authorPablo Neira Ayuso <pablo@netfilter.org>2015-10-18 20:02:16 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2015-11-02 12:51:36 +0100
commitb851ba4731d9f7c5e38889875a83173fcc4d3f16 (patch)
tree3ca89f5c184998ece7216eae4d9095807cb7ef0f /src/netlink_linearize.c
parent0721fbbe7a951a1e879d120c7a722012c38af9a6 (diff)
src: add interface wildcard matching
Contrary to iptables, we use the asterisk character '*' as wildcard. # nft --debug=netlink add rule test test iifname eth\* ip test test [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x00687465 ] Note that this generates an optimized comparison without bitwise. In case you want to match a device that contains an asterisk, you have to escape the asterisk, ie. # nft add rule test test iifname eth\\* The wildcard string handling occurs from the evaluation step, where we convert from: relational / \ / \ meta value oifname eth* to: relational / \ / \ meta prefix oifname As Patrick suggested, this is not actually a wildcard but a prefix since it only applies to the string when placed at the end. More comments: * This relaxes the left->size > right->size from netlink_parse_cmp() for strings since the optimization that this patch applies may now result in bogus errors. * This patch can be later on extended to apply a similar optimization to payload expressions when: expr->len % BITS_PER_BYTE == 0 For meta and ct, the kernel checks for the exact length of the attributes (it expects integer 32 bits) so we can't do it unless we relax that. * Wildcard strings are not supported from sets and maps yet. Error reporting is not very good at this stage since expr_evaluate_prefix() doesn't have enough context (ctx->set is NULL, the set object is currently created later after evaluating the lhs and rhs of the relational). I'll be following up on this later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
-rw-r--r--src/netlink_linearize.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index a4cd370d..c9af0365 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -325,6 +325,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
struct nftnl_expr *nle;
enum nft_registers sreg;
struct expr *right;
+ int len;
assert(dreg == NFT_REG_VERDICT);
@@ -332,14 +333,24 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
return netlink_gen_range(ctx, expr, dreg);
sreg = get_register(ctx, expr->left);
- netlink_gen_expr(ctx, expr->left, sreg);
switch (expr->right->ops->type) {
case EXPR_PREFIX:
- right = netlink_gen_prefix(ctx, expr, sreg);
+ if (expr->left->dtype->type != TYPE_STRING) {
+ len = div_round_up(expr->right->len, BITS_PER_BYTE);
+ netlink_gen_expr(ctx, expr->left, sreg);
+ right = netlink_gen_prefix(ctx, expr, sreg);
+ } else {
+ len = div_round_up(expr->right->prefix_len, BITS_PER_BYTE);
+ right = expr->right->prefix;
+ expr->left->len = expr->right->prefix_len;
+ netlink_gen_expr(ctx, expr->left, sreg);
+ }
break;
default:
+ len = div_round_up(expr->right->len, BITS_PER_BYTE);
right = expr->right;
+ netlink_gen_expr(ctx, expr->left, sreg);
break;
}
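Review bot: The string branch of the EXPR_PREFIX case rewrites `expr->left->len = expr->right->prefix_len;` in place, so the left-hand expression keeps the shortened length after linearization; if the same expression tree is printed or linearized again afterwards (not visible from this hunk), the original meta length is gone. A comment stating the intent would help, e.g. `/* shrink the lhs load to the prefix length so cmp only checks the leading bytes; this mutates expr->left for good */`, or the original length could be saved before and restored after the netlink_gen_expr() call. The same branch assumes `prefix_len` never exceeds the prefix expression's own data, since `len` is later passed to nftnl_expr_set() as the byte count read from `nld.value`; a zero-length prefix would also reach this path with `len == 0` unless evaluation rejects it earlier, which this hunk cannot show. `len` is declared `int` in the preceding hunk while nftnl_expr_set() takes an unsigned length, so `uint32_t len;` would avoid the sign conversion. netlink_gen_cmp() starts before and ends after this hunk.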
@@ -349,7 +360,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
netlink_gen_cmp_op(expr->op));
payload_shift_value(expr->left, right);
netlink_gen_data(right, &nld);
- nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, nld.len);
+ nftnl_expr_set(nle, NFTNL_EXPR_CMP_DATA, nld.value, len);
release_register(ctx, expr->left);
nftnl_rule_add_expr(ctx->nlr, nle);