authorFlorian Westphal <fw@strlen.de>2018-08-29 11:37:40 +0200
committerFlorian Westphal <fw@strlen.de>2018-08-29 23:53:54 +0200
commitbb594473acd532aee6a268a6b27fd529ac71d4b5 (patch)
tree45b2c657c37b7a94baa20a5f3562b94042b7f72f /src/evaluate.c
parent92029c1282958aad13eb8602c67b73caf2a08a09 (diff)
src: tproxy: relax family restrictions
evaluation step currently prohibits tproxy ip to 1.2.3.4 in ip family, and tproxy ip6 to dead::1 in ip6. This seems an arbitrary limitation, just accept this. The current restriction would make json output support harder than needed, as the tproxy expression generated from the json path would have to special-case the table it is currently in, rather than just using the family attribute in the json output. We obviously still reject the family in case it mismatches the table family (e.g., can't use ip address in ip6 table). Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c30
1 files changed, 13 insertions, 17 deletions
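diff --git a/src/evaluate.c b/src/evaluate.c
index 685924df..a3a78744 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2487,12 +2487,16 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
 static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
 {
+ const struct proto_desc *nproto;
 const struct datatype *dtype;
 int err, len;
 switch (ctx->pctx.family) {
 case NFPROTO_IPV4:
- case NFPROTO_IPV6:
+ case NFPROTO_IPV6: /* fallthrough */
+ if (stmt->tproxy.family == NFPROTO_UNSPEC)
+ stmt->tproxy.family = ctx->pctx.family;
+ break;
 case NFPROTO_INET:
 break;
 default:
@@ -2507,22 +2511,14 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
 if (!stmt->tproxy.addr && !stmt->tproxy.port)
 return stmt_error(ctx, stmt, "Either address or port must be specified!");
- if (ctx->pctx.family != NFPROTO_INET) {
- if (stmt->tproxy.family != NFPROTO_UNSPEC)
- return stmt_error(ctx, stmt, "Family can only be specified in inet tables.");
- stmt->tproxy.family = ctx->pctx.family;
- }
- else {
- const struct proto_desc *nproto =
- ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
- if ((nproto == &proto_ip && stmt->tproxy.family == NFPROTO_IPV6) ||
- (nproto == &proto_ip6 && stmt->tproxy.family == NFPROTO_IPV4))
- /* this prevents us from rules like
- * ip protocol tcp tproxy ip6 to [dead::beef]
- */
- return stmt_error(ctx, stmt,
- "Conflicting network layer protocols.");
- }
+ nproto = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ if ((nproto == &proto_ip && stmt->tproxy.family != NFPROTO_IPV4) ||
+ (nproto == &proto_ip6 && stmt->tproxy.family != NFPROTO_IPV6))
+ /* this prevents us from rules like
+ * ip protocol tcp tproxy ip6 to [dead::beef]
+ */
+ return stmt_error(ctx, stmt,
+ "Conflicting network layer protocols.");
 if (stmt->tproxy.addr != NULL) {
 if (stmt->tproxy.addr->ops->type == EXPR_RANGE)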
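Review bot: The rewritten condition at the `nproto == &proto_ip` line now also rejects `NFPROTO_UNSPEC`, whereas the removed inet branch only rejected an explicitly mismatching family; since the `case NFPROTO_INET:` arm in the first hunk leaves `tproxy.family` untouched, a port-only `tproxy to :port` in an inet table under an IPv4 network-header match now fails with "Conflicting network layer protocols.", which is a misleading message if such a rule is meant to be accepted — whether it is depends on the code after this hunk, as stmt_evaluate_tproxy continues past it. If the intent is only to catch an explicit mismatch, guard the check: `if (stmt->tproxy.family != NFPROTO_UNSPEC &&` / `((nproto == &proto_ip && stmt->tproxy.family != NFPROTO_IPV4) ||` / `(nproto == &proto_ip6 && stmt->tproxy.family != NFPROTO_IPV6)))`. Otherwise the retained comment above it no longer describes what is rejected and should say so, e.g. `/* also rejects an unspecified family under an explicit ip/ip6 header match */`. In the first hunk the `/* fallthrough */` marker is placed on an adjacent case label where no statement falls through, so it reads as noise; drop it or put it only after a statement that actually falls into the next case.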