diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-09-14 20:51:20 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-09-15 19:03:36 +0200 |
commit | ae1d822630e6dcbac2650a90b2004360d7a51e48 (patch) | |
tree | 77660fadab33dbb52d5748fb9ebb1c299cea3b16 /src/ct.c | |
parent | 30fb63b524f8920ce01531947b7c595813a3ba32 (diff) |
src: context tracking for multiple transport protocols
This patch extends the protocol context infrastructure to track multiple
transport protocols when they are specified from sets.
This removes errors like:
"transport protocol mapping is only valid after transport protocol match"
when invoking:
# nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80
This patch also catches conflicts like:
# nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
and:
# nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
Note that:
- the singleton protocol context tracker is left in place until the
existing users are updated to use this new multiprotocol tracker.
Moving forward, it would be good to consolidate things around this new
multiprotocol context tracker infrastructure.
- link and network layers are not updated to use this infrastructure
yet. The code that deals with vlan conflicts relies on forcing
protocol context updates to the singleton protocol base.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/ct.c')
-rw-r--r-- | src/ct.c | 8 |
1 files changed, 5 insertions, 3 deletions
@@ -351,9 +351,11 @@ static void ct_expr_clone(struct expr *new, const struct expr *expr) new->ct = expr->ct; } -static void ct_expr_pctx_update(struct proto_ctx *ctx, const struct expr *expr) +static void ct_expr_pctx_update(struct proto_ctx *ctx, + const struct location *loc, + const struct expr *left, + const struct expr *right) { - const struct expr *left = expr->left, *right = expr->right; const struct proto_desc *base = NULL, *desc; uint32_t nhproto; @@ -366,7 +368,7 @@ static void ct_expr_pctx_update(struct proto_ctx *ctx, const struct expr *expr) if (!desc) return; - proto_ctx_update(ctx, left->ct.base + 1, &expr->location, desc); + proto_ctx_update(ctx, left->ct.base + 1, loc, desc); } #define NFTNL_UDATA_CT_KEY 0 |