author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-22 19:12:24 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-24 14:06:09 +0200 |
commit | da015ff415f021294aed8668ddf212acb279cd68 (patch) | |
tree | c5d181ee2720c8710c7810d0e750c9d9452b19e1 /src/netlink.c | |
parent | aae836a7aa628af4d4d5dd97d0eefa898e8f5245 (diff) |
netlink: fix network address prefix
eg. nft add rule filter output ip daddr 192.168.1.0/24 counter
so far, this operation was only possible using sets.
nft add rule filter output ip daddr \{ 192.168.1.0/24 \} counter
While at it, move all binop postprocess code to a new function that
contains this transformation and the existing bitmask to constant
(as used by eg. ct state new,established).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/netlink.c b/src/netlink.c
index d835281c..2a7bdb56 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -228,6 +228,28 @@ static void netlink_gen_verdict(const struct expr *expr,
 	}
 }
 
+static void netlink_gen_prefix(const struct expr *expr,
+			       struct nft_data_linearize *data)
+{
+	uint32_t i, cidr, idx;
+	uint32_t mask;
+
+	assert(expr->ops->type == EXPR_PREFIX);
+
+	data->len = div_round_up(expr->prefix->len, BITS_PER_BYTE);
+	cidr = expr->prefix_len;
+
+	for (i = 0; i < data->len; i+= 32) {
+		if (cidr - i >= 32)
+			mask = 0;
+		else
+			mask = (1 << cidr) - 1;
+
+		idx = i / 32;
+		data->value[idx] = mask;
+	}
+}
+
 void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data)
 {
 	switch (expr->ops->type) {
@@ -237,6 +259,8 @@ void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data)
 		return netlink_gen_concat_data(expr, data);
 	case EXPR_VERDICT:
 		return netlink_gen_verdict(expr, data);
+	case EXPR_PREFIX:
+		return netlink_gen_prefix(expr, data);
 	default:
 		BUG("invalid data expression type %s\n", expr->ops->name);
 	}
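Review bot: In netlink_gen_prefix the loop never produces a correct mask for a full 32-bit word: `if (cidr - i >= 32)` stores `mask = 0` where every bit should be set, so a prefix of 32 or more bits (an IPv4 /32, or any IPv6 prefix wider than one word) linearizes to an all-zero mask that matches every address instead of the intended range, i.e. the rule fails open. The stride also mixes units: `data->len` is a byte count while `i` advances by 32 bits, so for a 16-byte IPv6 address only `value[0]` is written and `value[1..3]` keep whatever the caller left there. The else branch builds a host-order mask with `(1 << cidr) - 1`, which is a signed shift (undefined at cidr == 31) and only yields the right bytes on little-endian hosts; presumably `value[]` carries the address in network byte order like the constants it is compared against, which is worth confirming. Suggest iterating once per 32-bit word with a signed remaining-bit count and building each word's mask with htonl() (needs <arpa/inet.h> unless the file already includes it), as below; the second hunk's switch case is fine as is.
```c
static void netlink_gen_prefix(const struct expr *expr,
			       struct nft_data_linearize *data)
{
	uint32_t idx, mask;
	int32_t cidr;	/* prefix bits still to cover, may go negative */

	/* … unchanged: assert and data->len computation … */
	cidr = expr->prefix_len;

	/* one iteration per 32-bit word of the address, not per byte */
	for (idx = 0; idx < div_round_up(data->len, sizeof(uint32_t)); idx++) {
		if (cidr >= 32)
			mask = 0xffffffffU;		/* whole word covered */
		else if (cidr > 0)
			mask = htonl(0xffffffffU << (32 - cidr));
		else
			mask = 0;			/* word entirely past the prefix */

		data->value[idx] = mask;
		cidr -= 32;
	}
}
```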