author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-14 22:19:07 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-14 22:19:12 +0100 |
commit | a84921d7c0de950632ab4630dd4f7ad763e9e453 (patch) | |
tree | a2077597cf08c04df2066d1b21d60874f94d36c7 | |
parent | 75bbb065740e184a8d910db014fdb8949cc5f18e (diff) |
src: add notrack support
This patch adds the notrack statement, to skip connection tracking for
certain packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | include/ct.h | 3 | ||||
-rw-r--r-- | include/statement.h | 2 | ||||
-rw-r--r-- | src/ct.c | 16 | ||||
-rw-r--r-- | src/evaluate.c | 1 | ||||
-rw-r--r-- | src/netlink_delinearize.c | 8 | ||||
-rw-r--r-- | src/netlink_linearize.c | 11 | ||||
-rw-r--r-- | src/parser_bison.y | 6 | ||||
-rw-r--r-- | src/scanner.l | 2 | ||||
-rw-r--r-- | tests/py/any/ct.t | 2 | ||||
-rw-r--r-- | tests/py/any/ct.t.payload | 4 |
10 files changed, 55 insertions, 0 deletions
diff --git a/include/ct.h b/include/ct.h
index 0aeeed60..03e76e61 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -31,4 +31,7 @@ extern struct error_record *ct_dir_parse(const struct location *loc,
 const char *str, int8_t *dir);
 extern struct error_record *ct_key_parse(const struct location *loc,
 const char *str, unsigned int *key);
+
+extern struct stmt *notrack_stmt_alloc(const struct location *loc);
+
 #endif /* NFTABLES_CT_H */
diff --git a/include/statement.h b/include/statement.h
index e278b706..fe83717f 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -208,6 +208,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
 * @STMT_FWD: forward statement
 * @STMT_XT: XT statement
 * @STMT_QUOTA: quota statement
+ * @STMT_NOTRACK: notrack statement
 */
 enum stmt_types {
 STMT_INVALID,
@@ -230,6 +231,7 @@ enum stmt_types {
 STMT_FWD,
 STMT_XT,
 STMT_QUOTA,
+ STMT_NOTRACK,
 };
 /**
@@ -414,6 +414,22 @@ struct stmt *ct_stmt_alloc(const struct location *loc, enum nft_ct_keys key,
 return stmt;
 }
+static void notrack_stmt_print(const struct stmt *stmt)
+{
+ printf("notrack");
+}
+
+static const struct stmt_ops notrack_stmt_ops = {
+ .type = STMT_NOTRACK,
+ .name = "notrack",
+ .print = notrack_stmt_print,
+};
+
+struct stmt *notrack_stmt_alloc(const struct location *loc)
+{
+ return stmt_alloc(loc, ¬rack_stmt_ops);
+}
+
 static void __init ct_init(void)
 {
 datatype_register(&ct_state_type);
diff --git a/src/evaluate.c b/src/evaluate.c
index 878efacd..c60e0f11 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2478,6 +2478,7 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
 case STMT_COUNTER:
 case STMT_LIMIT:
 case STMT_QUOTA:
+ case STMT_NOTRACK:
 return 0;
 case STMT_EXPRESSION:
 return stmt_evaluate_expr(ctx, stmt);
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 434089b7..66d38caa 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
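Review bot: The enum documentation added in include/statement.h, `@STMT_NOTRACK: notrack statement`, only restates the constant's name; what a reader of stmt_types needs is the effect, since this statement takes matching packets out of stateful tracking and any later ct-based matching no longer applies to them. Suggest `@STMT_NOTRACK: notrack statement (matching packets skip connection tracking)`, following the wording of the commit description. The same one-liner would suit the `notrack_stmt_alloc` prototype added in include/ct.h, which is currently undocumented.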
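Review bot: `notrack_stmt_ops` in the src/ct.c hunk registers only `.type`, `.name` and `.print`, and neither it nor the exported `notrack_stmt_alloc` carries a comment saying why the table is that small; stmt_alloc and the stmt_ops definition are outside this hunk, so I cannot confirm the remaining callbacks are optional. A comment such as `/* notrack has no operands and owns nothing beyond the generic stmt, so only print is needed */` above the ops table would make the minimal table read as intentional rather than an omission. Note that this page renders the argument of stmt_alloc as `¬rack_stmt_ops` (an `&not` entity collapsed during rendering); the source presumably reads `&notrack_stmt_ops`, so that is a display artifact, not a defect. The `diff --git a/src/ct.c` header is also missing from the page, so the file is inferred from the diffstat and the ct_stmt_alloc context line.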
@@ -635,6 +635,13 @@ static void netlink_parse_numgen(struct netlink_parse_ctx *ctx,
 netlink_set_register(ctx, dreg, expr);
 }
+static void netlink_parse_notrack(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ ctx->stmt = notrack_stmt_alloc(loc);
+}
+
 static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
 const struct location *loc,
 const struct nftnl_expr *nle)
@@ -1127,6 +1134,7 @@ static const struct {
 { .name = "range", .parse = netlink_parse_range },
 { .name = "reject", .parse = netlink_parse_reject },
 { .name = "nat", .parse = netlink_parse_nat },
+ { .name = "notrack", .parse = netlink_parse_notrack },
 { .name = "masq", .parse = netlink_parse_masq },
 { .name = "redir", .parse = netlink_parse_redir },
 { .name = "dup", .parse = netlink_parse_dup },
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 6c0f39bf..2bee6844 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1095,6 +1095,15 @@ static void netlink_gen_ct_stmt(struct netlink_linearize_ctx *ctx,
 nftnl_rule_add_expr(ctx->nlr, nle);
 }
+static void netlink_gen_notrack_stmt(struct netlink_linearize_ctx *ctx,
+ const struct stmt *stmt)
+{
+ struct nftnl_expr *nle;
+
+ nle = alloc_nft_expr("notrack");
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
 static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
 const struct stmt *stmt)
 {
@@ -1190,6 +1199,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
 nle = netlink_gen_stmt_stateful(ctx, stmt);
 nftnl_rule_add_expr(ctx->nlr, nle);
 break;
+ case STMT_NOTRACK:
+ return netlink_gen_notrack_stmt(ctx, stmt);
 default:
 BUG("unknown statement type %s\n", stmt->ops->name);
 }
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 74f24a52..91955c18 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
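Review bot: In the src/netlink_linearize.c hunk, `netlink_gen_notrack_stmt` passes the result of `alloc_nft_expr("notrack")` straight to `nftnl_rule_add_expr` without a NULL check; whether that is safe depends on alloc_nft_expr aborting on allocation failure, which is not visible here, and the `netlink_gen_ct_stmt` context above ends with the same call pattern, so this presumably follows an existing convention worth confirming. The `stmt` parameter is unused, which appears inherent to the generator signature used by the switch in netlink_gen_stmt. A one-line comment would tell the next reader that nothing was forgotten: `/* notrack has no attributes: the expression's presence in the rule is the whole statement */`. The delinearize side (`netlink_parse_notrack`, earlier in this line) likewise ignores `nle` for the same reason and would benefit from the same comment.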
@@ -425,6 +425,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token XML "xml"
 %token JSON "json"
+%token NOTRACK "notrack"
+
 %type <string> identifier type_identifier string comment_spec
 %destructor { xfree($$); } identifier type_identifier string comment_spec
@@ -2564,6 +2566,10 @@ meta_stmt : META meta_key SET expr
 $$ = meta_stmt_alloc(&@$, key, $4);
 }
+ | NOTRACK
+ {
+ $$ = notrack_stmt_alloc(&@$);
+ }
 ;
 offset_opt : /* empty */ { $$ = 0; }
diff --git a/src/scanner.l b/src/scanner.l
index 9cb8d778..cd7398b4 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -467,6 +467,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "fib" { return FIB; }
+"notrack" { return NOTRACK; }
+
 "xml" { return XML; }
 "json" { return JSON; }
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index cc4f8e19..7cb49c26 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -101,3 +101,5 @@ ct invalid;fail
 ct invalid original;fail
 ct set invalid original 42;fail
 ct set invalid 42;fail
+
+notrack;ok
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 746b75e3..26aeec31 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -341,3 +341,7 @@ ip test-ip4 output
 [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x80000000 ]
 [ ct set label with reg 1 ]
+# notrack
+ip test-ip4 output
+ [ notrack ]
+
|
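Review bot: The `| NOTRACK` alternative in src/parser_bison.y is attached to the `meta_stmt` rule, while the allocator lives in src/ct.c with its prototype in include/ct.h and the tests in tests/py/any/ct.t; someone looking for the grammar beside the other ct statements will not find it here. If a ct-statement rule exists (the surrounding rules are outside this hunk), moving the alternative there, or otherwise adding `/* notrack is grammatically a meta statement; its implementation lives with the ct code */` above it, would keep the grammar and the implementation discoverable from each other. The rest of the meta_stmt rule starts outside the hunk.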