diff options
| author | Florian Westphal <fw@strlen.de> | 2019-07-13 19:23:27 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2019-07-15 12:28:57 +0200 |
| commit | a43a696443a150f448d182fe708a43d7279de715 (patch) | |
| tree | 2e6bb18b51cea409aa963f239946cc66ab7cd4d7 /src | |
| parent | 87c0bee7f04917623c35e850ad223222a93520d1 (diff) | |
proto: add pseudo th protocol to match d/sport in generic way
Problem: Its not possible to easily match both udp and tcp in a single
rule.
... input ip protocol { tcp,udp } dport 53
will not work, as bison expects "tcp dport" or "sctp dport", or any
other transport protocol name.
Its possible to match the sport and dport via raw payload expressions,
e.g.:
... input ip protocol { tcp,udp } @th,16,16 53
but its not very readable.
Furthermore, its not possible to use this for set definitions:
table inet filter {
set myset {
type ipv4_addr . inet_proto . inet_service
}
chain forward {
type filter hook forward priority filter; policy accept;
ip daddr . ip protocol . @th,0,16 @myset
}
}
# nft -f test
test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions
During the netfilter workshop Pablo suggested to add an alias to do raw
sport/dport matching more readable, and make it use the inet_service
type automatically.
So, this change makes @th,0,16 work for the set definition case by
setting the data type to inet_service.
A new "th s|dport" syntax is provided as readable alternative:
ip protocol { tcp, udp } th dport 53
As "th" is an alias for the raw expression, no dependency is
generated -- its the users responsibility to add a suitable test to
select the l4 header types that should be matched.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/parser_bison.y | 16 | ||||
| -rw-r--r-- | src/payload.c | 23 | ||||
| -rw-r--r-- | src/proto.c | 12 |
3 files changed, 51 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index a4905f2a..0a387f61 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -719,6 +719,9 @@ int nft_lex(void *, void *, void *); %type <expr> dccp_hdr_expr sctp_hdr_expr %destructor { expr_free($$); } dccp_hdr_expr sctp_hdr_expr %type <val> dccp_hdr_field sctp_hdr_field +%type <expr> th_hdr_expr +%destructor { expr_free($$); } th_hdr_expr +%type <val> th_hdr_field %type <expr> exthdr_expr %destructor { expr_free($$); } exthdr_expr @@ -4198,6 +4201,7 @@ payload_expr : payload_raw_expr | tcp_hdr_expr | dccp_hdr_expr | sctp_hdr_expr + | th_hdr_expr ; payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM @@ -4487,6 +4491,18 @@ sctp_hdr_field : SPORT { $$ = SCTPHDR_SPORT; } | CHECKSUM { $$ = SCTPHDR_CHECKSUM; } ; +th_hdr_expr : TRANSPORT_HDR th_hdr_field + { + $$ = payload_expr_alloc(&@$, &proto_th, $2); + if ($$) + $$->payload.is_raw = true; + } + ; + +th_hdr_field : SPORT { $$ = THDR_SPORT; } + | DPORT { $$ = THDR_DPORT; } + ; + exthdr_expr : hbh_hdr_expr | rt_hdr_expr | rt0_hdr_expr diff --git a/src/payload.c b/src/payload.c index 3bf1ecc7..abd5339c 100644 --- a/src/payload.c +++ b/src/payload.c @@ -172,10 +172,33 @@ struct expr *payload_expr_alloc(const struct location *loc, void payload_init_raw(struct expr *expr, enum proto_bases base, unsigned int offset, unsigned int len) { + enum th_hdr_fields thf; + expr->payload.base = base; expr->payload.offset = offset; expr->len = len; expr->dtype = &integer_type; + + if (base != PROTO_BASE_TRANSPORT_HDR) + return; + if (len != 16) + return; + + switch (offset) { + case 0: + thf = THDR_SPORT; + /* fall through */ + case 16: + if (offset == 16) + thf = THDR_DPORT; + expr->payload.tmpl = &proto_th.templates[thf]; + expr->payload.desc = &proto_th; + expr->dtype = &inet_service_type; + expr->payload.desc = &proto_th; + break; + default: + break; + } } unsigned int payload_hdr_field(const struct expr *expr) diff --git a/src/proto.c b/src/proto.c index 67e86f20..40ce590e 100644 --- a/src/proto.c +++ b/src/proto.c @@ -562,6 +562,18 @@ const struct proto_desc proto_sctp = { }; /* + * Dummy Transpor Header (common udp/tcp/dccp/sctp fields) + */ +const struct proto_desc proto_th = { + .name = "th", + .base = PROTO_BASE_TRANSPORT_HDR, + .templates = { + [THDR_SPORT] = INET_SERVICE("sport", struct udphdr, source), + [THDR_DPORT] = INET_SERVICE("dport", struct udphdr, dest), + }, +}; + +/* * IPv4 */ |