real hook family (NFPROTO_IPV4 or NFPROTO_IPV6). In all other families 'meta nfproto' is either always true or false. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/nft.xml9
-rw-r--r--src/evaluate.c15
2 files changed, 22 insertions, 2 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index d0d37396..e9ccd63c 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -478,7 +478,9 @@ filter input iif $int_ifs accept
</simplelist>.
The <literal>inet</literal> address family is a dummy family which is used to create
- hybrid IPv4/IPv6 tables.
+ hybrid IPv4/IPv6 tables. The <literal>meta</literal> expression <literal>nfproto</literal>
+ keyword can be used to test which family (ipv4 or ipv6) context the packet is being processed in.
+
When no address family is specified, <literal>ip</literal> is used by default.
</para>
@@ -1907,6 +1909,11 @@ filter output icmpv6 type { echo-request, echo-reply }
<entry>integer (32 bit)</entry>
</row>
<row>
+ <entry>nfproto</entry>
+ <entry>real hook protocol family, useful only in inet table</entry>
+ <entry>integer (32 bit)</entry>
+ </row>
+ <row>
<entry>protocol</entry>
<entry>Ethertype protocol value</entry>
<entry>ether_type</entry>
diff --git a/src/evaluate.c b/src/evaluate.c
index 04367ced..cee99272 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1692,6 +1692,18 @@ static int expr_evaluate_fib(struct eval_ctx *ctx, struct expr **exprp)
return expr_evaluate_primary(ctx, exprp);
}
+static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp)
+{
+ struct expr *meta = *exprp;
+
+ if (ctx->pctx.family != NFPROTO_INET &&
+ meta->flags & EXPR_F_PROTOCOL &&
+ meta->meta.key == NFT_META_NFPROTO)
+ return expr_error(ctx->msgs, meta,
+ "meta nfproto is only useful in the inet family");
+ return expr_evaluate_primary(ctx, exprp);
+}
+
static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
{
#ifdef DEBUG
@@ -1715,8 +1727,9 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
case EXPR_EXTHDR:
return expr_evaluate_exthdr(ctx, expr);
case EXPR_VERDICT:
- case EXPR_META:
return expr_evaluate_primary(ctx, expr);
+ case EXPR_META:
+ return expr_evaluate_meta(ctx, expr);
case EXPR_FIB:
return expr_evaluate_fib(ctx, expr);
case EXPR_PAYLOAD: